ICO issues direct marketing code for consultation

The much-awaited draft code, required by the Data Protection Act 2018, is aimed at helping organisations to meet their obligations. The draft code, which also addresses marketing under the Privacy and Electronic Communications Regulations 2003 (PECR), is now available for consultation until 4 March.

The 124-page draft code addresses many of the old questions and also covers marketing that uses new technologies and social media. Some of the highlights include:

  • If you collect data directly from individuals, you must provide privacy information at the time you collect their details. If you collect personal data from sources other than the individual (e.g. public sources or from third parties) you must provide privacy information within a reasonable period of obtaining the data and no later than one month from the date of collection.
  • If you are considering buying or renting direct marketing lists, you must ensure you have completed appropriate due diligence.
  • If you are using new technologies for marketing and online advertising, it is highly likely that you require a Data Protection Impact Assessment.
  • Even if you are not using cookies, it is likely that consent will be the appropriate lawful basis under the GDPR for any behavioural advertising or profiling that you wish to engage in, for the same reasons as online advertising more generally.
  • When sending direct marketing to new customers on the basis of consent collected by a third party, the ICO recommends that you do not rely on consent that was given more than six months ago.

See ICO's draft Direct Marketing Code of Practice.