This is part of a series of articles on the ICO’s draft Direct Marketing Code of Practice. The consultation is open until the 4th March 2020. We look at the lawful basis you can use, keeping data accurate and whether you can use children’s data for marketing.

Lawful basis, accurate and up to date, and children’s data

Lawful basis

Consent and legitimate interests are the only two lawful bases that can be used for marketing. I would argue that both give choice and control to individuals if done correctly. The important thing to remember is the interaction with PECR. If you need consent for your marketing under PECR, there is no point trying to argue you can use legitimate interests.

However what is important is that PECR does not always require consent. For live phone calls to non TPS/CTPS numbers, email and sms marketing carried out using the soft opt-in and email and sms marketing to corporate customers, you can use legitimate interests. So it is a question of who your audience is and your organisation’s attitude to privacy.

The best practice recommendation here is terrible. Both lawful bases are equally valid, and both have their advantages and disadvantages, so to dismiss one arbitrarily seems ludicrous. As stated, neither is easy but both have their place in responsible marketing.

The short summaries for consent and legitimate interest are good but a link to the ICO’s further detailed guidance on these would be useful.

Accurate and up to date

This confirms you should not go out and “update” the personal data you have if your customer/supporter does not tell you themselves that something has changed. So if you become aware that an individual has moved, you should only record this on your database. If the individual does not tell you their new address, you should not take steps to find out this information yourself. Please see later article on data profiling and enrichment.

Children’s data

GDPR applies to all living individuals no matter their age, so it applies when processing the personal data of children. However the GDPR does goes a little further. It states children should have specific protection, in particular when personal data is processed for marketing purposes. This means extra care needs to be taken to explain the processing in language that children would understand.

You can profile children, but you need to take extra precautions. The European Data Protection Board (EDPB) has stated that in general you should not profile children for marketing purposes. If you want to carry out profiling involving children, you need to carry out a DPIA as there are high risks in this activity.