The Information Commissioner’s Office (ICO), the UK’s data protection authority, has launched a public consultation on its draft code of practice on direct marketing, which gives businesses practical guidance on how to comply with data protection and e-privacy rules.
It builds on previous ICO guidance, but includes important updates about marketing via new technologies and social media.
Here are our top takeaways.
Marketing via social media platforms
If you’re advertising via ‘custom audiences’, it’s likely you’ll need user consent. This is where a business shares personal data it already has (eg a list of email addresses) with a social network platform.
The platform then matches this data with its own user base. Any user that matches the uploaded list is then added into a group that the business then targets for marketing on the platform itself.
As an extension of this, businesses can use their custom audience to advertise to other social network users that share similar traits to their custom audience – a ‘lookalike audience’.
If you’re using lookalike advertising, you’re classified as a joint controller with the social media network. This means you need to ensure that the social media platform has given the right information to users to comply with data protection law.
In-app messages and direct messaging on social media
The draft code classes in-app messages, push notifications and direct messages sent via social media as ‘electronically stored messages’.
This means those messages will be treated like email and text messages under privacy law, requiring users’ consent unless an exemption applies.
Duration of consent
The draft code emphasises that consent to marketing does not last forever.
How long it lasts depends on the circumstances, including:
- the context in which it was given;
- the nature of the individual’s relationship with the business; and
- the individual’s expectations.
Consent for a one-off message, or consent that is clearly only intended to cover a short period of time or a particular context, does not count as ongoing consent for all future direct marketing.
When sending direct marketing to new customers on the basis of consent collected by a third party, businesses should not rely on consent that was given more than six months ago.
Renewals and end of contract notices
If you send customers renewal or end-of-contract notices, these might be classed as direct marketing communications.
To avoid this, the notices should be neutrally worded and not actively encourage the customer to renew.
The draft code is open for public consultation until 4 March 2020 and the final version is expected later this year.