This is part of a series of articles on the ICO’s draft Direct Marketing Code of Practice. The consultation is open until the 4th March 2020. We look at the guidance on the direct marketing channels including post, telephone and online advertising.

Direct marketing channels

The section on each marketing channel has useful basics. The examples are also helpful although some could go further. Instead of saying something is wrong, there could be guidance on how to carry out the activity compliantly. For instance the example of the charity under ”Direct Marketing by “live” calls”.

A charity has called an individual in the past to fundraise. The individual has never specifically objected to receiving the calls nor did they specifically consent to the direct marketing calls.

 When undertaking its regular screening against the TPS the charity notices that the individual has now registered their number on the list. The charity might be confident in light of its past relationship with the individual that they would not object to further calls, however it will breach PECR if it continues to make direct marketing calls to that individual.”

This is confirmation that you should take the latest indication from the individual. However what would be helpful would be guidance on how the charity could acquire opt-in consent for telephone marketing from their supporter.

“Direct marketing by electronic mail (including email and texts)” specifically says Regulation 22 applies to “in-app messages and direct messaging on social media”, However examples would make this easier to understand, This would be especially beneficial for SMEs who don’t have the benefit of in-house social media teams.

There is expanded guidance on B2B direct marketing. This explains the difference between employees of a corporate organisation and a sole trader/ordinary partnership. There is clear guidance that data protection rules apply to all business contact information. You need to carry out normal checks and due diligence as this is personal data.

Direct marketing channels: Online advertising and new technologies

If you process personal data for your marketing online, the rules will apply. So marketing on a website, a social media platform or in an app. There is also guidance on the use of cookies for your marketing online.

Regulation 6 of PECR requires you to gain consent for any cookies you use, unless one of the two exemptions apply. This is regardless of whether the cookie processes personal data. The draft should include specific mention of the two stage process needed for online marketing. The need for consent to place the cookie in the first place and then a lawful basis for the direct marketing itself. An example here would help organisations understand how to comply when undertaking online marketing.

Clarifying the relevance of the rules in PECR with regard to social media is welcome. Using personal data either supplied by the user, observed by the platform, or inferred/derived about the user, does not fall within the definition of “electronic mail”. PECR therefore does not apply. However, the direct marketing rules will, as the personal data is processed for the purposes of a marketing message. Both the rules in PECR and the direct marketing rules will apply to direct messaging on social media.

Guidance on social media “list-based” targeting tools, so Facebook Custom Audiences or LinkedIn Contact targeting is also welcome. This was not specifically covered before. Although not subject to PECR, they are covered by GDPR as personal data is involved. You need to be clear, transparent and upfront about these activities. The ICO’s view that you can only do this under consent is understandable, but I believe there is scope to consider legitimate interests. A well thought through Legitimate Interest Assessment (LIA) will be essential.

There are similar considerations when dealing with “lookalike audiences”. They are more difficult, as there is no direct relationship with these individuals. You need to rely on the social media platforms to assist with your transparency obligations. If your customers/supporters have objected to direct marketing you cannot use their data for this purpose.

The code looks at other technologies. This is the first time OTT services, facial recognition/detection, in app advertising and location based marketing have been covered. There is a helpful example of the questions to ask when carrying out due diligence before using these new technologies.