The Information Commissioner’s Office (ICO) has recently issued a draft Direct Marketing Code of Practice for consultation. The draft Code of Practice builds on existing guidance relating to direct marketing which focused primarily on the Privacy and Electronic Communications (EC Directive) Regulations (PECR) and adds more analysis of the General Data Protection Regulation (GDPR) requirements in this area. It also provides more commentary on the interaction between the two pieces of legislation.
This change in scope is significant, because the draft Code makes it clear that using personal data for direct marketing purposes goes beyond the simple act of sending direct marketing. For example, using data to profile existing customers in order to find new “lookalike” customers to target is a use of personal data for direct marketing purposes, even if the existing customers do not receive any direct marketing themselves. As such, if those existing customers have objected to the use of their data for direct marketing, it cannot be used for the profiling exercise.
Lead generation, the activities of list brokers, data enrichment and cleansing are also within the scope of direct marketing activities, and this means that organisations which do not send direct marketing themselves, but provide services to enable or facilitate third parties to do so, are likely to be caught by it.
In addition, the wider focus allows the ICO to explore new techniques such as online advertising, social media, subscription TV, in-game advertising, location based advertising and connected devices. While the ICO has issued separate notes on ad-tech in the past, the draft Code brings much of its guidance together in one place. However, it is important to note that this still only relates to the use of personal data – non-targeted or contextual online advertising which is not directed to an individual will not be caught by GDPR.
Now that ad-tech and other forms of online advertising are firmly within the scope of the draft Code, there is a section which provides more detailed guidance on what the ICO expects organisations operating in this sector to do. There are specific comments on different forms of technology, but there are a number of common themes. In particular, there is a focus on ensuring that there is an appropriate legal basis for processing and ensuring transparency. The draft Code also confirms that a user of a system such as those provided by social networks to identify a “lookalike” audience is likely to be seen as a joint controller for the activity and will, therefore, be accountable for it rather than simply relying on the technology provider to ensure compliance.
2. Basis for processing
The draft Code confirms that the most appropriate legal bases for processing are likely to be consent and legitimate interests. Where PECR requires consent, the draft Code confirms that consent will be the GDPR basis for processing, but it goes further and comments on several areas where the ICO considers that the legitimate interests test will rarely be met, and consent will therefore be required. Several of these examples are in the digital marketing field and include “intrusive profiling”, tracing, the use of social media “list-based targeting” tools, location based direct marketing and selling or sharing data. Some of these are areas where obtaining GDPR compliant consent may be difficult – or impossible – and could require significant changes to business models.
Transparency is also important - a key concern is the fact that it is less “obvious” how data is used in the context of new technologies, because of the number of different organisations and technological complexities involved. As such, there is a greater onus on organisations to explain it properly. This is particularly important when consent is required, given the GDPR requirement for informed consent – it is hard to obtain consent meeting this standard if data subjects do not understand what they are being asked to consent to.
Even where consent is not required and the legitimate interests test can be satisfied, the draft Code still makes it clear that sufficiently detailed information must be given to meet GDPR transparency obligations. As well as confirming the information which must be given where information is provided directly by the data subject to the data controller, there is now a greater focus on what information must be provided where the information is received from another source, and when and how that should be done.
4. Cookies, Special Category Data and DPIAs
Care should also be taken when using cookies, fingerprinting techniques, tracking pixels and plugins as these will be “cookies” within the scope of PECR, and the draft Code confirms that consent will be required for any such cookies used for online advertising. The draft Code also states that it is unlikely that a cookie wall will enable you to obtain valid consent.
The use of special category data (for example, data about health or race) also requires special care. The draft Code is clear that the only possible condition for using this type of data for direct marketing is with explicit consent. It flags that technologies such as facial recognition technology are likely to trigger this requirement, although facial detection may not – however the draft Code warns against function creep and any use of this type of technology needs to be considered carefully.
Finally, the draft Code emphasises the need to carry out Data Protection Impact Assessments (DPIAs) and lists a number of activities that this is likely to be required for. This covers a number of new technologies, including large scale profiling, data matching, invisible processing, online tracking, online advertising, tracking the geolocation or behaviour of individuals, web and cross device tracking. Carrying out a DPIA requires you to consider and document an assessment of the privacy risks of an activity at an early stage.
Written by Helen Goldthorpe, associate and commercial IT lawyer at Leeds-based corporate law firm Shulmans LLP.
PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.
For more information on upcoming events, visit the website.
comments powered by Disqus