ICO consults on new direct marketing code of practice
17 January 2020
On 8 January 2020 the UK Information Commissioner’s Office (ICO) issued a consultation on a draft direct marketing code of practice which is intended to “provide practical guidance” to help organisations comply with data protection and e-privacy rules – particularly those set out in the General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulations (PECR) – in respect of direct marketing activities.
Just as the GDPR seeks to ensure that data protection law is fit for the digital era, the code will modernise existing guidance by dealing with relatively new data use cases and technologies. It also provides useful (if not welcome) clarification on the situations where, in the ICO’s view, consent is required to lawfully market to individuals.
While the intention may be to provide ‘practical guidance’, the code raises many issues that may not be easy to address in practice. We set out below our top five takeaways from the draft code and, as a bonus, provide a reminder of the consequences if your organisation is unfortunate enough to find itself on the wrong side of the ICO.
If you need any help with the latest guidance, we would be pleased to hear from you.
Key points
1. What is a ‘marketing communication’?
PECR requires consent to send unsolicited ‘marketing communications’ (or, more precisely ‘unsolicited communications for the purposes of direct marketing’) via electronic mail, subject to the ‘soft opt-in’ exemption.
However, many organisations struggle to draw the line between a ‘marketing communication’ and a ‘service communication’ – see, for example, the ICO’s recent £100k fine issued to EE, who thought that their text messages were service related and were not marketing in nature.
Until now, guidance on this point has been sparse. The ICO says on its website that “routine customer service messages do not count… However, if the message includes any significant promotional material aimed at getting customers to buy extra products or services or to renew contracts that are coming to an end, that message includes marketing material and the rules apply.”
The new code expands on the above but, unfortunately, the ICO takes a strict and somewhat inconsistent approach. In particular:
- The ICO says, when determining whether a communication is service or marketing in nature, “a key factor is likely to be the phrasing, tone and context”. A message that actively promotes a product or service will be marketing in nature, but a message that takes a “neutral tone” and is informative is more likely to be viewed as a service message.
- However, the ICO goes on to say that brands cannot “avoid the direct marketing rules by simply using a neutral tone”. The extent to which tone is relevant is therefore unclear.
In summary, for now the best we can say is that the ICO is likely to cast its net wide in respect of what it considers to be marketing. The best question that a brand can ask itself is why it wants to make a particular communication (or, rather, what would the ICO regard as the reason why the brand wanted to make the communication). If the answer is ‘to promote or upsell’, the message will be marketing in nature. If, on the other hand, the answer is that ‘the customer needs the information’, the message is likely to be considered service in nature.
2. In-app push notifications and other new channels are ‘electronic mail’
It’s not just classification of the content that causes a headache – what counts as ‘electronic mail’?
It has always been clear that email and SMS messages count, but the code makes clear that the ICO considers it to include other messages that are stored electronically, including in-app messages and push notifications, and direct messages sent via social media (i.e. private inbox messages and not ads shown, for example, on an individual’s Facebook newsfeed, although such ads are captured by other parts of the code).
3. Social media (and online) advertising – time to obtain consent?
On the other hand, ads served via social media ‘newsfeeds’ do not count as ‘electronic mail’ (but, as above, direct messages to a person’s inbox will count). Does this mean that consent is not required? Not quite.
Firstly, where ads are served using tracking technologies and social media plugins, consent will be required for the use of these technologies. By now, most know that consent is required to use cookies and other similar technologies, so this may be an obvious point. If you would like to read more about this, see our article on the ICO’s recent ‘cookie guidance’ here.
The surprise (for some) however relates to advertising on social media using ‘custom audiences’. This is where a brand provides a list of its customers’ hashed email addresses to (for example) Facebook, which Facebook uses to display the brand’s ads on the customers’ newsfeeds. As an extension of this, brands can use their custom audience to advertise to other Facebook users that share similar traits to their custom audience – so-called ‘lookalike audiences’.
Up until now, the majority of brands have been relying on legitimate interests to use custom audience advertising and have been crossing their fingers in the hope that the ICO will not decide that the customer’s consent is necessary. While the ICO doesn’t firmly put a stop to reliance on legitimate interest in this context, it does say that “consent is the appropriate lawful basis for this processing as it is difficult to see how it would meet the three-part test of the legitimate interests basis” in particular because individuals “are unlikely to expect that this processing takes place”.
As for the lookalike audience, the ICO expresses the view that the brand and social media platform are joint controllers of the personal data that belongs to the ‘lookalikes’. The ICO recognises that the brand will have no direct relationship with the lookalike and, therefore, that the social platform is the only entity that can comply with the obligations owed by controllers under the GDPR – but the onus is on the brand to make sure that the social platform has achieved compliance.
4. The death of legitimate interests for direct marketing?
As we have seen, for some activities consent is required under PECR. Where that’s the case, legitimate interests cannot be used as a lawful basis for processing personal data for that activity for the purposes of complying with the GDPR. This is nothing new, but the guidance makes this clear.
However, where consent is not required under PECR, it is widely believed that legitimate interests might be able to be relied on to process personal data for direct marketing activities. While the ICO (thankfully) clarifies that this is the case, the code shows that it may be difficult to rely on legitimate interests in practice.
Firstly, where an activity requires consent under PECR (for example, to use cookies or to send marketing via electronic mail), the ICO indicates (although does not explicitly say) that consent will usually be the most appropriate lawful basis for ancillary processing of personal data.
Secondly, even where the activity is not ancillary to an activity that does require consent, the guidance makes clear that legitimate interests is not an ‘easy option’ (see, e.g. point 3 above for an example). To properly rely on legitimate interests, organisations need to undertake a careful balancing exercise (a ‘legitimate interests assessment’) to ensure that the rights of the individual do not override the aims pursued by the organisation. In several places the ICO makes clear that, central to such assessment, the use of the data must be in the “reasonable expectations” of the individual and, in many situations, the ICO thinks it would be fanciful to suggest that this requirement is met.
So, legitimate interests may not be dead yet, but in practice it may be difficult to justify. If it cannot be relied on, consent is the only other option insofar as direct marketing is concerned.
5. Profiling – is it in the reasonable expectations of the data subject (the ICO thinks it probably won’t be)?
Direct marketing activities are often complex and go beyond contacting customers to promote the brand. Organisations are increasingly analysing their customers’ behaviour (‘profiling’) to better target direct marketing, or obtain additional data to add to profiles that are already held in order to find new ways to target customers (‘enrichment’).
These activities can be undertaken for direct marketing purposes, but they must always be fair (undertaken in accordance with the reasonable expectations of the data subject), lawful (broadly, it needs to be within the legitimate interests of the organisation or with the consent of the data subject) and transparent (a clear explanation of the profiling needs to be provided to data subjects).
While these principles are relatively easy to understand, in practice it is difficult to ensure that profiling complies with them. The ICO points out that this is especially true when it comes to special category (e.g. health related) data, where explicit consent of the data subject will be required, and – more vaguely – ‘intrusive’ profiling, where it will be difficult to rely on legitimate interests because the processing will not be in the reasonable expectations of data subjects.
It is unclear what the ICO regards as the threshold for profiling to be ‘intrusive’ but, given the ICO’s other examples of processing activities that would not be in the reasonable expectations of data subjects (see, e.g. point 3 above in respect of the use of social media custom audiences), in practice we think that the ICO would find all but the most innocuous forms of profiling are not within the individual’s reasonable expectations. Examples of intrusive profiling given by the ICO where consent will definitely be required include profiling to target vulnerable persons and ‘wealth’ profiling for the purposes of charging an individual a higher price for a product or service.
In respect of enrichment, the ICO says that the purchase of additional contact details for existing customers is likely to be unfair unless the individual “has previously agreed” (consented?) to the organisation having those extra contact details. As always, what the individual has been previously told about enrichment activities will be a key consideration.
6. Breaches of direct marketing rules may attract GDPR-level fines
What is the maximum fine that can be issued by the ICO for a breach of PECR? This is a question that we are often asked. The answer is £500,000 (though regulatory change is on the horizon); however, this is not the end of the story.
The ICO makes clear that, if the code is not followed, organisations will find it difficult to demonstrate that their processing complies with the GDPR too. The ICO reminds us that they have the power to issue fines of up to EUR 20m or 4% of annual worldwide turnover, whichever is higher, for breaches of the GDPR.
Organisations should not assume, therefore, that any circumspect marketing activities will be sanctioned by the ICO under the more ‘relaxed’ powers granted to the ICO under PECR.
Final comment
Organisations should take a look at their direct marketing practices and evaluate whether they need to undertake Data Protection Risk Assessments.
It is also clear that the ICO regards the ordinary data subject as having fairly rudimentary expectations of the processing that organisations undertake. Given that the data subject’s reasonable expectations are a key component of any decision to rely on legitimate interests, we predict that the ICO may challenge the reliance on legitimate interests more and more in the future. It is therefore essential that organisations undertake legitimate interests assessments so that they document and are able to justify their decision to rely on legitimate interests. Absent being able to rely on legitimate interests, when it comes to direct marketing, obtaining the data subject’s consent will likely be the only other option – but that is by no means a simple solution.
Whatever lawful basis is relied on to process personal data, it is important to be as transparent as possible with data subjects (and not bury important information, especially about ‘privacy intrusive’ activities, in privacy notices). This may be easier said than done, as the ICO’s view on what is ‘intrusive’ will inevitably be more restrictive than the view of the average organisation.
The challenge, therefore, will be to find new and easy-to-digest ways of being upfront with data subjects about processing activities. The more you do this, the more likely it is that you will be able to establish that your processing is fair and lawful, too. If you cannot (or don’t want to) be upfront, the ICO say there’s only one answer: “this is a clear sign that you should rethink your intended purpose or processing”.
Finally, it’s worthwhile remembering that the draft code is intended to provide guidance in respect of the law as it currently stands – i.e. under the GDPR (implemented in the UK by the Data Protection Act 2018) and PECR. PECR is the UK’s implementation of EU Directive 2002/58/EC, which is due to be replaced by a new ePrivacy Regulation (EPR). However, the EPR has been held up at the EU legislative stage (the latest draft was rejected by the European Council in November 2019), so it is unclear when or if the EPR will come into effect. Either way, brands and marketers can expect the goalposts to shift over the next few years.