This is part of a series of articles on the ICO’s draft Direct Marketing Code of Practice. The consultation is open until the 4th March 2020. Here we look at acquiring personal data for marketing purposes.

How can we acquire personal data for marketing purposes?

Lead generation

The draft code confirms the information you need to tell people when you collect their data. This applies whether you collect the data directly or from a third party source. If you acquire the data from another source, you have to “name the third party” who provided their data. However it is not clear how you need to do this in practice.

The draft refers to “privacy information” but what are they referring to here? Is it satisfactory to do this in your privacy policy and bring this to the individual’s attention? Or do you need to do this on the first communication to them? If in the message, do you name the specific supplier of the data or should you list all third party suppliers? You are unlikely to be able to rely on the disproportionate effort exemption to avoid the information requirements.

You need to tailor your explanation of the processing to your audience and be clear for children and other vulnerable individuals. The example of wealth screening and what is considered unacceptable is clear, but an example of what would be compliant (if possible) would be of more value.

Publicly available information

The draft code confirms that GDPR and PECR apply to personal data that is freely available. So it covers data that is on a website or can be obtained from registers, like the open version of the  electoral roll which is available to anyone. But that doesn’t mean that you can use it for any purpose.

The transparency provisions in the GDPR apply. If you obtain data from these sources you need to tell individuals you have their data and what you want to do with it. You need to do this within a month of acquiring the data or before disclosing it to third parties. If you intend to send marketing within the month, this information should be included on the marketing piece.

Direct Marketing lists

The draft code confirms if you are buying or renting a marketing list due diligence is your responsibility. Has it been collected fairly and transparency and can you use it for your intended purpose? However, what about the responsibility of the seller to ensure the buyer complies with the GDPR in their activities. Surely the responsibility does not stop once the sale/rental has gone through? The seller cannot sell to anyone and not be responsible for potential consequences.