The direct marketing industry is getting its first code of practice – a legal rulebook from the Information Commissioner’s Office that brings statutory status to the sector.
That is a big change in itself. Prior to this, while industry bodies such as the Data and Marketing Association have issued guidance, the industry has not had a legal framework.
There are not more requirements in the code that are already present in laws such as the General Data Protection Regulation (GDPR). But the ICO highlights that “adherence to this code will be a key measure of [companies’] compliance with data protection laws”.
If brands and marketers don’t follow the code then they will find it hard to show they are complying with GDPR.
The current version of the code is just a draft that is under consultation until 4 March. Any business or person can respond, as well as industry organisations.
What is in the direct marketing code?
The code aims to consolidate all the ICO’s previous guidance around GDPR, the Privacy and Electronics Regulation (PECR) and cookies. It focuses solely on direct marketing, which the regulator defines as anything that is directed to particular individuals.
That includes the obvious such as addressed mailings, emails and SMS, as well as some of the not-so-obvious including advertising in mobile apps and games, and location-base marketing.
“People have typically thought of direct marketing as direct mail and telephones,” explains DMA director of policy and compliance, John Mitchison. “This guide makes it clear that direct marketing is anything that is directed to an individual whether based on their phone number, location or IP address, both online and offline.”
However, rather than addressing media channels separately, the code takes a “lifecycle” approach. This means it tackles each step in creating a direct marketing campaign in order, starting with planning, then generating and collecting data, then profiling and finally sending the message.
For marketers working in B2B and charities, there are separate sections as data regulation is applied slightly differently to these sectors. Charities, for example, cannot take advantage of soft op-in, while in B2B the code makes it clear that personal data used for business is still personal data.
The code also draws attention to areas that, while not unknown, some brands may have been ignoring. For example, it recommends getting consent rather than using legitimate interest because that will increase trust and control.
That does not mean legitimate interest is not valid in some cases, but it warns against using it as the default reason for sending marketing communications.
The ICO could have rewritten the rules for marketing, but it hasn’t. This just brings all the guidance into one place.
John Mitchison, DMA
The code also lays out that companies that collect data from sources other than the data subject – such as from Companies House or the Edited Electoral Roll – will have to provide privacy information to that person within a month. Mitchison believes this could have a “major impact”.
Other areas likely to come as a surprise to some marketers are hosted email campaigns, which are deemed to breach PECR because the advertiser is the instigator of the email and therefore requires consent.
Data appending is ruled out because it is deemed unfair processing, while ‘Refer a Friend’ promotional campaigns are also deemed in breach because the friend being referred cannot have consented.
Reaction from the direct marketing industry
While there are still areas that require work or clarification, the direct marketing industry has broadly welcomed the code.
“There are no massive surprises,” says Mitchison. “The ICO could have rewritten the rules for marketing, but it hasn’t. This just brings all the guidance into one place.”
It is also clear the ICO has learned from industry engagement, including a range of real-life examples and answers to commonly asked questions in an attempt to clarify grey areas and common mistakes.
The Institute of Fundraisers (IoF) also welcomes the guide, suggesting it will prove useful to its members.
“It confirms some of the stuff we knew, as well as informing that there are some areas that are not completely clear cut,” says the IoF’s head of policy and external affairs, Daniel Fluskey.
Some of those grey areas may be ironed out in the consultation. But areas where the rules are unclear will remain. For example, whether a ‘service message’ counts as direct marketing will likely come down to individual campaigns and their phrasing, tone and context.
This was an area of concern raised by many brands, particularly as they struggle to marry data regulations with guidance from their own industry regulators (in areas such as insurance and telecoms, for example).
There are also outstanding issues in areas such as cookies and digital advertising that the code does not solve, although the ICO has issued some separate thoughts on these areas.
Nevertheless, the DMA believes its members, and any other companies sending out direct marketing, should be able to comply.
“We are still reviewing the code and comments from our members before we make a full response [to the ICO]. But we see nothing too frightening and no reasons why our members would not be able to comply with it,” concludes Mitchison.