New GDPR guidance from ICO

The Information Commissioner's Office (ICO) has launched a public consultation on a draft direct marketing code of practice.

To quote the DMA: "It is a critical document for the data and marketing industry because its elevated status as a code of practice, as opposed to guidance, will give it statutory status. Meaning that it will effectively become the legal rulebook for the sector."

All organisations have an obligation to ensure their direct marketing activities comply with the General Data Protection Regulation and Data Protection Act 2018 (GDPR) and with the Privacy and Electronic Communications Regulations 2003 (PECR). These two pieces of legislation are not completely aligned, and we have seen numerous cases of companies being fined for breaches of PECR while carrying out activity intended to conform with the GDPR.

The 124-page draft code, available on the ICO website, aims to tackle the widespread confusion flagged up by many of the responses to the first consultation and to help businesses comply with both pieces of legislation.

Here is a summary of some of the key points for email marketers:

  • You need to ensure that individuals' rights are at the heart of what you do; a positive by-product of this is that it will build trust and confidence in your audience.

  • Continued emphasis on granularity of consent and the requirement for clear affirmative action: no pre-ticked boxes, and no assumption of consent unless it is clearly stated at the outset.

  • It is perfectly legitimate to use bought data as long as you carry out appropriate due diligence.

  • Your data management processes need to be clearly defined and built into your strategy from the outset (by design); switching legal basis when it suits you is not an option. A life-cycle approach is required.

There is also considerable information about profiling and data enhancement, which we will cover in a separate post.

Detailed Analysis

In the words of the ICO:

The draft code takes a life-cycle approach to direct marketing. It starts with a section looking at the definition of direct marketing to help you decide if the code applies to you, before moving on to cover areas such as planning your marketing, collecting data, delivering your marketing messages and individuals' rights.

It contains chapters on areas such as data protection by design, generating leads and collecting contact details, profiling and data enrichment, selling or sharing data, sending direct marketing messages, and online advertising and new technologies. The document is also littered with real-world examples of application.

The code very clearly reinforces the key points that were emphasised around the time the GDPR was introduced. For example:

Pre-ticked opt-in boxes are banned under the GDPR. You cannot rely on silence, inactivity or default settings – consent must be separate, freely given, unambiguous and affirmative. Failing to opt-out of direct marketing is not valid consent.

But there is more information around the interaction of the GDPR with PECR, and a special focus on generating leads.

If you have obtained consent in compliance with PECR (which must be to the GDPR standard), then in practice consent is also the appropriate lawful basis under the GDPR. Trying to apply legitimate interests when you already have GDPR-compliant consent would be an entirely unnecessary exercise, and would cause confusion for individuals.

Switching legal basis is an absolute no-no.

Following on from the above point regarding the potential confusion caused by applying multiple lawful bases to the same communication, the ICO goes a step further to really hammer the point home. You have to be very clear and comprehensive in your planning to ensure that no misrepresentation of legal basis occurs through your marketing actions.

Where data is shared with you for direct marketing purposes on the basis of consent, then the appropriate lawful basis for your subsequent processing for direct marketing purposes will also be consent. It is not appropriate to switch to legitimate interests for your further processing for direct marketing purposes. Switching to legitimate interests would mean the original consent was no longer specific or informed, and misrepresented the degree of control and the nature of the relationship with the individual.


Contrary to media hype, using legitimate third-party data providers is perfectly acceptable.

What was great to see, for the first time, was more specific guidance around buying or renting lists and more of an indication of what proportionate due diligence might entail.

Due diligence when buying data could include ensuring you have the details described below:

· Who compiled the data – was it the organisation you are buying it from or was it someone else?

· Where was the data obtained from – did it come from the individuals directly or has it come from other sources?

· What privacy information was used when the data was collected – what were individuals told their data would be used for?

· When was the personal data compiled – what date was it collected and how old is it?

· How was the personal data collected – what was the context and method of the collection?

· Records of the consent (if it is ‘consented’ data) – what did individuals consent to, what were they told, were you named, and when and how did they consent?

· Evidence that the data has been checked against opt-out lists (if claimed) – can it be demonstrated that the TPS or CTPS has been screened against and how recently?

· How does the seller deal with individuals’ rights – do they pass on objections?

A reputable third party should be able to demonstrate to you that the data is reliable. If they cannot do this, or if you are not satisfied with their explanations, you should not use the data.


So, contrary to some of the scaremongering in the marketing press, and even to what is advocated by some businesses that specialise in marketing communications, purchasing lists is by no means off the table and remains a legitimate marketing practice. In practical terms, bought data tends to cause more technical problems than legal ones, with issues such as blocking, blacklisting and spam traps becoming increasingly prevalent.

Might it be time to reconsider recommend-a-friend?

The ICO has also highlighted the illegitimacy of extending your database by asking customers to provide details of friends and family. So recommend-a-friend is on shaky ground if not managed properly:

You cannot escape your GDPR and PECR obligations by asking existing customers or supporters to provide you with contact details for their friends and family to use for direct marketing purposes. In practice it is very difficult to comply with the GDPR when collecting details for direct marketing purposes in this way or to demonstrate your accountability.

For example, you have no idea what the individual has told their friends and family about you processing their data, and you would not be able to verify whether these contacts actually gave valid consent for you to collect their data. If you want to do this you need to very carefully plan how you will demonstrate accountability and compliance – in practice this is likely to be difficult in most circumstances.

The code is out for consultation until 4 March 2020 and the final version is expected later this year. You can read the code and take part in the consultation through the ICO website.

You can learn more about best-practice email marketing, including the processes needed to stay compliant with the legislation, at our regular free events.


Email marketing healthcheck

We are confident that we can help you, which is why we offer a free healthcheck to identify potential issues with your current programme and free advice on things that could be done to improve it.
