Direct Marketing Code of Practice consultation – response.

Here is my full response to the consultation.

Dear Sir/Madam

JP Legal Assist has welcomed the opportunity to response to this consultation. The company was formed earlier this year by Janine Paterson, who previously worked at the Data and Marketing Association, to provide advice on marketing and advertising law to its clients.

Direct Marketing Code of Practice consultation.

This consultation comes at an important time for the industry, with new and innovative ideas and technology playing a large part in many organisation’s marketing. The GDPR has provided a welcome opportunity to ensure the use of personal data for any purpose, but specifically for marketing, is done with the privacy interests of the consumer in mind, but without unfairly restricting an organisation’s right to market its products and services.  

Direct Marketing Code of Practice consultation – response

The code overall is a vast improvement on the previous guidance and it is clear you have thought about the structure to make it understandable by organisations in this industry and the public. I have comments on many aspects of the draft, some favourable but others where I believe you need to rethink your approach.

What is the purpose of this Code

The code makes clear the difference between the GDPR and PECR in terms of the type of data it covers, which has not really been set out in the past. Many people do not understand the difference and do not realise that PECR covers any data, personal or not, which is important to understand, especially in terms of cookies and other technologies.

What happens if we do not comply with the code?

It is clear the guidance will form the basis of any investigation into non-compliance with data protection rules. What is not clear is the status of best practice recommendations within the code, which often go far beyond the legal position. It would be beneficial to have a paragraph in this section setting out how you see best practice and a clear statement that any failure to adhere to this will not form part of any investigation into non-compliance with the code.

Does the Code apply to us?

The definition of “direct marketing” only comes from UK legislation, first the Data Protection Act 1998 and now in the 2018 version, having never been defined in the European legislation from which they derive. There has always been a wide definition in the past and in the draft code this continues. The definition of what constitutes “advertising or marketing material” is also very wide. However the example given  on page 17 under “What is “solicited” and “unsolicited” marketing, appears to impose such a wide definition of “marketing” that has the practical effect of bringing any communication, requested or not, under the rules.

“Example An individual submits an online form to a double glazing company requesting a quote. By sending this quote to the individual the company is responding to the individual’s request, and so the marketing is solicited. “

When is a specifically requested quote for a product or service “marketing”? If I have asked for a price for something and I am provided with a quote, surely that communication is a service message. They are doing what I have asked for. Even including information about the products or service I have asked about is not marketing. It is providing the information requested and that they legally have to provide under consumer legislation (Consumer Contracts Regulations 2013).  If they include additional information about things I have not asked about, this may then be deemed a marketing communication, but just giving me what I asked for is not marketing nor is it an unsolicited communication, so the rules in this example do not apply on both counts: This is not direct marketing and the email is not unsolicited.

The definitions of “advertising or marketing materials” and “unsolicited/solicited” needs to be reconsidered as they are far too wide which is an unnecessary restriction on an organisation’s activities.

Market Research

Genuine market research is not direct marketing, however what is not clear is whether asking individuals questions about your products and comparing them with a competitor’s products would still be seen as market research or whether this becomes direct marketing as you are potentially promoting your own products/brand. An answer to this with an example would help to explain how to avoid market research unintentionally turning into direct marketing.

Service messages

The code provides a good explanation of what a service message is, although there is still uncertainty whether a communication is a service or marketing message, as this will depend on the content and context of the message, a subjective assessment.

It would be good to have some examples here, for instance is a brand tagline ok to include and what about links to the brand’s website?

Regulatory communications

Many organisations that are regulated, for example energy, have an obligation to tell their customers various things, including in some cases that they may get a better deal with a competitor. Are these service messages? It would seem again to depend on the content and context of the communication but an example would be useful.

Public sector comms

Here again an example would assist in showing what a local authority could include in a communication about its statutory services without straying into marketing. The GP example shows that how you say something is as important as the wording itself when deciding whether it is a service or marketing communication.

Data protection by design

There is a good set of questions to consider before you embark on your marketing campaign, and these are relevant for a simple direct mail piece or a wide reaching online/social media campaign. The clarification of how the different parties within the campaign are responsible for compliance is helpful.

DPIAs

This is a good summary of the circumstances when you need a DPIA, although it would be good to have a link to the European guidelines referenced. The best practice recommendation, on page 29 is confusing. The draft code sets out when one should be carried out, but then recommends that you carry out one anyway. This could lead to a tick box mentality if organisations always do one, as when a DPIA really is necessary, it may not be done with the care and attention it should.

Lawful basis

Consent and legitimate interests are the only two lawful basis that can be used for marketing, but in my view, both can give choice and control to individuals if done correctly. The important thing to remind marketers is the interaction with PECR. If you need consent for your marketing activities under PECR then I would agree there is no point trying to argue LI as your lawful basis under the GDPR. However PECR does not always require consent. For live phone calls to non TPS/CTPS numbers, email and sms marketing carried out using the soft opt-in and email and sms marketing to corporate customers, you can use legitimate interests. So there is a need to consider your audience when deciding on your lawful basis.

The best practice recommendation on page 31 is terrible. Both lawful bases are equally valid, and both have their advantages and disadvantages, so to dismiss one arbitrarily seems ill considered. As stated neither is easy but both have their place in responsible marketing.

The short summaries for consent and legitimate interest are good but a link to the further detailed guidance on these would be useful.

Accurate and up to date

This is useful confirmation that you do not need to go out and “update” the personal data you have if the individual does not tell you themselves that something has changed. So if an individual has moved, you only need to record this on their record, but unless the individual tells you their new address, you should not take steps to find out this information yourself. Many organisations wrongly assume that they should do this as part of their responsibility to keep data up to date, so this is timely confirmation.

Lead generation

The draft code confirms the information you need to tell people when you collect their data, whether directly or from another source. It also states that if you acquire the data from another source, when communicating with the individual you need to “name the third party” from whom you acquired their data, but it is not clear where or how you need to do this. The draft refers to “privacy information” but I am not sure what this is referring to. Is it satisfactory to do this in your privacy policy and bring this to the individual’s attention or do you need to do this on the first communication to them? If so, then is this the specific supplier who supplied the data or must you list all your third party suppliers?

It is clear you need to tailor the explanation of what you want to do with the data to your audience and be especially clear for children and other vulnerable individuals. The draft has an example of wealth screening and what is considered unacceptable, but an example of what would be compliant would be more valuable.

Direct Marketing lists

The draft confirms that if you are buying or renting a marketing list it is your responsibility to carry out due diligence and ensure that it has been collected fairly and transparently and that you can use the list for your intended purpose. What I think would be helpful would be some guidance in terms of the responsibility of the seller of the list to ensure the buyers complies with the GDPR in their activities. Surely the responsibility of the seller does not stop once the sale/rental has gone through. The seller cannot sell to anyone and not be responsible for any potential consequences?

This section covers collecting contact details for traditional third party marketing, and for “refer a friend/viral marketing”.  What is missing is “hosted” marketing and a mention of the due diligence needed would be helpful. Reference to guidance later in the code on undertaking host marketing using specific marketing channels can then be made.

Data enrichment.

You appear to have incorporated guidance from the Fundraising paper presented at the Fundraising Conference in 2017 within the code. This is a good addition as it sets out the need for consideration of why you want the personal data and the basis on which it was collected in the first place. I would however suggest you reword the second paragraph on page 61, as the third party could use legitimate interests to acquire permission to pass on the contact details depending on the channel.

Direct marketing channels

The section on each channel has useful basics. The examples are also beneficial although some could go further and provide guidance on how you could carry out the activity compliantly. For instance the example of the charity under” Direct Marketing by “live” calls” .

“A charity has called an individual in the past to fundraise. The individual has never specifically objected to receiving the calls nor did they specifically consent to the direct marketing calls.

 When undertaking its regular screening against the TPS the charity notices that the individual has now registered their number on the list. The charity might be confident in light of its past relationship with the individual that they would not object to further calls, however it will breach PECR if it continues to make direct marketing calls to that individual.”

This confirms previous advice, repeated later in the draft, that you should take the latest indication from the individual but it would be helpful to have guidance on how the charity could acquire opt-in consent for telephone marketing from the individual.

Email/texts

The section on “Direct marketing by electronic mail (including email and texts)” on page 72 specifically mentions that Regulation 22 of PECR applies to “in-app messages and direct messaging on social media”. However there is no expansion on this nor any examples which would make this easier to understand, especially by small and medium sized traders who don’t have the benefit of in-house social media teams.

Third party marketing

The section on page 82 on “Can we use third parties to send out direct marketing” is confusing and incomplete. The first example is a controller/processor situation where the third party sends out the marketing of the controller on its behalf. This is not third party marketing.

I suggest you have a third party marketing section, as you have in the current guidance covering the three main ways to carry out third party marketing:

1.         Company A collects and sells a marketing list to company B for them to send marketing messages about their products/services

2.         Company A sends out marketing to its own customer database promoting the products/services of named third parties

3.         “viral marketing” – either asking your customers to send your marketing message to their friends/family or asking them to provide the contact details of their friends/family for you to send marketing communications.

Viral marketing is covered on page 83 under “Can we ask individuals to send out direct marketing”. This however only covers email and sms marketing and there should be clarification that although this is virtually impossible to do compliantly using these channels, other channels that are not subject to PECR are still possible.

There then needs to be an explanation of the other two ways to carry out third party marketing, starting with the traditional collection of personal data for a marketing list and how this can be done compliantly for each marketing channel.

Host marketing

As you know this is where an organisation sends the marketing of third parties to their existing customers. This could be purely promoting the third party, or a dual branding promotion containing promotion of both parties. A classic example of this is in the draft Code. A supermarket promotes the work of a charity to its customers, thereby also promoting the aims and ideals of the supermarket.

The code needs a section specific to host marketing which covers all marketing channels, with more explanation on using electronic channels, as PECR becomes involved. This is still an area that causes confusion and this is the ideal place for some real guidance on how to do this compliantly. Under the current Direct Marketing Guidance, it was my, and many others understanding, that host emailing was preferable to the more traditional form as there is no sharing of the personal data by the organisations. The controller would obtain permission from their customers to send them marketing from third parties.

The third party would not acquire the personal data unless the recipient of the host communication directly contacted them as a result of the marketing and provided it first-hand.

However the code has introduced an additional element to hosted emailing, removing the benefits of this over traditional third party marketing, an ill-conceived move in my opinion. PECR applies to the “sender” or “instigator” of the communication. “Instigator” is not defined in PECR and has never been applied to direct marketing in the past. It now appears that “if you encourage, incite, or ask someone to send your direct marketing message” you are likely to be considered an instigator. The practical result of this is that the third parties featured, as well as the organisation sending the hosted email/sms, will need GDPR standard consent from the intended recipients. The third parties will also need to be named; categories of third parties would not be sufficient.

I believe the introduction of “instigator” is a way to deal with the Information Tribunal decision in the appeal by Xerpla. The Tribunal decided that Xerpla were providing a “service” to its subscribers, in that they signed up to receive third party marketing offers. The hosted emails were providing what the subscriber had agreed to. This was therefore not “direct marketing” and not an “unsolicited” communication. I cannot see the “mischief” in this arrangement that would need such a drastic reaction. Hosted emails are a privacy friendly way to carry out direct marketing: consumers are protected, and fully aware of what they are getting into, with businesses able to provide those consumers with exciting new products and services which will be of interest and value to them.

In practice many third parties do not have control over how and when their marketing is included in a host mailing as the brand controller has the final say on who they will feature. Having so little control over where their direct marketing appears is not the definition of an instigator in my view. This needs serious reconsideration as it is unnecessary, unfairly restricting organisations from legitimately promoting their products and services. There are minimal privacy risks to the consumer but there is a huge responsibility on the controller to ensure that not only are their customers fully informed about the types of offers they will receive emails about, but also a requirement for proper due diligence on the third parties wanting to promote their products and services. Are the offers suitable for the controller’s customers? Will they get good value for money and a great customer experience if they respond to an offer? How the third parties handle this will reflect on the reputation of the controller, so this is not an easy option for them to take to boost their brand. Partnering with the wrong third parties could have serious detrimental effects on them so they need to choose wisely. What is needed from the regulator is better guidance on how hosted emailing can be done compliantly to the benefit of both consumers and organisations.

Online advertising and new technologies

This section is good confirmation that if you process personal data for your marketing online, either on a website, social media platform or using apps, GDPR and the rules on direct marketing will apply. There is also guidance on the use of cookies for any of your marketing online, covering the requirement of Regulation 6 of PECR to gain consent for any cookies (unless one of the two exemptions apply) regardless of whether you are processing personal data. It would be useful if the draft made specific mention of the two stage process needed for online marketing; first consent to place the cookie in the first place and then a lawful basis for the direct marketing itself. An example here would also help organisations understand how to comply when undertaking online advertising.

The clarification about the relevance of the rules in PECR with regard to social media is welcomed. The use of personal data either supplied by the user, observed by the platform, or inferred/derived about the user for marketing purposes do not fall within the definition of “electronic mail” so PECR does not apply. However, the rules on direct marketing do apply.

The guidance on the social media “list-based” targeting tools, so Facebook Custom Audiences or LinkedIn Contact targeting is also welcome as this was an area not specifically covered before. Although not subject to PECR, they are covered by GDPR as personal data is involved, so you need to be clear, transparent and upfront about these activities. The view in the code that you can only do this under consent is understandable, but I believe there is scope to consider legitimate interests although a well thought through LIA will be essential, and guidance on this should be included.

The section on “lookalike audiences” on social media is welcome, specifically the point that as you have no direct relationship with these individuals, you are relying on the social media platforms to help you with your transparency obligations.   The reminder that if your customers/supporters have objected to the use of their personal data for direct marketing purposes, you cannot use their data to create a “lookalike” audience is useful.

The inclusion of advice and guidance on other technologies, such as OTT services, facial recognition/detection, in app advertising and location bases marketing is also beneficial.

Selling or sharing data

The section on “Can we offer data broking services?” provides confirmation that if you collect consent to pass personal data onto third parties for marketing, the third party can only use consent as their lawful basis for their direct marketing activities. This guidance will help organisations understand they cannot switch to legitimate interests, so they need to consider this when looking to purchase a marketing list.

Individual rights

There is good advice in this section on suppression files, especially the confirmation that you are not breaching GDPR or PECR by having one. This will help organisations explain to consumers requesting deletion of their data because they believe it will stop them from receiving marketing.

However the section on erasure is not as clear. It confirms that if Article 17 (1) applies you must comply with the request and erase the data “(unless you need a small amount for a suppression list)”. At the very least you would need to add their contact details to your in-house suppression list, so you would need to keep that contact data to do this. I would suggest this wording is amended to “(except for the data needed for your suppression list)”. The example following this on page 113 confirms this position so the text should be clear.