This is part of a series of articles on the ICO's draft Direct Marketing Code of Practice. The consultation is open until 4th March 2020. Here we look at third party marketing and whether using email for this is still possible under GDPR.

Third party marketing: possible under GDPR?

The ICO have introduced a new element in terms of electronic marketing which has left some questions unanswered about what compliance looks like.

If you want to market your products and services, it seems to make sense to get other people to do it for you, whether formally or informally. However, this involves the use of personal data, so how do you do it lawfully?

The first version of the Direct Marketing Guidance, issued in 2016, had a specific section on Indirect (third party) consent. It discussed how third parties can market your products and services to people who are not already your customer.

The new Direct Marketing Code of Practice uses a different format, looking at the journey of a direct marketing campaign, and deals with third party marketing in its “Selling or sharing data” section.

The Code makes it clear that every party involved in processing personal data is responsible for its own compliance, and this applies specifically when personal data is processed for marketing purposes.

There are three main ways to carry out third party marketing:

  • Company A collects and sells a marketing list to company B for them to send marketing messages about their products/services
  • Company A sends out marketing to its own customer database promoting the products/services of named third parties
  • “Viral marketing” – either asking your customers to forward your marketing message to their friends/family, or asking them to provide the contact details of their friends/family so that you can send the marketing communications yourself

Let's deal with viral marketing first, as this is clear and I don't have an issue with the ICO's view of it.

Short answer: for electronic marketing this is not compliant. For email and SMS, the “sender” or “instigator” of a marketing message needs consent to send it. Whether you ask your customers to provide their family/friends' contact details so you can send marketing messages, or you ask them to forward your marketing emails/texts on, you are the sender or instigator. You need to be able to demonstrate that you provided the required information about the processing of those individuals' personal data (transparency) and that you obtained GDPR standard consent from them. As you have no direct contact with these individuals, there is no way you can show this.

“Traditional” third party marketing. This involves the sharing of personal data. One organisation obtains the individual's permission on behalf of named third parties, and the data is then shared with, or sold to, those organisations for direct marketing purposes. The organisation collecting and selling/sharing the data needs a lawful basis to do so. The third party needs its own lawful basis to carry out the direct marketing. Which lawful basis you can use depends on the channel, and therefore on whether PECR applies. For some channels you will need consent.

A reminder of when PECR applies, and whether it requires consent for the channel:

Communication channel                                   | PECR requires consent?
Live calls to TPS/CTPS registered numbers               | Yes
Live calls to your customers who have objected to marketing | Yes
Live calls to non TPS/CTPS numbers                      | No
Automated phone calls                                   | Yes
Emails/SMS to individuals collected using “soft opt-in” | No
Emails/SMS to individuals collected not using “soft opt-in” | Yes
Emails/SMS to corporate business contacts               | No

Where PECR says you need consent, consent is your only lawful basis. Where PECR does not require consent, you need to decide between consent and legitimate interests, choosing whichever is the most appropriate for your organisation and your approach to direct marketing.

What is important to remember is that whichever lawful basis was used to collect the marketing permission, the third party using that data has to rely on the same basis. So if the data was collected using consent, the brand/organisation using the data has to use consent. They cannot switch to legitimate interests, as this would undermine the validity of the initial collection of the personal data: the individuals would not have been given the correct information about how their data would be used and how to change their mind, so the initial data collection would not have been fair or transparent.

Whichever lawful basis you use, you need to consider your accountability responsibilities. The data has to be collected fairly and transparently, with clear and unambiguous information about how it will be processed. There should be no doubt as to what the individual is agreeing to.

Hosted marketing. This is where an organisation sends the marketing of named third parties to its own existing customers. This could be purely promoting the third party, or a dual-branded promotion of both parties. A classic example, used by the ICO in the draft Code, is a supermarket promoting the work of a charity to its customers, thereby also promoting the aims and ideals of the supermarket.

The lawful basis you can use for hosted marketing depends on the channel you are using and your intended audience. If PECR applies, you need to use consent. Where PECR does not apply, legitimate interests can be considered; both the sender and the third party will then need to carry out a legitimate interests assessment (LIA).

Where PECR applies, it was always understood under the Direct Marketing Guidance that hosted emailing was preferable to standard third party marketing, as no personal data is shared between the organisations. However, the ICO has introduced an interpretation in the draft Code which indicates they have changed their view on hosted emailing. PECR applies to the “sender” or “instigator” of the communication. “Instigator” is not defined in PECR, but it is the ICO's view that “if you encourage, incite, or ask someone to send your direct marketing message” you are likely to be an instigator. This means that both the organisation sending the hosted email/SMS and the third parties featured in it need GDPR standard consent from the intended recipients.

What the draft Code does not go on to confirm is how the third parties can obtain that consent. Does the current practice, whereby the organisation wanting to send the hosted communication gains consent from its customers to send them direct marketing offers from named third parties, count as valid consent for those third parties? In other words, is indirect consent to direct marketing from named third parties GDPR compliant? In my view, this has to be the case, as requiring the third parties to gain consent directly from the individuals would be impossible and would mean the end of electronic third party marketing, hosted or not.

I believe that if the ICO is going to add to their interpretation of how the GDPR or PECR apply to direct marketing, they need to fully explain how this works in practice. I can understand that, on an in-depth analysis of PECR, a third party in a hosted communication is an instigator. The host organisation is not doing this out of the goodness of their heart! However, the ICO need to provide guidance, and examples, of what compliance looks like so that organisations can see how this will affect their practices.

They should make it clear that a hosted communication is the recommended way to undertake third party marketing, as it is more privacy friendly. The individual consents to receive an introduction to the brand and its products via a company they already know and trust. The individual is then able to make an informed decision as to whether to engage with the third party brand once they have seen the product/service being offered, and can actively provide their personal data directly to that brand, which is preferable.

I will be asking the ICO in my consultation response to make it clear that the current practice for gaining consent under GDPR for hosted email third party marketing is valid.