On January 8, 2020 the ICO published its draft Direct Marketing Code of Practice for public consultation, which is open until 4 March 2020. We are summarized the status of the draft code, the key areas which are new compared to the ICO’s current direct marketing guidance, and the next steps.

What is the draft code and its status?

  • The Information Commissioner is required to publish a statutory direct marketing code under the Data Protection Act 2018, and has published a draft of this code for consultation.
  • Once finalized, the Information Commissioner must take the code into account when deciding whether organisations carrying out direct marketing have complied with their obligations under the GDPR and PECR. Compliance with the code will also be taken into account in enforcement action by the ICO.
  • The draft code, which runs to over 120 pages, is intended to contain practical guidance on carrying out direct marketing, but is not meant to impose additional legal obligations which go beyond the General Data Protection Regulation (“GDPR”) or the Privacy and Electronic Communications (EC Directive) Regulations (“PECR”).
  • The draft code is very broad in in its scope, and will be of interest to all organisations engaging in direct marketing activities.

What is new in the draft code?

  • Much of the draft code restates and reflects the ICO’s approach in its current direct marketing guidance.
  • However, the draft code takes a much broader approach than the current direct marketing guidance, which primarily focuses on PECR compliance.
  • In particular, the draft code also covers compliance with the GDPR in a direct marketing context and discusses broader data protection issues in some depth, including guidance on data protection by design, data protection impact assessments (DPIAs), accountability, profiling and data subject rights.  
  • In addition, the draft code also provides guidance on new areas such as online advertising and new technologies, including social media, subscription TV, on-demand and “over the top” services, facial recognition and detection, in-game advertising, mobile apps, ad IDs, location based advertising and connected devices.  
  • We have produced a more detailed summary of the key points, which you can read here .

What next?

  • The consultation is open until 4 March 2020. Following the consultation, the code will be finalised and laid before Parliament and Parliament then has 40 days to decide not to approve the code. If there is no objection, then the ICO must issue the code and it will come into force 21 days after it is issued.
  • It will be important for organisations to follow the development of the code, and at this stage to understand their current direct marketing practices and processes to ensure these comply with the GDPR and PECR. Taking such measures in advance will assist in preparing for when the code is finalised and enters into force.

Much of the guidance in the draft code reflects similar messages and themes from the ICO contained in current direct marketing guidance as well as its updated Cookies Guidance, and also in its report on Adtech and Real Time Bidding and subsequent blog posts on that topic, with a particular focus now on online advertising, social media, lead generation and enriching data for direct marketing purposes. You can read our summary of the ICO Cookies Guidance here, and our summary of the ICO’s statements regarding Adtech here and here.


Ben advises clients in a wide range of industry sectors, focusing in particular on data protection compliance, including healthcare, financial services, adtech, video games, consumer and business-to-business organisations. Ben regularly assists clients with global data protection compliance projects and assessments as well as specific data protection challenges such as international transfers and data security breaches. Ben is also regularly involved in drafting and negotiating data protection clauses in agreements for various clients in a wide range of industry sectors. Ben also regularly advises clients on electronic direct marketing and cookies.


Joanna advises on a wide range of technology and commercial agreements and matters. Her practice focuses on regulatory issues, especially data protection, consumer law, and advertising and marketing, and she regularly advises clients on these areas in particular.