On 08 January 2020 the UK Information Commissioner published its draft Code of Practice on Direct Marketing (the ‘Code’). The Code will be open for public consultation until 4 March.
At over 120 pages the Code is long, covering not only traditional e-marketing but also newer tools increasingly relevant to marketers today, such as social media and adtech. The Code is essential reading for those engaging in direct marketing activities in the UK.
Much of the Code consolidates earlier guidance and won’t come as a surprise to organisations with knowledge of the existing rules. However, there are some important clarifications and updates to previous guidance, particularly in relation to in-app marketing messages, refer-a-friend schemes, and marketing via social network platforms.
Headline points to note include:
End of refer-a-friend schemes?: According to ICO, it is difficult to reconcile refer-a-friend schemes with the requirements of GDPR, as organisations won't know what the referring individual has told their friends about the processing and will not be able to verify whether the friend provided GDPR-standard consent.
The restrictions in the Privacy and Electronic Communications Regulations ('PECR') also apply regardless of whether the organisation messages the friend directly or ‘instigates’ the individual to send or forward the messages on its behalf. ICO therefore conclude that refer-a-friend schemes breach PECR.
Refer-a-friend schemes are effective tools widely used by advertisers and valued by consumers, so ICO’s comments on this front won’t be welcome and pushback from marketers can be expected. It would be worth stakeholders exploring whether a more pragmatic position could be reached with ICO for organisations that do not abuse these programmes.
Custom audience initiatives: Many organisations use custom audience services whereby the organisation shares email addresses or other direct identifiers with a social network provider which the network provider then matches with its user base to allow the organisation to advertise via the social media platform.
According to ICO, it is likely that consent is the appropriate lawful basis for advertising via custom audiences, as it is difficult to see how custom audience tools ‘would meet the three part test of the legitimate interest basis’.
It is not, however, clear why ICO conclude this.
Under GDPR direct marketing is recognised as processing which can be based on legitimate interest.
Further, while in its Update Report on Adtech and Real Time Bidding ICO cites Article 29 Working Party (‘A29WP’) guidance noting that behavioural targeting is unlikely to be justified on the basis of legitimate interest, such A29WP views often relate to scenarios where large volumes of data are collected across sites with little consumer awareness. In contrast, standard custom audience targeting generally works very differently: it does not depend on building large profiles, but simply allows a marketer to reach an individual it already knows in a different (ad-supported) medium.
In taking the view it has, ICO is following the conservative German approach, but this is not typical of the position across Europe where custom audience is currently possible on the basis of legitimate interests.
For look-a-like audiences, i.e. the advertiser asking the social network to build a list of individuals who ‘look like’ the advertiser's own customers, ICO consider that the advertising organisation and the social network will both be joint controllers. As the advertiser won’t have a direct relationship with the individuals in the look-a-like audience, it will need to be satisfied that the social media platform has the appropriate transparency information in place.
The Code's position on custom audience is not exclusive to social media, and will also apply to similar tools in other contexts such as subscription TV and video on demand services.
Service messages: Consent is not required under PECR for genuine service/operational messages. According to ICO, in determining whether a communication is a service message, the key factors will be the phrasing, tone and context of the message. If the message has an active promotional element it is likely to be direct marketing. For example, a mobile network provider sending a text to a customer alerting them that they have reached their data limit would constitute a service message; however, if the message goes on to encourage the individual to buy more data or switch data plans, that would cross the line and constitute direct marketing.
However, the tone alone is not determinative. A message from a supermarket stating ‘your local supermarket stocks carrots’ is still, according to ICO, promotional in nature despite the ‘non-sales’ language used.
Electronic mail covers in-app messages and direct messaging on social media: In an important change, ICO states that in-app messages and direct messages in social media ‘are electronically stored messages’ and treated akin to email for the purposes of PECR (thus requiring consent unless an exemption applies).
The definition in Regulation 22 PECR refers to material being stored ‘in the network or in the recipient's terminal equipment’ and as such is closely linked to traditional email rather than webmail-type communications.
The Code, unhelpfully, does not explain the reasoning for ICO's conclusion, i.e. whether in-app messages are caught because the message is stored on the device (which does not seem correct from a technical perspective), or because ICO view the message as being stored, as opposed to merely transmitted, in the network. Accordingly, industry pushback on this point can be expected.
The ICO is also silent on the European Electronic Communications Code ('EECC'), which will come into law on 21 December. The EECC will bring Over the Top communication providers, for the first time, within the scope of EU telecommunications regulation. These OTT services, which deliver services functionally equivalent to traditional electronic communication providers across an IP network but do not consist wholly or mainly in the conveyance of signals, will also be required to comply with the PECR rules on confidentiality of communications and restrictions on the use of traffic and location data. However, unlike the Code, the EECC does not seek to broaden the rules on email marketing to cover wider types of communications such as in-app messaging.
Incentivisation of consent: While organisations should not coerce or unduly incentivise consent to marketing, some element of incentivisation is permitted - ICO give the example of joining a loyalty scheme, the whole purpose of which is to access money-off vouchers.
However, when it comes to incentives, ICO warn organisations ‘not to cross the line’ and unfairly penalise those who refuse to consent to direct marketing. More prescriptive guidance from ICO on what these red lines are would be welcome, so as to avoid organisations finding out ex post through enforcement action.
Joint marketing activities: Where an organisation is planning a dual branding promotion with a third party, it still needs to comply with PECR regardless of whether it has access to the data used. ICO give the example of a supermarket sending out a marketing email promoting a supported charity. Although the supermarket is not actually passing customer contact details to the charity it still needs to ensure there is appropriate consent from its customers ‘to receive messages promoting the charity’. It is not clear whether the supermarket needs separate opt-in consent to send marketing about the charity. Further clarity on this point would be helpful.
Legitimate interests: Where consent is not required under PECR or GDPR, organisations may be able to rely on legitimate interest for the marketing activity, subject to carrying out a legitimate interest balancing assessment.
ICO provide some helpful guidance for organisations carrying out these assessments in practice: (1) the fact that GDPR states that direct marketing may be a legitimate interest should help organisations satisfy the legitimate interest purpose test, provided the activity is carried out in compliance with e-privacy laws and other industry standards; (2) in the assessments, organisations should avoid undue focus on the presumed benefits of the marketing to customers (such as discounts or offers), as this is ‘unlikely…to add much weight to the test’; (3) it is difficult to pass the balancing test if individuals were not given a clear opt-out when their data was initially collected; and (4) the balancing exercise must consider whether people would expect their data to be used as the organisation proposes, the potential nuisance factor of unwanted marketing messages, and the effects the methods and frequency of the communications might have on vulnerable individuals.
According to ICO, marketing activities which individuals were not told about, i.e. so-called ‘invisible processing’, are particularly difficult to justify on the basis of legitimate interests, as are activities that collect and combine vast amounts of personal data for profiling purposes.
Making a service conditional on direct marketing: In most cases, it is unlikely that organisations can make direct marketing a precondition to a product or a service (such as, to use an example from the Code, a train service making passenger wifi conditional on opt-in consent to marketing). However there are exceptions to this rule: ICO point to retail loyalty schemes operated purely for the purposes of sending members marketing offers. Operators of such schemes still need to be upfront and clear about the purposes of their processing, and to send marketing they must have consent from the scheme members where required by PECR.
Using special category data in direct marketing: Organisations can only use special category data for marketing purposes - including drawing inferences about likely race, ethnicity, political beliefs, health or sexual orientation - if they have the individual’s explicit consent.
Helpfully, ICO note that merely having a list of customer names will not trigger Article 9 GDPR, even if those names are associated with a particular ethnicity or religion, unless the names are specifically used to target marketing based on those inferences. Similarly, an organisation inferring special category data from a customer list due to the nature of the organisation's products (for example, where the organisation sells disability aids) does not trigger Article 9 GDPR unless specific information about the individual’s condition is held or the organisation specifically uses the data for marketing purposes.
ICO’s comments here are broader than those in its Update Report on Adtech and Real Time Bidding, where ICO suggests that the use of special category data in order to avoid serving ads against certain types of content would amount to the unlawful processing of special category data. ICO’s more flexible approach in the Code is to be welcomed and is in line with the similarly pragmatic approach seen in the European Data Protection Board’s 2019 opinion on video surveillance that notes video footage which captures information which could be indicative of disability or religious belief would only be considered special category data if it was actually being used to deduce special category information about the individual.
Elsewhere on special category data, ICO unsurprisingly note that it will be difficult for marketers to use biometric facial recognition technology to display direct marketing to specific individuals given the challenges of complying with the lawfulness, fairness and transparency principles in GDPR.
Duration of consent: The Code reminds organisations that consent to marketing does not last forever. The validity of consent depends on the particular circumstances of the case, including (1) the context in which it was given; (2) the nature of the individual's relationship with the organisation; and (3) the individual's expectations.
Where an organisation obtains consent via a third party, ICO warn that while the individual may have been happy to hear from the organisation when they gave the consent, they are unlikely to expect to start receiving messages at a much later date. To add to the woes of data vendors, ICO repeats its best practice recommendation that organisations do not rely on consent obtained by third parties that is more than 6 months old.
Providing notice for indirectly collected data: Where organisations obtain data indirectly, under Article 14 GDPR the organisation must provide the privacy information within a reasonable period and at the latest within one month of obtaining the data, or at the time of first communication with the individual or disclosure of the data (if sooner). Helpfully, ICO confirm that where an organisation buys in data from a data vendor it can send out the privacy information alongside the marketing materials. Therefore, organisations that act promptly within the notification timeline in Article 14 may be less reliant on their data vendors providing the full list of Article 14 transparency information to the individual (although, where required by PECR, organisations still need to rely on the vendor to obtain consent for sending the communication).
Disproportionate effort exemption to giving notice: Article 14(5)(b) GDPR provides an exception from the requirement to give notice where it would involve disproportionate effort.
Some regulators have read down this exemption suggesting it only applies in the context of archiving, research, or statistical processing (an interpretation which is not supported on a literal reading of GDPR). The Code does not say this.
The Code notes that if the processing has a minor effect on the individual then it may not be proportionate to put significant resources into informing individuals. However, the comments are cautionary, particularly in the big data/data mining context, with ICO warning that organisations are unlikely to be able to rely on the disproportionate effort exemption where they are collecting personal data from various sources to build an extensive profile of an individual’s interests and characteristics for direct marketing purposes.
Public information ≠ fair game: The Code reminds us that just because information is publicly available does not mean it is fair game. As ICO note ‘an individual may want as many people as possible to read their social media post but that does not mean they are agreeing to have that data collected and analysed to profile them to target…direct marketing campaigns’. In such contexts, GDPR is applicable and organisations are still required to provide privacy information to individuals unless an exemption applies.
Buying additional contact details: According to the Code, ‘in most instances buying additional contact details for existing customers is likely to be unfair, unless the individual has consented’. It doesn't matter how clearly this practice is explained in the privacy notice. The rationale here is that individuals should have a free choice about which channels they use for direct marketing and an organisation buying in alternative contact details erodes this.
Tracing/data cleansing: The Code confirms that using data vendors to cleanse marketing databases of deceased individuals is permitted as GDPR only applies to living data subjects.
However, organisations are unlikely to be able to justify using tracing services to find the new addresses of individuals who have moved. For example, ICO state that a university would not be allowed to use a data broker to find updated address details for its alumni. This is a conservative view worthy of review in the consultation.
Pixel tracking in email: In line with ICO’s recently updated Guidance on Cookies, the Code reminds organisations that if pixels or similar devices are placed in email marketing messages so as to measure open rates or similar metrics, then consent will be required under Regulation 6 PECR (i.e. under the cookie consent rule). This is in addition to the consent required under Regulation 22 PECR for the sending of the email marketing message itself. This is a widespread practice which has generally flown under the radar, but organisations will now need consent for tagging email messages in this way. The soft opt-in won’t help organisations either: the exemption can only cover the sending of the message and will not extend to placing the cookie.
Cookie walls: According to the Code, and in line with ICO’s previous Cookie Guidance, cookie walls, i.e. requiring users to consent to cookies before they can access a website, ‘in many circumstances’ won’t be ‘appropriate’. As in the Cookie Guidance, ICO have not totally prohibited cookie walls, which reflects the fact that this is a difficult area given the policy considerations in play, notably the fact that many websites and e-commerce platforms rely on targeted advertising to monetise otherwise free content. For organisations for whom this is a particularly important issue, the public consultation on the Code may be another opportunity to re-lobby ICO on this matter.
DPIAs: The Code promotes the use of DPIAs. It considers that they are required for any direct marketing which targets children, or which involves large-scale profiling or wealth profiling. It also recommends them for any use of new technology, and suggests that a DPIA will likely be required for profiling, data matching, invisible processing (which, somewhat oddly, ICO considers includes online advertising in general, notwithstanding the informed consent requirements for cookies), use of location data and running loyalty schemes. Indeed, ICO suggests that it is likely that all direct marketers will need to carry out a DPIA and that completing these will help bring broader financial and reputational benefits and build trust and engagement with individuals. DPIAs are unavoidable for processing which poses a high risk and, in this situation, a rigorous analysis of the impact of the processing and ways to mitigate risk is appropriate and helpful. However, suggesting this level of documentation and analysis for the wider types of direct marketing identified by ICO is excessive and risks producing a counter-productive, box-ticking culture.