As required by the Data Protection Act 2018, this new code will supersede the ICO’s existing Direct Marketing Guidance. The aim is to provide practical guidance and promote good practice in respect of processing for direct marketing purposes in compliance with data protection and e-privacy rules.
The ICO states that it intends the new code to apply to all processing activities that lead up to, enable or support the sending of direct marketing by an organisation or a third party. Examples the ICO has selected include:
- Collecting personal data to build a profile of an individual with the intention to target advertising at them;
- List brokering;
- Data enrichment; and
- Audience segmenting.
Whilst the publication date of the new code is unknown, here are a few of the key takeaways from the current draft:
- Sending direct marketing messages.
No matter which method is used for sending direct marketing messages, the GDPR will apply when personal data is processed.
- Social media platforms.
When using a social media presence to target direct marketing at individuals or using the platform’s advertising services and technologies, there will be a need to be clear about what data is being used and why.
The use of location-based marketing techniques must be transparent. People should also be told about the tracking. This is likely to be of significance for AdTech.
- Viral marketing (“tell a friend campaigns”).
Viral marketing is likely to breach the Privacy and Electronic Communications Regulations 2003 (PECR) as it is almost impossible to obtain consent, particularly as the instigating organisation has no direct contact with the ultimate recipients, will not know what the referring individual has told their friends about the processing and will not be able to verify whether the friend provided GDPR standard consent.
- Publicly available information.
Someone posting their details on social media or other public forums does not, by soing so, agree to his/her content being used for direct marketing purposes. (This means that if an organisation collects publicly available personal data, it must still comply with the GDPR and PECR).
Why is this important?
Once adopted, the ICO says it will monitor compliance with the new code through proactive audits.