On 5 December 2022, the Information Commissioner’s office (ICO) published its new guidance on direct marketing (the Direct Marketing Guidance).
The Direct Marketing Guidance is accompanied by various resources, including checklists, FAQs, an online training module, specific guidance relating to SMEs, B2B marketing, data brokers, political campaigning and direct marketing in the public sector.
Back in 2020 the ICO published a Direct Marketing Code of Practice (the Code) which is required under s. 122 of the Data Protection Act 2018. A Code of Practice has “statutory force”, meaning that the ICO must take it into account in respect of any of its enforcement activities. The Code was hotly anticipated at the time (and controversial in some circles). However, the Code has never been finalised. We expect that this is because the ICO is waiting to see what comes of the proposed Data Protection and Digital Information Bill (the DPDI Bill). Nonetheless, we expect that the Direct Marketing Guidance has been published as an interim measure to help organisations with some of trickier issues around direct marketing, particularly around profiling and social media. We assume that this will form the basis of the finalised Code. It is therefore worth paying close attention to its contents.
The guidance covers the usual aspects that you would expect to see in direct marketing guidance, such as how to conduct email marketing, automated calls, suppression lists, service messages v marketing messages etc. For the purposes of this blog post we will focus only on the “newer” aspects of guidance, i.e. guidance around profiling for direct marketing, using custom and lookalike audiences and data matching / appending. We will also discuss interesting aspects of the separate B2B direct marketing guidance that was published at the same time as the main guidance.
However, it is first worth acknowledging how the obligations that the Direct Marketing Guidance talks about are classified.
Classification of obligations
Unlike the Code, the Direct Marketing Guidance differentiates between concrete legal requirements, best practice and options that businesses may want to consider to help them comply with data protection law. The ICO’s characterisation of the words must, should and could respectively are set out below. For consistency, these are used in bold throughout this post where appropriate.
“Where we use the word “must”, this means that the law requires you to do something (so it is a legal requirement).
Where we use the word “should”, this is what we consider important to help you comply. You should follow this unless you have a good reason not to (good practice). However, you may be able to take a different approach and still comply.
Where we use the word “could”, this refers to an option(s) that you may want to consider to help you comply (good practice).”
While there is no specific obligation to demonstrate or record a reason for not complying with a “should” obligation, it would be prudent for businesses to satisfy themselves as to what this reason is and record it as part of their internal governance practices.
Use of Special Category Data for direct marketing
The Direct Marketing Guidance sets out the rules around using Special Category Data for direct marketing, i.e. that explicit consent must be obtained since it is unlikely that another special category condition would apply to the use of this type of data in this context. What is particularly interesting, although not surprising, is that the Direct Marketing Guidance specifically highlights that drawing inferences about people’s race, political opinions or health from other information may also constitute Special Category Data. This is an area that the ICO looked at recently when it fined Easylife Ltd £1,350,000 for using information on customers’ purchase history to predict their medical conditions and target them with health-related products without their consent.
Using social media for direct marketing
The Direct Marketing Guidance specifically addresses the use of “custom” and “lookalike” audience tools, which are commonly used marketing tools by companies on social media platforms, albeit in less detail than in the draft Code.
A “custom” (or “list-based”) audience is an ad targeting service to help companies find its customers on social media and target them accordingly. This is usually done by the company inputting its customer list into the social media platform.
A “lookalike” audience works in a similar way but helps companies target new/potential customers who share similar characteristics with (or “look like”) their existing customer base.
The draft Code expressed concerns that people do not generally expect their personal data to be used for custom/ list-based audiences, it therefore noted that consent is likely to be the most appropriate lawful basis for this type of processing:
“Individuals are unlikely to expect that this processing takes place, therefore you should not bury information about any list-based tools you use on social media within your privacy information. It is likely that consent is the appropriate lawful basis for this processing as it is difficult to see how it would meet the three-part test of the legitimate interests basis”.
This position came as a surprise to some, as organisations have rarely sought consent for this type of marketing. The new Direct Marketing Guidance does not contradict this view but it is not quite as explicit. Rather, it points to consumer surveys on people’s expectations, such as research conducted by Which? that said:
“79% of [those surveyed] were unaware that a social media platform matches profiles to customer lists that have been uploaded by organisations”
This is a not so subtle nudge that, as stated in the draft Code, the ICO considers consent to be the most appropriate lawful basis for the list-based audiences. However, unless and until this is explicitly stated in the Code, we suspect that most organisations will choose to continue this type of marketing on the basis of legitimate interests, dealing with the awareness point through increased transparency. The Direct Marketing Guidance also reminds organisations that, although a social media platform may undertake the actual processing, this is done at the instigation of the organisation/brand. This therefore creates joint controller obligations meaning that organisations will need to ensure they have a joint controller agreement in place with the social media platform, as required under the UK General Data Protection Regulation.
The Direct Marketing Guidance notably encourages organisations to consider the potential harms of profiling, such as perpetuating stereotypes or causing discrimination. Importantly, the Direct Marketing Guidance makes it clear that organisations should effectively address these risks. These considerations are especially relevant in cases where profiling gives rise to special category data, as in the case of Easylife’s fine.
How long consent lasts
The Direct Marketing Guidance contains some useful guidance on how long marketing consents last. It emphasises that businesses must make sure consent was validly given even if it was provided via a third party and provides that businesses:
“should not use consent for direct marketing that was given via a third party more than six months ago (unless people would expect your marketing at a later date, eg seasonal offers)”.
Interestingly, this six month time frame is also indicated in the draft Code as a “good practice recommendation” for consent collected by a third party. This is in contrast with the use of should here, which further clarifies that organisations should comply with the above “unless [they] have a good reason not to”.
The guidance on consent collected directly remains essentially the same, namely that how long consent lasts is dependent on the circumstances in each case. This includes people’s expectations and their relationship with the organisation. Notably, the Direct Marketing Guidance is less detailed than the Code in this area. Unlike the Code, the Direct Marketing Guidance does not, for example, discuss the PECR position on how long consent lasts.
B2B marketing on professional networking sites
In addition to the Direct Marketing Guidance, the ICO released at the same time guidance in relation to business-to-business marketing.
This guidance contains some interesting comments on the difference between individuals’ expectations on how their personal data may be used on personal social networking sites compared with professional networking sites:
“Individuals on professional networking sites may have different expectations about how their personal data is used compared to their personal use of other networking and social media sites. However, this depends on the particular circumstances and context.”
This differentiation is of course quite heavily qualified and makes clear that data protection law still applies in this context. However, it is useful for marketers that the ICO acknowledges that the reasonable expectations of users on these sites may be different. This implies that there may be situations where consent is not required for activities undertaken in relation to data provided through a professional networking site.
The Direct Marketing Guidance is a welcome piece of guidance for organisations seeking direction on less traditional, and more innovative, ways of direct marketing. Whilst the guidance does not actively contradict the draft Code, it does seem softer in certain areas, however it does not go into the same level of detail as the draft Code and does not explicitly deal with some of the more controversial aspects. Therefore, it remains to be seen whether or not the ICO’s position in relation to some of these more controversial issues has changed since the draft Code was published back in 2020, and so the publication of the Code in due course remains something that organisations will need to monitor and have regard to.
 See page 6, Direct Marketing Guidance
 See page 90, Direct Marketing Code of Practice