Some Thoughts on the New ICO Direct Marketing Guidance

The ICO recently published a draft code for consultation of their direct marketing code of practice, which provides some great insights into how the ICO believe GDPR and PECR should be applied with relation to Direct Marketing.

If you're interested, you can read the draft and provide feedback by March 4th here.

What is Direct marketing?

The ICO defines Direct Marketing in the DPA 2018 as following:

““direct marketing” means the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”

So this means:

  1. Email marketing
  2. SMS Marketing
  3. Push Notification marketing
  4. Physical mailing
  5. Phone calls
  6. In-app messaging
  7. Advertising (where people are targeted specifically)
  8. Remarketing (via cookie, pixel, or other data sources)
  9. Other emerging channels that can fit the definition of direct marketing

Specifically, this guidance calls out the fact that not only does both the GDPR and PECR apply to the activity of direct marketing but also to any underlying data processing that enables that activity.

This can mean processing activities like:

  1. lead generation
  2. data enrichment
  3. data cleansing
  4. audience segmentation
  5. asking for marketing consent
  6. etc

There's a lot to unpack here, but what's important to understand is that this guidance makes it clear that the guidelines are quite broad and expands the definition of direct marketing beyond what a lot of us are typically used to.

What Isn't direct Marketing?

This one's a bit easier, essentially if an "individual" is not the target for the direct marketing activity, such as for a postal mailing targeted at a general geographic area, a magazine insert or a general advert shown to everyone such as a billboard or some online banners.

The guidance also clearly calls out "service messages", which constitutes messages sent for administrative or customer service purposes. For example an order confirmation email. However you must be careful and ensure your "service message" is not in fact a marketing message.

In order to determine whether a communication is a service message or a direct marketing message, a key factor is likely to be the phrasing, tone and context.

If a message is actively promoting or encouraging an individual to make use of a particular service, special offer, or upgrade for example, then it is likely to be direct marketing. However if the message has a neutral tone and simply informs the individual for example of a benefit on their account then these are more likely to be viewed as a service message.

The Importance of Planning

One of the key principles of the GDPR is "data protection by design and default" and this remains important when planning your Direct marketing activities.

You must be clear which legislation applies to your direct marketing activities so you can follow all the relevant rules. In some cases only the GDPR or only PECR will apply, but in other circumstances both may apply. For example, if you are processing personal data when sending direct marketing by electronic message or when using cookies (or similar technologies) for direct marketing purposes.

Some things you should consider at this stage are:

  1. Who is your audience? Are you targeting individuals or business contacts?
  2. What personal data is necessary to carry out your planned marketing activities?
  3. How do you plan on securing any data you collect?
  4. Will personal data be transferred overseas?
  5. How do you plan on supporting individuals' rights with regards to their data?
  6. How long do you plan on retaining data?
  7. How are you going to ensure that your direct marketing activity is going to be lawful?

If you're planning on carrying out certain "high risk" activities, you'll need to complete a data protection impact assessment (DPIA)

  1. Large scale profiling
  2. Invisible processing (i.e. with cookies or other tracking tools)
  3. Targeting if you deal with vulnerable individuals such as children
  4. Behavioural tracking

If in doubt, carry out a DPIA.

What's a lawful basis for data processing?

The GDPR lays out 6 lawful basis for data processing:

  1. Consent
  2. Contract
  3. Legal obligation
  4. Vital Interests
  5. Public task
  6. Legitimate interests

More specifically, the two you're likely to be looking at are Consent and Legitimate Interest.

One thing that's odd here is that the ICO seem to be pushing marketers into using Legitimate Interest rather than Consent, as using Consent as your lawful basis implies you need Consent for all other processing that occurs to make the Direct Marketing activity possible.

PECR requires consent for some methods of sending direct marketing. If PECR requires consent, then processing personal data for electronic direct marketing purposes is unlawful under the GDPR without consent. If you have not got the necessary consent, you cannot rely on legitimate interests instead.

One thing to note is if you're using Consent you'll need to keep records of those consent actions, if you're using Legitimate Interest you should document how it applies to your processing.

Consent

Consent must conform to the GDPR definition, that is:

“any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”

Soft opt-in is not Consent.

Pre-ticked opt-in boxes are banned under the GDPR. You cannot rely on silence, inactivity or default settings – consent must be separate, freely given, unambiguous and affirmative. Failing to opt-out of direct marketing is not valid consent.

Legitimate Interests

If you're not using Consent as your basis for processing, you'll likely be using Legitimate Interests, which are defined as:

“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

You'll typically want to look at whether your processing meets the purpose, necessity and balancing tests by carrying out a legitimate interests assessment (LIA).

When GDPR came out, Recital 47 turned a lot of heads in the industry with the following:

“…The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”

What's important is an emphasis on may be. You still need to prove that processing data for Direct Marketing under a Legitimate Interest basis meets the prior criteria. I can't stress enough how important it is to conduct a LIA here.

The ICO also call out instances where it's going to specifically be hard to use Legitimate Interest as your basis for processing. These scenarios are:

processing for direct marketing purposes that you have not told individuals about (ie invisible processing) and they would not expect;

collecting and combining vast amounts of personal data from various different sources to create personality profiles on individuals to use for direct marketing purposes.

Lead Generation

The ICO definition here isn't going to rock any boats.

  1. Individuals who buy your products or support your cause, ie those who have a direct relationship with your brand
  2. Third parties who sell of rent contact lists
  3. Data you scrape from publicly available sources

At all times, you'll need to make sure that your processing continues to be fair, lawful and transparent.

Regardless of the way you're going to be generating leads, make sure you have a publicly accessible privacy policy that outlines exactly how and why you're processing people's data for lead generation.

One thing to note is that if you're collecting data from sources other than directly from the individual in question, you should tell them the source of the data you're using, within at most a month of you acquiring the data.

If it's disproportionately difficult to tell an individual what you're collecting and how you're using that data, you must specify as such in your privacy policy - personally I think you should change your business practices.

When collecting data for direct marketing purposes, make sure you're not being vague as to the purpose for which you're collecting the data.

You need to clearly explain the purposes for which you want to process the individual’s personal data for. Vague terms such as ‘marketing purposes’, ‘marketing services’ or ‘marketing insights’ are not sufficiently clear. These terms are wide and potentially cover all sorts of processing for direct marketing purposes such as sending direct marketing messages, profiling or analysing individual’s behaviours.

If you find it difficult to explain what you will be doing with people’s personal data, or you do not want to be transparent because you think they might object to that processing, then this is a clear sign that you should rethink your intended purpose or processing.

In any case, be clear and upfront when collecting data, if you're collecting data from other sources, you will need to make sure it is brought to the individual's attention.

List purchase or rental

This one's pretty clear cut.

It is important to remember that you are responsible for ensuring compliance with the GDPR and PECR. Simply accepting a third party’s assurances that the data they are supplying is compliant is not enough. You must be able to demonstrate your compliance and be accountable

Make sure you're carrying out appropriate due diligence when renting or purchasing data.

Profiling and Data Enrichment

You're likely using profiling when you carry out segmentation for your direct marketing campaigns, or when thinking about automated personalisation, for example, what products to promote to an individual.

Be careful if you're using Legitimate Interest as your basis for profiling an individual

If explicit consent is not required and you are considering using legitimate interests as your lawful basis, you need to give careful consideration to the three-part test. It is unlikely that you will be able to apply legitimate interests for intrusive profiling for direct marketing purposes. This type of profiling is not generally in an individual’s reasonable expectations and is rarely transparent enough.

Most of us are unlikely to fall afoul of the rules regarding automated profiling that may have legal or otherwise significant effect on an individual, if you do, probably stop reading this and go speak to a lawyer instead.

Matching or appending data is unlikely to be fair.

In most instances, buying additional contact details for your existing customers or supporters is likely to be unfair, unless the individual has expressly agreed.

This is likely to be true no matter how clearly you explain it in your privacy information that you might seek out further personal data about individuals from third parties. This is because it removes people’s choice about what channels you can contact them on for direct marketing purposes.

Data cleansing and tracing services are unlikely to be fair to individuals.

If you're using third parties to help you profile or enrich data, you are accountable for this and must ensure those third parties are appropriately compliant.

A reputable third party should be able to demonstrate to you that the data is compliant. If they cannot do this, or if you are not satisfied with their explanations, you should not use the data.

Don't forget to tell affected individuals that you're using profiling or enrichment services in a clear and far manner with an adequate lawful basis.

Direct marketing

Now we get to the interesting stuff...

DM by Post

Covered under the GDPR, not PECR.

Don't try to be sneaky, the ICO are onto you.

If you conduct a mail drop addressed to ‘the householder’ or ‘the occupier’ this is unlikely to constitute direct marketing because it is not directed to a particular individual. However you cannot use this as a way to get around the GDPR. If you process an individual’s data to target them with advertising, merely omitting that individual’s name from the final marketing communication does not prevent the processing being for direct marketing purposes.

DM by Live Call

Depending on the type of call, PECR will apply under different provisions.

You can call numbers not registered on the Telephone Preference Services (TPS) or the Corporate Telephone Preference Service (CTPS) without consent, but only if there has been no prior objection.

Even if you have spoken to an individual in the past, if a number is added to the TPS or the CTPS you can no longer call them. The only way around this is via Consent from the individual in question.

DM by Automated Call

These are only allowed if you have specifically obtained consent for this activity. No ifs no buts.

You can only make this type of call if you have consent. General consent for direct marketing, or even consent for live calls, is not enough. The consent must specifically cover automated calls from you.

DM by Email or SMS

This is covered under PECR regulation 22, and defined under Regulation 2 as:

“any text, voice, sound or image message sent over a public electronic communications network which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient and includes messages sent using a short message service”

The definition is suitably broad as to also encompass things such as voicemail, in-app messaging, direct messaging on social media and more.

In most scenarios you'll be carrying out this activity under either Consent or Legitimate Interest.

Consent to receive a phone call is not consent to receive SMS , this goes back to earlier points about appropriate planning for your DM campaigns, make sure you collect the consent you need for planned activities.

Got a tracking pixel in your email? Of course you do. Make sure you're following this guidance.

If you use ‘tracking pixels’ within your direct marketing emails then you need to be aware that:

  • regulation 22 applies to the email itself; and
  • if the pixel involves storing information, or accessing information stored, on the device used to read the email – such as its location, operating system, etc – then PECR’s rules on cookies and similar technologies (Regulation 6) will also apply.

A soft opt-in can be used for sending this type of DM, but you'll need to make sure you meet the 5 requirements:

  1. You obtained the contact details;
  2. In the course of a sale or negotiation of a sale of a product or service;
  3. Your similar products and services are being marketed;
  4. Opportunity to refuse or opt-out given when you collected the details;
  5. Opportunity to refuse or opt-out given in every communication.

B2B Marketing

You can send email or SMS DM to B2B subscribers without consent, however you must still allow them to unsubscribe.

The PECR rules on marketing by electronic mail (eg email and text messages) do not apply to corporate subscribers. This means you can send B2B direct marketing emails or texts to any corporate body. However you must still say who you are and give a valid address for the recipients to unsubscribe from your emails.

However, you must be careful as sole traders and some partnerships are still treated as individuals.

Because sole traders and some partnerships are treated as individual subscribers you can only market them by electronic mail if they have specifically consented, or the ‘soft opt-in’ applies.

The GDPR may not apply in scenarios where you are contacting role based addresses, such as [email protected], however it does still apply when you have the name or number of a business contact, such as [email protected]

Online Advertising

Unlike marketers, most people are unlikely to know how cookies and other technologies are used for marketing purposes. As a result, you need to be transparent and fair (not to mention lawful) with how these technologies are used for direct marketing purposes.

Due to the nature of this type of processing, you are likely to have to conduct a DPIA for this type of direct marketing.

This guidance implies that cookie-based advertising can only be done via a GDPR level of consent. That is, no Legitimate Interest and no soft opt-in.

If you are planning to use cookies for direct marketing purposes (whether or not they are targeted on the basis of those users’ personal data), you need to comply with Regulation 6 by:

  • providing users with clear and comprehensive information about the cookies etc that you intend to use; and
  • getting their consent (which must be to the GDPR standard).

This applies whether the cookie is yours or a third parties (Facebook, DoubleClick, Criteo, etc)

Similar rules apply when talking about SDK's used in apps vs cookies on websites.

If relying on unique identifiers provided by Android or iOS, these fall under Recital 30 of the GDPR and can be considered to the personal data.

Individuals are unlikely to be aware of list-based targeting on social media platforms, it's likely that you'll need Consent for this type of activity

You must be upfront about this processing. Individuals are unlikely to expect that this processing takes place, therefore you should not bury information about any list-based tools you use on social media within your privacy information. It is likely that consent is the appropriate lawful basis for this processing as it is difficult to see how it would meet the three-part test of the legitimate interests basis. However you will still need to ensure you also meet transparency requirements.

This applies whether you are targeting these individuals directly or whether you're using their details to create lookalike audiences.

Individual Rights

When carrying out data processing activities for direct marketing purposes, you have to remember that individuals have rights under the GDPR, specifically the rights to:

  • Object
  • Rectification
  • Erasure
  • Access
  • Restriction
  • Data portability

Individuals retain the right to object to their data being processed for Direct Marketing purposes.

This is an absolute right. If someone objects, you must stop processing their personal data for these purposes. There are no exemptions or grounds for you to refuse the objection.

This right does not only apply to the direct marketing itself but any data processing activity for the purpose of direct marketing, such as profiling or for advertising lists.

Conclusion

It's clear from this draft guidance that the ICO have their eye on some of the more nefarious activities that marketers have been up to, specifically around areas that were previously lacking clarity, such as regarding the use of cookies for advertising or analytical purposes or with regards to uploading lists of personal data to third parties such as Facebook or Google.

This guidance also provided some much needed clarity around how Consent and Legitimate Interest can be used and where the soft opt-in can apply - these areas were previously quite ambiguous and this clarity goes a long way towards preventing some of the behaviour that was observed.

It remains to be seen whether the ICO have sufficient funding to actively enforce the GDPR and PECR.

My opinions and interpretations are no replacement for reading the guidance, read it.