With the introduction of the General Data Protection Regulation (“GDPR”), many marketing teams have been left in a state of confusion as to what is and is not allowed with regard to direct marketing under data protection law. Historically, marketing teams often relied on consent to send direct marketing, but with the bar for valid consent now raised under the GDPR, it has become harder for organisations to rely on this ground to send direct marketing lawfully. This is especially the case as the standard of consent required under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”) – the legislation where direct marketing rules are primarily set out – is the GDPR standard of consent.
In an effort to provide some clarity on the issue, the Data Protection Act 2018 – the UK legislation that implements the GDPR – mandates that the Information Commissioner’s Office (“ICO”) publish an updated statutory code of practice on direct marketing (to be reviewed and signed off by the government) that provides guidance to operators on what constitutes lawful marketing activity. As a result, earlier this year the ICO published its draft Direct Marketing Code which is out for consultation until 4 March 2020.
Whilst we have not seen the final version of the code yet, it largely builds on the existing Direct Marketing Code, but with some important updates in light of the GDPR and, in particular, in relation to the use of new technologies and marketing techniques (e.g. on-demand and OTT content services, in-game advertising, social media marketing and profiling). Significantly, the code is, in many instances, sceptical of organisations relying on “legitimate interests” to send direct marketing, which further underlines how important it is to undertake legitimate interest “balancing tests” when relying on this ground to process personal data. This type of activity may prove crucial given that the code’s enforcement section states that the ICO may request copies and details of organisations’ procedures, practices and data protection impact assessments in the event of complaints or investigations. The code is also critical of “refer a friend” marketing practices, as organisations have no idea what the relevant individual has told their friend about the processing of their data, and it is not possible to verify that any consent has been obtained. To the extent that this type of marketing is e-marketing, the code states that it is likely that this activity will breach PECR.
Given the large amount of time and energy invested in marketing campaigns, and that fines for breaching direct marketing rules are the most common sanctions that we tend to see, we recommend that all organisations follow the development of the code to ensure that they do not waste valuable time and resources on marketing campaigns that may end up breaking the law and attracting a potential fine from the ICO.