Written by Christoan Smit
6 Feb, 2020
Written by Christoan Smit, Data Protection Office.
Historically, the ICO has only written fines for two things: Actual data leaks and non-compliant marketing, with the latter attracting fines in the tens or even hundreds of thousands, even for small companies.
The ICO has recently released its new draft guidance on marketing. So, firstly, this is still a draft, which means things could change, but I wouldn’t expect any major changes – mostly just some additional explanations or addenda. Secondly, we’ve all been invited to comment on the new draft – which is why things could change.
Below is my condensed version of what’s changed, and what’s important. Please bear in mind that I’m coming from an angle of assuming you already now at least something about GDPR-complaint marketing, so I’m skipping many of the basics. I tried to keep it brief – the GDPR itself is only 99 pages long, whereas the ICO’s marketing guidance is already standing at 124 pages, which I’ve tried to cram into less than 3, so obviously there are a few omissions…
Direct marketing is defined as “the promotion of aims and ideals as well as advertising goods or services”. It further states that “any method of communication which is directed to particular individuals could constitute direct marketing.
Direct marketing purposes include all processing activities that “lead up to, enable or support the sending of direct marketing” and is technology-neutral, extending to online marketing, social networking or any other emerging channels of communication or approach, as well as any background processing. Behavioural advertising (personalising adverts on the basis of things like an individual’s browsing history, purchase history or login information) constitutes direct marketing. However, indiscriminate blanket marketing does not fall within the definition of direct marketing
The right to object to direct marketing is absolute. This means if someone objects you must stop processing for direct marketing purposes and add their details to your suppression list. You should provide mechanisms for individuals to easily object to your direct marketing at the time you collect their details, rather than relying on them exercising their right to opt-out at a later stage.
The two lawful bases most likely to be applicable to your direct marketing purposes are consent and legitimate interests; the latter requires a Legitimate Interest Assessment (LIA). You must decide and document your lawful basis before you start.
Legitimate Interest may be used if:
Consent & Soft Opt-in
Consent lasts as long as the circumstances remain the same. Consent is non-transferable – it is specific to receipt of calls or texts to a particular telephone number, or messages to a particular email address. it those details change, Consent automatically falls away. Consent also needs to be specific to the type of electronic mail, e.g. specific consent for emails or specific consent for text messages
Consent obtained via 3rd party lists should not be older than 6 months.
‘Explicit consent’ is required for all direct marketing involving special categories of data. In addition to standard GDPR consent, it:
Must be confirmed in a clear statement (whether oral or written), rather than by any other type of affirmative action;
In general, under PECR, direct marketing by electronic mail requires that you have the individual subscriber’s consent. However, there is an exception to this known as the ‘soft opt-in’. Electronic mail is any text, voice, sound or image sent electronically.
Soft opt-in applies only if:
It must be simple to opt out. When first collecting a customer’s details, this should be part of the same process. In subsequent messages the individual should be able to reply directly to the message, or click a clear ‘unsubscribe’ link.
Remember that not all types of businesses are classed as corporate subscribers under PECR. Sole traders and some types of partnerships constitute individual subscribers which means they have greater protections under PECR.
PECR applies to all electronic forms of direct marketing to individuals, as well as to corporations, with the exception of emails & texts sent to corporate subscribers. Sole Traders and certain partnerships are classed as individuals though, so PECR applies no matter what.
You can’t switch out consent for Legitimate Interest once consent has been withdrawn.
Direct Marketing vs. Service Messages vs. Market Research
Often it is very obvious that a message contains advertising or marketing material but sometimes it is not as clear cut. In these circumstances the tone, content and the context of the message is likely to be important. The question is whether the communication is:
promotional in nature – does it advertise goods or services or otherwise promote the organisation itself or its interests?
more neutral and informative in nature – does it seek simply to provide information the individual needs in the context of the existing relationship?
Market research will not constitute direct marketing, but you still need to comply with other provisions of the GDPR, and ‘sugging’ is not allowed/automatically classes the ‘research’ as direct marketing. (‘Sugging’ is the practice of Selling Under Guise of doing market research)
You may not use your goods/services as incentive to participate in market research or promote your products during the market research.
Service Messages are not classed as direct marketing, but care must be taken over the content and tone – if the message has a neutral tone and simply informs the individual for example of a benefit on their account then these are more likely to be viewed as a service message, e.g. reminding them how to contact you in case of a problem, checking that their details are correct, appointment reminders, or updating them on your terms and conditions.
If there is a call to action attached to the service message, it becomes direct marketing
Conduct a DPIA
You should not coerce or unduly incentivise people to consent to Direct Marketing, and you must be careful not to cross the line and unfairly penalise those who refuse consent to your direct marketing, or if you make consent for marketing a condition of accessing a service or benefit.
You need to accurately record:
You should keep a suppression list rather than simply deleting people’s details when they opt out, otherwise you might accidentally market to people who have already opted out.
Suppression involves retaining just enough information about people to ensure that in future you respect their preference. Adding people who’ve objected to receiving direct marketing to your suppression list, means that you can screen any new direct marketing lists against it, thus ensuring that you do not send direct marketing to anyone who has asked you not to. The lawful basis for suppression lists is Article 6(1)c “necessary for compliance with a legal obligation” as well as Article 17(3)b because the processing of the suppression list is to ensure that their wishes and rights are complied with is necessary for compliance with a legal obligation (respecting their right to object).
Data cleansing that removes deceased records from your database and removing out-of-date contact details helps you comply with the accuracy and data minimisation principles.
It is highly likely that ‘tracing’ (i.e. tracking down someone who has moved) will be unfair and unlawful in a direct marketing context.
Purchased & Public Lists
Publicly available data (e.g. electoral register, Companies House, social media, press articles etc.) are not fair game – GDPR and PECR still apply.
Simply accepting a third party’s assurances that the data they are supplying is GDPR-compliant is not enough. Be very careful about using these lists and undertake your own proportionate due diligence. Screen the lists that you obtain against your own suppression lists.
In most instances, buying additional contact details for your existing customers or supporters is likely to be unfair. If an individual has consented via a third party for you to have their additional contact details to use for direct marketing then you are able to match this to what you already hold about them. However you need to make sure that the consent is valid.
You may sell or share data for direct marketing purposes, but only if you are the Controller or have the Controller’s permission, and you must make it clear to the data subjects that you want to sell to/share with third parties for direct marketing purposes, and you must either have specific consent for that, or proper Legitimate Interest. For LI, ask:
You may use the services of a third party to send your direct marketing on your behalf, but you are still responsible for compliance. PECR applies to the ‘sender’, ‘caller’, or ‘instigator’ of the direct marketing message. PECR applies to both companies, and both companies require consent from the individual
Direct marketing rules also apply to asking individuals to send your direct marketing to their family and friends via viral marketing or ‘tell a friend’ campaigns. Because you most likely do not have the friend’s consent, that would be a breach of PECR. If people tell their friends out of their own volition, however, there is no obligation for you to comply with PECR because that individual is the instigator.
Practically speaking then, you can’t really ask existing customers to give you contact details of their friends and family because proving consent would be very difficult, and soft opt-in doesn’t apply.
If consent is valid, it overrides the need to perform TPS/CTPS checks or screen against suppression lists, as long as there’s sufficient proof of consent.
In short you can call numbers that are not registered on the TPS or CTPS without the subscriber’s consent, as long as there was no previous objection. If someone you have called in the past subsequently registers their number with TPS or CPTS, you cannot make any more direct marketing calls to them from that point. Even if they have not specifically objected to your calls before, registering with TPS acts as a general objection which you must respect.
You cannot make a direct marketing call to a number that you originally collected for an entirely different purpose
Automated calls require specific consent; general consent for direct marketing is not enough. No need to check TPS/CTPS though because consent trumps that.
For any direct marketing phone calls, you must:
Similar rules apply to B2B direct marketing faxes as B2B direct marketing phone calls
GDPR only applies to business cards if you intend to file them or input the details into a computer system.
Adtech and other Emerging Technologies
You should conduct a DPIA for any new technologies/ methods of marketing
Targeting & Audiences
If your online advertising does not involve the processing of personal data (not based on any interests, behaviours or other information about Individuals) – then the GDPR will not apply, e.g. non-targeted or contextual (i.e. targeted to the content of the page rather than user info) advertising. PECR may still apply where e.g. cookies, tracking pixels or other adtech are used or data such as IP addresses are stored
Online ads that use targeting still requires GDPR compliance and most likely consent because PECR requires you to obtain consent when using cookies or similar technologies.
Targeted advertising on social media does not fall within the definition of electronic mail in PECR, but direct messaging does.
‘Audiences’ and other list-based targeting e.g. Facebook Custom Audiences or LinkedIn Contact Targeting would most likely require consent, unless the 3-part Legitimate Interest test can prove otherwise. You must clearly inform individuals that you will use their email addresses to match them on social media for the purpose of showing them direct marketing.
With ‘Lookalike’ audiences you need to be satisfied that the social media platform has taken all necessary steps to provide the appropriate transparency information to individuals, and inform individuals who have provided information to you that you intend to process their data to create these other audiences and ensure that you have a valid lawful basis.
The data protection issues for Direct marketing on subscription TV, on-demand and ‘over the top’ (OTT) services are the same as using social media to target marketing, so you need to be transparent, fair and lawful.
Facial Detection & Recognition
Facial recognition seeks to identify or verify a specific individual, whilst facial detection seeks to distinguish between different categories of individuals, and both involve processing biometric data, which is Special Categories day, which means it will be highly unlikely that you will be able to use facial recognition technology to display direct marketing to specific individuals.
Facial detection is not necessarily seeking to identify an individual but rather is segmenting the audience into categories and therefore does not automatically trigger Article 9. However, care should be taken with function creep, as facial detection could easily become facial recognition depending on the way the system works, e.g. tracking an individual throughout the shopping centre or storing their data, rather than simply comparing the facial data to a ‘mask’ or template.
In-app and In-game Adverts
Not all in-game or in-app advertising is covered by the direct marketing rules e.g. where all users see the same advert and that advert is not based on any characteristics of the users. However, any targeted in-app advertising falls under GDPR, as well as sharing user details with third parties, and therefore the same rules would apply as for any other targeted digital ads, and PECR would apply where storing information (e.g. cookies) or accessing information (e.g. location) on user devices takes place. Consent must be separate and not bundled in with your app terms and conditions.
Geo-targeting using GPS/ Wi-Fi from the user’s device requires consent.
Where personal data is processed by any connected devices or IoT, the GDPR applies, and Regulation 6 of PECR generally applies to connected devices as in most cases they meet the definition of ‘terminal equipment’.
You also need to do your own DPIA where required