Clause 77 of the Digital Economy Bill will establish a statutory Direct Marketing Code of Practice that has the same status as the Data Sharing Code of Practice. This Code should finally put to bed all the controversial issues with respect to Direct Marketing (e.g. whether there should be “opt-in” or “opt-out”), the meaning of “consent” in the context of marketing and when it is possible to engage in Direct Marketing without the consent of the data subject.
The Code, by law, will cover practical guidance in relation to the carrying out of direct marketing in accordance with the requirements of the Data Protection Act (DPA) and the Privacy and Electronic Communications Regulations (PECR). A reference to “good practice” in Clause 77 means that guidance on direct marketing is not limited to compliance with the PECR and DPA.
I also expect that the timing associated with the Bill (when it becomes law; say in the middle of next year) and the time spent consulting on a draft Code (say 3 months) will dictate that the final text will have to contain guidance on marketing and the impact of the General Data Protection Regulation (GDPR).
The ICO is obliged to consult the Secretary of State, trade associations, data subjects and NGOs that represent the interests of data subjects. The Secretary of State must lay the Code before Parliament, and either House of Parliament can vote against the Code; if this happens, the Code falls. I cannot see that happening without Government organising its payroll vote against the Code.
So what do I hope will be the content of the statutory Direct Marketing Code?
First, a Code that does not conflate “consent” with “fair processing” when considering data protection. If, for example, there is an “opt-out” marketing box in an obscure location or in the small print, this is not an example of unfair processing of personal data; it is an example of processing that does not have properly formed data subject consent. As a result, the processing is not associated with a Schedule 2 condition and therefore should cease.
For far too long, most ICO Guidance has over-relied on fair processing. For an extreme example, consider the Caerphilly County Borough Council Undertaking (see references), which related to covert surveillance of an employee suspected of fraudulently claiming to be sick.
The ICO concluded that in this case “the employer must be satisfied that there are grounds for suspecting criminal activity or equivalent malpractice”, and that, as the data controller did not have sufficient evidence to warrant the authorisation of covert surveillance on an employee, the covert surveillance of the employee’s activities was “unfair”. Urrrggggghhhh!!!
I contend the processing of personal data was either unlawful or had no Schedule 2 grounds. The ICO’s focus on fairness leaves the misleading impression that Caerphilly’s surveillance was somehow legitimate or lawful or both – when it isn’t.
In general, Schedule 2 raises the question: “can a controller process personal data?” and requires a lawful ground (a legal basis) for the processing. If a ground exists, the next question is “how does the controller process personal data?” The answer is via the Data Protection Principles (e.g. securely, fairly, accurately, etc.). If there are no grounds associated with the processing, there can be no processing, and the question of compliance with the Principles (e.g. fairness) does not arise.
Second, the Code should identify what constitutes properly formed “consent” and anticipate the GDPR requirements for consent in the marketing context. For example: what records should be kept in relation to consent; refreshing consent; what happens if consent is withdrawn and the operation of the objection to marketing (under the GDPR, current DPA and PECR). Recital 32 of the GDPR states that pre-ticked boxes do not constitute consent, so ICO Guidance on the importance of this and other relevant Recitals would be welcome.
I should add that I am not a fan of the phrase “opt-in model of consent” as used in recent Undertakings (e.g. British Red Cross; see references) as it implies “opt-out” consent is somehow different (which it isn’t if you follow my recent blog; see references). I should add that I am quite comfortable with a properly formed “opt-out” consent for marketing, especially as the right to withdraw consent/object to marketing is strengthened by the GDPR.
Third, as the right to be informed (and the right of access) includes the prospect of identifying Recipients of the personal data, the Code should cover the identification of those to whom personal data have been disclosed for a marketing purpose. This would allow data subjects to follow up their marketing objection to the controller with objections to the associated Recipients, and so on.
It is interesting to note that this would resolve the query raised by Lord Justice Leveson in his phone hacking inquiry (transcript 26/1/2012, p17, morning session). Leveson discovered that Third Party list providers are a major source of ex-directory telephone numbers (e.g. usually provided by members of a family when they sign up to something and miss an obscurely positioned “opt-out”). As a result, he explained:
“And it just concerns me that I simply do not know whether somebody has got hold of my personal data, and I don't know how I would ever find out, and therefore, if I never find out, I don't know to make the complaint”.
As far as I can see, the GDPR fixes this problem; Lord Leveson should be able to find out. In this context, it is interesting to note that in Optical Express the Tribunal determined that the identity of Third Party marketers had to be disclosed to data subjects (see references).
Fourth, there has to be clarity about when personal data can be processed for marketing that is in the legitimate interests of the data controller, an issue which first surfaced in British Gas Trading Limited -v- Data Protection Registrar. As is well known (to delegates to my GDPR workshops), Recital 47 states that processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest – so when does this occur? Guidance please.
Finally, there has to be clarity on all aspects of PECR and of profiling for a marketing purpose.
The Code’s objective will be to ensure that the Code is taken into account when a Court or Tribunal is considering a case (i.e. non-compliance with the Code can potentially increase any penalty). It anticipates the likely status of Codes of Conduct as specified in the GDPR.
In summary, a draft Marketing Code of Practice should surface towards the end of next year when the Digital Economy Bill becomes an Act. At this time, the UK approach to the GDPR should be clear: the options appear to be between a hard Brexit, a soft Brexit or, at the moment, a dog’s Brexit.
I therefore expect that the Code will become live at about the same time the GDPR comes into effect. However, one thing will be clear: being compliant with the Code will be a comfortable place to be.
So watch out for it and then engage with the Commissioner’s consultation.
Forthcoming Amberhawk courses in November/December:
- GDPR Workshops: 10 November (Douglas IoM); 7 December (London)
- DP Practitioner Course: Starts 14 November (BCS syllabus; London)
- CISMP Course: Starts 28 November (BCS syllabus; London)
References:
- Marketing by opt-in, opt-out, consent or legitimate interest? Consider your ABC (Amberhawk blog): http://amberhawk.typepad.com/amberhawk/2016/05/marketing-by-opt-in-opt-out-consent-or-legitimate-interest-consider-your-abc.html
- Optical Express enforcement notice (ICO): https://ico.org.uk/media/action-weve-taken/enforcement-notices/1042983/optical-express-enforcement-notice.pdf
- Caerphilly County Borough Council undertaking (ENF0522453; ICO): https://ico.org.uk/media/action-weve-taken/undertakings/1560555/caerphilly-cbc-undertaking.pdf