Although the public consultation period on the draft direct marketing code of practice issued by the UK Information Commissioner’s Office (ICO) closed on March 4, 2020, organizations engaged in direct marketing may want to pay attention to the guidance now. Coming in at 124 pages, the draft ICO code of practice provides practical guidance on direct marketing and ensures compliance with the European Union’s General Data Protection Regulation (GDPR) as well as the Privacy and Electronic Communications Regulation 2003 (PECR).
What Does the ICO Code of Practice Do?
Issued in January 2020, the draft ICO code of practice on direct marketing updates existing guidance that was developed before the GDPR went into effect.
Section 122 of the UK Data Protection Act of 2018 directs the information commissioner to develop a code of practice that helps the regulated community engage in direct marketing efforts. These efforts must meet the requirements of data protection legislation and also the PECR, which addresses privacy rules in electronic marketing communications and cookies.
There can be some overlap between data protection and e-privacy. The ICO code of practice on direct marketing, however, does not go beyond the bounds of the GDPR and the PECR, or add any additional legal obligations. The UK information commissioner notes that failure to comply with the code’s guidance will make it difficult for organizations to demonstrate compliance with these laws.
Who Is Subject to the ICO Code of Practice?
The UK’s guidance applies to organizations that process personal data for direct marketing purposes. Although neither the GDPR nor the PECR defines “direct marketing purposes,” the focus is on the purpose of the processing, according to the UK information commissioner. It’s a bit of a broad approach: If the “ultimate aim” is to “send direct marketing communications,” then all processing activities “which lead up to, enable or support sending those communications is processing for direct marketing purposes, not just the communication itself,” as written in the ICO code of practice.
For example, a hotel that wants to email previous guests to ask if they consent to receive special offers is sending that communication for direct marketing purposes, pursuant to the draft ICO code of practice, even though the email itself does not contain a special offer.
Notable Takeaways From the Draft ICO Code of Practice
The draft guidance states that in-app messages and direct messaging on social media are considered to be “electronic mail” covered under the direct marketing requirements of the PECR. Therefore, an organization needs the individual subscriber’s consent before sending direct marketing communications through these channels.
Those subject to the draft ICO code of practice should note that refer-a-friend programs in which a retailer offers 10% off an order for customers to participate are likely violations of the PECR. In a refer-a-friend scheme, a person provides their own name and email address, and the retailer generates a marketing email for that person to send to friends and family. In this scenario, a retailer “is instigating the direct marketing,” meaning the retailer has a “responsibility for complying with the PECR rules,” the code explains. Because the retailer does not have the consent of the customer’s friends and family, “these emails breach PECR.”
The UK Information Commissioner’s Office will review the feedback received during public consultation — which is akin to notice and comment periods in the United States — before issuing final guidance on direct marketing.