On January 8, 2020 the ICO published its draft Direct Marketing Code of Practice for public consultation, which is open until 4 March 2020. We are summarized the status of the draft code, the key areas which are new compared to the ICO’s current direct marketing guidance, and the next steps.
What is the draft code and its status?
- The Information Commissioner is required to publish a statutory direct marketing code under the Data Protection Act 2018, and has published a draft of this code for consultation.
- Once finalized, the Information Commissioner must take the code into account when deciding whether organisations carrying out direct marketing have complied with their obligations under the GDPR and PECR. Compliance with the code will also be taken into account in enforcement action by the ICO.
- The draft code, which runs to over 120 pages, is intended to contain practical guidance on carrying out direct marketing, but is not meant to impose additional legal obligations which go beyond the General Data Protection Regulation (“GDPR”) or the Privacy and Electronic Communications (EC Directive) Regulations (“PECR”).
- The draft code is very broad in in its scope, and will be of interest to all organisations engaging in direct marketing activities.
What is new in the draft code?
- Much of the draft code restates and reflects the ICO’s approach in its current direct marketing guidance.
- However, the draft code takes a much broader approach than the current direct marketing guidance, which primarily focuses on PECR compliance.
- In particular, the draft code also covers compliance with the GDPR in a direct marketing context and discusses broader data protection issues in some depth, including guidance on data protection by design, data protection impact assessments (DPIAs), accountability, profiling and data subject rights.
- In addition, the draft code also provides guidance on new areas such as online advertising and new technologies, including social media, subscription TV, on-demand and “over the top” services, facial recognition and detection, in-game advertising, mobile apps, ad IDs, location based advertising and connected devices.
- We have produced a more detailed summary of the key points, which you can read here .
- The consultation is open until 4 March 2020. Following the consultation, the code will be finalised and laid before Parliament and Parliament then has 40 days to decide not to approve the code. If there is no objection, then the ICO must issue the code and it will come into force 21 days after it is issued.
- It will be important for organisations to follow the development of the code, and at this stage to understand their current direct marketing practices and processes to ensure these comply with the GDPR and PECR. Taking such measures in advance will assist in preparing for when the code is finalised and enters into force.
Much of the guidance in the draft code reflects similar messages and themes from the ICO contained in current direct marketing guidance as well as its updated Cookies Guidance, and also in its report on Adtech and Real Time Bidding and subsequent blog posts on that topic, with a particular focus now on online advertising, social media, lead generation and enriching data for direct marketing purposes. You can read our summary of the ICO Cookies Guidance here, and our summary of the ICO’s statements regarding Adtech here and here.