United Kingdom: Information Commissioner’s Office (ICO) issues statement on SolarWinds Orion compromise

On 8 January 2020 the ICO published its draft Direct Marketing Code of Practice for public consultation, which is open until 4 March 2020.

What is the draft code and its status?

• • It is a draft of the statutory direct marketing code of practice which the Information Commissioner is required to publish under the Data Protection Act 2018.

• • The code, which runs to over 120 pages, is intended to contain practical guidance on carrying out direct marketing, but is not meant to impose additional legal obligations which go beyond the General Data Protection Regulation (GDPR) or the Privacy and Electronic Communications (EC Directive) Regulations (PECR).

• • Once finalised, the Information Commissioner must take the code into account when deciding whether organisations carrying out direct marketing have complied with their obligations under the GDPR and PECR.

• • If organisations do not comply with the code, it may be difficult to demonstrate that processing of personal data for direct marketing purposes complies with the GDPR and PECR. Compliance with the code will also be taken into account in enforcement action by the ICO.

• The code also contains optional “good practice” recommendations, although these do not have the status of legal requirements.

What is new in the draft code?

• • Much of the draft code restates and reflects the ICO’s approach in its current direct marketing guidance.

• • However, the draft code takes a much broader approach than the current direct marketing guidance, which primarily focuses on PECR compliance.

• • In particular, the draft code also covers compliance with the GDPR in a direct marketing context and discusses broader data protection issues in some depth, including guidance on data protection by design, data protection impact assessments (DPIAs), accountability, profiling and data subject rights. The code also provides guidance on new areas such as online advertising and new technologies, including social media, subscription TV, on-demand and “over the top” services, facial recognition and detection, in-game advertising, mobile apps, ad IDs, location based advertising and connected devices.

• The key points to note are summarised below.

Direct Marketing Purposes

• • The draft code applies to all processing of personal data for “direct marketing purposes”. This concept is not defined in GDPR or PECR, but the ICO takes a wide interpretation of it in the draft code. In particular, the draft code states that the concept of direct marketing purposes is wider than just sending direct marketing communications and includes not only sending the communications themselves but also all processing activities that lead up to, enable or support sending those communications. For example, collecting personal data to build a profile of an individual with the intention of using this to target advertising to them will be processing for direct marketing purposes. Activities such as lead generation, list brokering, data enrichment, data cleansing, matching or screening, audience segmenting or other profiling and contacting individuals to ask them for consent to direct marketing will also constitute processing for direct marketing purposes.

• It follows that if an individual objects to the processing of their personal data for direct marketing purposes this is not limited to just to sending direct marketing messages, but can extend to all processing related to those communications.

Legal basis for processing

• • As expected, the draft code states that generally consent or legitimate interest are likely to be the most appropriate legal bases for processing personal data for direct marketing purposes, and that if PECR requires consent then consent would also be the lawful basis under the GDPR for processing the personal data (consistent with the position taken by the ICO in its updated cookies guidance issued in July last year).

• • If consent is not required (either under PECR or for other reasons, for example because the marketing activities involve processing special category data – see further discussion on this below), then legitimate interest may be appropriate. However, the draft code stresses that legitimate interest should not be viewed as the “easy option”, and notes in particular that controllers will need to give careful consideration to the three part test (purpose, necessity and balancing tests) if relying on legitimate interest.

• • The draft code reiterates the ICO’s previous position that organisations should not swap from consent to another legal basis for processing personal data if the individual withdraws their consent. The ICO’s position is that it is unfair to give people the illusion that they have a choice, but continue to process their personal data after they have withdrawn their consent.

• The code also confirms that the legal basis of necessity for performance of a contract is unlikely to work in most cases. In particular, the ICO considers that this lawful basis does not apply where processing for direct marketing purposes is necessary to maintain your business model or is included in terms and conditions beyond what is necessary to deliver the contractual service.

Consent and benefits?

• The draft code helpfully clarifies that although there is usually some benefit to providing consent to receive direct marketing (e.g. discounts or special offers), such consent can still be valid. However, organisations need to be careful not to unfairly penalise individuals that refuse to provide consent for direct marketing.

Loyalty Schemes

• • The draft code acknowledges that if someone signs up to a service for the sole purpose of receiving marketing, for example some loyalty or offer schemes, such messages are “solicited”. Therefore, the consent requirements under PECR do not apply to such messages.

• In relation to the legal basis for processing personal data under the GDPR, the ICO acknowledges that there may be situations where making direct marketing a condition of a service is necessary for that service (e.g. retail loyalty schemes operated solely for the purpose of sending marketing offers). However, if a loyalty scheme allows individuals to collect points when they purchase products or services which can be redeemed on future purchases, consent cannot be required for marketing messages in order to collect those loyalty points.

Profiling and Automated Individual Decision Making

• • The draft code clarifies that, while direct marketing activities will often involve profiling, the stricter GDPR rules applicable to solely automated processing (under Article 22) are unlikely to apply to most direct marketing, because it is unlikely to have a legal or similarly significant effect. Therefore, for most direct marketing activities involving profiling, the key concern will be to ensure the processing is fair, lawful and transparent, as well as ensuring the personal data held as part of the profile is accurate and not excessive for your purpose.

• That said, the code also notes that certain profiling activities for direct marketing purposes could be considered to have a legal or similarly significant effect and fall under Article 22 of the GDPR. In particular, this is likely to be the case for profiling to target vulnerable groups, targeting individuals known to be in financial difficulty with marketing for high interest loans, marketing regarding betting websites to known problem gamblers, or profiling which “prices out” individuals from owning a particular product by providing a much higher price to certain individuals. For these types of activities, it is likely that the individual’s explicit consent will be needed to profile for direct marketing purposes.

Viral marketing / “tell a friend”

• The draft code states that viral marketing (asking individuals to send your direct marketing messages to their friends and family) by email is likely to breach PECR as it is impossible to collect valid consent. This goes further than the ICO’s current direct marketing guidance, which advises against this type of viral marketing and states it would be difficult to be sure valid consent has been obtained.

In-app messages and direct messages on social media

• • The draft code confirms that in addition to emails and text messages, the definition of “electronic mail” under PECR includes in-app messages and direct messages on social media, and the PECR rules on consent apply to these types of marketing as well. This has generally been accepted as the position for some time, but this statement goes further than the current direct marketing guidance which only states the definition of electronic mail applies to “some social networking messages.”

• In contrast, the code confirms that targeted advertising on social media does not fall within the definition of electronic mail under PECR (although the GDPR will still apply where social media targeting involves processing personal data).

Online advertising and new technologies

• • The draft code contains more detailed guidance on online advertising and use of new technologies as compared to the current direct marketing guidance.

• • The draft code emphasises the need to be clear and transparent with individuals, on the basis that they may not understand how non-traditional marketing technologies work or how their data is used in this context. The draft code states that appropriate due diligence is necessary when buying or using such technologies for marketing purposes, given that this will often involve working with third parties such as social media platforms.

• • The draft code includes a detailed section on social media marketing which will be of particular interest. The code includes guidance on commonly used tools such as social media “audiences”, which are list based targeting tools that allow advertising to be displayed to users on a platform. The ICO stresses the importance of transparency and the need to be upfront about the processing: the ICO’s view (perhaps surprisingly) is that individuals will likely not expect to be targeted on social media, and that information about this processing should therefore not be buried in privacy policies. More surprisingly still, the draft code states that consent is likely to be the most appropriate legal basis for processing in this context, as it would be difficult to meet the three part test for legitimate interests. Given that social media audiences are widely used and consent is often not obtained for these activities, it is likely there will be significant push back on this from industry as part of the consultation process.

• • The code also makes a number of similar comments on “lookalike” social media targeting which will likely be equally unwelcome to the industry. In particular, the code notes that in the context of “lookalike” targeting, the advertiser is likely to be a joint controller together with the social media platform in relation to that activity, which is arguably in keeping with recent CJEU case law.

• In addition, the draft code includes guidance on a number of other new technologies not covered in the ICO’s existing guidance, such as over the top services, on demand and subscription TV, facial recognition, in-game and in-app advertising, geo-targeting, and direct marketing through connected devices, as well as the use of advertising IDs (for example in real-time bidding).

Service messages

• • The draft code confirms that the key factors for determining whether a message is a “service message” (e.g. messages sent to individuals for admin or customer service purposes) and therefore not direct marketing, is the phrasing, tone and context of the message. If a message has a neutral tone and is intended simply to provide information to the individual, it is likely to be a service message. However, if the message actively promotes or encourages an individual to do something (for example to use a particular service, special offer or upgrade) it is likely to be direct marketing.

• The draft code reiterates the ICO’s current guidance that if a service message includes elements that are direct marketing then the direct marketing rules apply to that message, even where it is not the main purpose of the message.

Special category data

• • Unsurprisingly the draft code states that profiling for direct marketing purposes using special categories of personal data requires explicit consent.

• • The draft code does clarify that holding a list of customer names does not itself amount to processing special category of personal data, even where names are associated with a particular ethnicity or religion. However, such personal data would be treated as special category data if those individuals are specifically targeted with marketing based on inferences about their religion or ethnicity. Similarly, if it is possible to infer a special category of personal data such as health information (e.g. disability from selling related products) this does not in itself trigger the requirements under Article 9 of the GDPR unless the organisation holds specific information about the individual’s condition or specifically targets marketing based on inferences about their health.

• In addition, the draft code clarifies that facial detection for direct marketing purposes does not automatically trigger Article 9 of the GDPR because this does not involve processing personal data which uniquely identifies an individual, but instead distinguishes one category of people from another. This is in contrast to facial recognition, which uses biometric data to uniquely identify an individual, and it is unlikely that facial recognition could be used to display direct marketing to specific individuals due to the difficulty in complying with lawfulness, transparency and fairness requirements under the GDPR in that context.

Publicly available information

• The draft code reminds controllers that publicly available information can still include personal data – such data is not exempt from the scope of GDPR or PECR just because it is publicly available and controllers should not assume it is “fair game”. The draft code is clear that once you have collected publicly available personal data you will be a controller of that data and must comply – for example, by disclosing your processing (including the source of the data) in your privacy notice and identifying a lawful basis.

Business to business direct marketing

• • The draft code echoes the ICO’s current guidance on business to business direct marketing, in particular that the PECR rules regarding electronic email (e.g. email and text messages) do not apply to messages sent to corporate subscribers (although do apply to messages sent to sole traders and partnerships). However, the code clarifies that even though PECR does not apply to most B2B marketing, the GDPR will still apply to the processing of business contact data if an individual can be identified from that information (for example email addresses in the format initials.lastname@company.com).

• In addition, the draft code states that the GDPR does not necessarily apply to the collection of hard copy business cards. The GDPR applies only if the business cards are filed or the details are added to a computer system (e.g. a customer relationship management tool or marketing database). Simply collecting business cards and placing them in a drawer does not mean the GDPR applies.

Data protection by design, accountability and DPIAs

• • The draft code emphasises the importance of accountability under the GDPR in relation to direct marketing and adopting a privacy by design and default approach, so that data protection is considered and addressed at the outset when planning direct marketing activities.

• In addition, the draft code states that DPIAs should be conducted in certain circumstances, including where there is data matching, invisible processing such as list brokering, online tracking by third parties, online advertising and re-using publically available data, tracking geo-location or behaviour (e.g. web and cross-device tracking, tracing services, wealth profiling and loyalty schemes) and targeting children or vulnerable individuals.

Lead generation and buying in contact details

• Data broking and lead generation has been an important area of focus for the ICO for some time, and the draft code builds on the ICO’s existing guidance in this area. In particular, the draft code states that organisations buying or renting direct marketing lists must conduct appropriate due diligence, and that providing clear and transparent privacy information will be key.

Additional contact details and tracing

• In most cases, purchasing additional contact details for existing customers or supporters will likely be unfair unless the individual has provided their consent. It also follows that “tracing” individuals is highly likely to be unfair and unlawful if there is no recent evidence that an individual expects updated contact details would be shared.

Suppression Lists

• • In line with the ICO’s current direct marketing guidance, the draft code states that organisations should maintain a suppression list of individuals that have opted out or objected to direct marketing in order to comply with PECR.

• • The draft code reflects the current ICO direct marketing guidance in that keeping a suppression list is not for “direct marketing purposes” but to comply with legal obligations. Therefore, the legal basis for processing the personal data in a suppression list is likely to be “necessary for compliance with a legal obligation” (Article 6(1)(c) GDPR).

• It is also unlikely that personal data in a suppression list would need to be deleted in response to a request for erasure by the data subject, because the personal data is processed for compliance with a legal obligation and therefore an exception to the right to erasure applies.

Regulatory communications

• • Direct marketing obligations under GDPR and PECR apply to communications which are sent to comply with regulatory objectives, comply with licence conditions or meet a wider public policy objective. Therefore, direct marketing rules can still apply even where a regulator asks or requires organisations to send specific communications to individuals.

• That said, the ICO does acknowledge that there may be situations where regulatory communications do not fall under the direct marketing rules, for example where the organisation has an obligation to inform individuals and the communication is in a neutral tone (without encouragement or promotion), is sent solely for the benefit of the individual, and is against the organisation’s interests, and the only motivation is to comply with a regulatory requirement. However, this appears to be a high threshold to achieve in practice.

What next?

• • Following the consultation, the code will be finalised and laid before Parliament. Parliament has 40 days to decide not to approve the code. If there is no objection, then the ICO must issue the code and it will come into force 21 days after it is issued.

• • It will be important for organisations to follow the development of the code, and at this stage to understand their current direct marketing practices and processes to ensure these comply with the GDPR and PECR. Taking such measures in advance will assist in preparing for when the code is finalised and enters into force.

• Much of the guidance in the draft code reflects similar messages and themes from the ICO contained in current direct marketing guidance as well as its updated Cookies Guidance, and also in its report on Adtech and Real Time Bidding and subsequent blog posts on that topic, with a particular focus now on online advertising, social media, lead generation and enriching data for direct marketing purposes. You can read our summary of the ICO Cookies Guidance here, and our summary of the ICO’s statements regarding Adtech here and here.