The UK’s data protection watchdog, the ICO, is consulting on a draft code of practice that will replace existing guidance and help organisations to stay on the right side of data protection and e-privacy rules when undertaking direct marketing. The code will replace the ICO’s existing direct marketing guidance.
Just as the GDPR seeks to ensure that data protection law is fit for the digital era, the new code modernises existing guidance by dealing with relatively new data use cases and technologies. In particular, consent is now seen by the ICO as a pre-requisite to lawfully market to individuals on social media (though the use of ‘custom audiences’) and via in-app push notifications. The code also urges business to tread carefully when profiling individuals and ‘enriching’ existing databases by buying in additional personal data.
The draft code also places increased emphasis on compliance with the GDPR more generally, in particular transparency obligations in relation to profiling individuals for marketing purposes and conducting data protection risk assessments to demonstrate accountability.
Although the code is not yet in force, and may change, organisations would be wise to reflect on it now, and consider whether they would need to update their existing marketing practices (e.g. obtain new consents) to bring them into line if it came into effect in its current form.
The consultation and draft code can be viewed here and we will bring you our analysis in due course.