Hot off the heals of the ICO's new October guidance on electronic marketing and live calls, the ICO has published additional new guidance and resources (including checklists and self-assessment toolkits).

There's plenty to digest, so watch this space for further insights from our team, but here are some interesting takeaways from our initial review of the new guidance:

  • If you're wondering how the latest guidance fits together with the October electronic/live call marketing guidance - there is overlap, but the new guidance explains responsibilities (generally) in relation to direct marketing activities (including underlying processing activities leading up to outreach), whereas the October guidance relates specifically to the 'outreach' (i.e. emails/live calls).
  • There's a retreat (which I'm sure will be welcome) from previous ICO guidance (in the ICO's draft direct marketing Code from 2020) in relation to the targeting of customers via social media (or indeed any similar platform) through so-called 'custom audience' tools (also known as 'customer match' or 'list-based targeting' tools). Previous guidance suggested that consent is the most appropriate lawful basis, but this suggestion isn't present in this latest guidance.
  • Great, so organisations can rely on legitimate interests to use custom audience/customer match tools? Yes (potentially), but it's not as straightforward as that. On top of the usual three-part balancing test, the ICO makes clear that there's work to do, to effectively rely on legitimate interests. Organisations must be upfront and clear about what they want to do, and should offer opt-outs at the point of initially collecting details. So, lots to do if organisations want to share/match data with platforms in a compliant way. 
  • At present, many platforms regard themselves as their customer's processor, where they process lists of (say) hashed email addresses for custom audience/customer match advertising. However, the ICO says "it is likely that you (the customer) and the platform are joint controllers". It remains to be seen whether platforms will update their terms to address this point (the ICO isn't the first regulator to say there's joint controllership).   
  • The ICO says that consents must describe the specific type of communication (e.g. "email" or "text") - a permission to send direct marketing by "electronic mail" will not be specific or informed enough to send marketing via email (which seems a bit silly, given that 'email' is short for 'electronic mail', but there we are). So, is it time to review your marketing opt-in wording?

If you need help ensuring that your direct marketing activities are on the right side of the line or have any questions about the guidance, get in touch with a member of the team!