ICO Direct Marketing Code 'draft': 12 Highlights

January 2020

Just when I thought January was feeling dull, I got my hands on the ICO’s much-anticipated draft Direct Marketing Code of Practice! This replaces the Regulator’s existing Direct Marketing Guidance and will have statutory status.

It’s stressed that adhering to the code will be seen as a key measure of compliance with UK data protection laws. However, right now it is still a draft and is open for consultation until 4th March.

A detailed document, the code brings together much of the ICO’s other guidance in a marketing context with guidance on lawful bases, profiling, DPIAs, cookies etc.

It also covers more advanced techniques such as online behavioural advertising, social media targeting, mobile apps and location-based marketing. Topics which are either not covered or only touched upon briefly in the Direct Marketing Guidance.

The emphasis is firmly placed on planning your marketing activities and embedding data protection by design. It sets out what the ICO considers ‘right’ to look like.  While much may not come as a surprise to many, there are areas where some push-back can be anticipated and/or a desire for further clarity.

As with the ICO’s updated Cookie Guidance published last Summer, it’s almost certain there’ll be areas where organisations are falling short of what the ICO considers ‘right’ to be. How short they’ll fall remains to be seen, but there are now more and more ways to end up on the ICO naughty step – which is the one with the potential fines attached.

The code is more than 120 pages of adrenaline-pumping data protection action, and I’m sure many of you will be raring to get stuck into it.

However, for those who want the headlines first, I’ve put on my special data geek hat (I do have one) and read the lot. And here are my top twelve highlights! (Albeit, I make no apology for reducing 120 pages to about 5).

1. Direct Marketing Purposes

The code makes it clear from the off that direct marketing ‘purposes’ are broader than simply sending direct marketing communications. It says the focus should be on the purpose of the processing not the activity itself. If the ultimate aim is to send direct marketing communications, then all the processing activities leading up this would be processing for direct marketing purposes. The code states:

If you are processing personal data with the intention that it is used for communicating direct marketing by you or a third party you are processing for direct marketing purposes.

For example, if you are collecting personal data from various sources in order to build up a profile on an individual – such as the products they buy, the services they like to use, or the causes they are likely to support – with the intention that this is used to target advertising at them, whether by you or by a third party.

Other examples given include lead generation, list-brokering, data enrichment, data cleansing, audience segmentation or other profiling, and contacting individuals to ask them for their consent to receive direct marketing.

2. Data Protection Impact Assessments

Unsurprisingly, the code says if your direct marketing activity includes processing of a type likely to result in ‘high risk’, you must do a DPIA before you begin the processing. It gives the following examples that would be relevant in a direct marketing context:

  • large scale profiling;
  • data matching – e.g. for direct marketing;
  • invisible processing – e.g. list brokering, online tracking by third parties, online advertising, re-use of publicly available data;
    tracking the geolocation or behaviour of individuals – e.g. online advertising, web and cross device tracking, tracing services (telematching, tele-appending), wealth profiling, loyalty schemes; and
  • targeting children or other vulnerable individuals for marketing and profiling

It’s worth noting the ‘good practice recommendation’ suggesting a level of due diligence when any piece of marketing work commences;

Even if there is no specific indication of likely high risk in your direct marketing activity, it is good practice to do a DPIA for any major new project involving the use of personal data.

3. Consent

The code reiterates the ICO’s Consent Guidance, bringing this specifically into a marketing context and covering where the Privacy and Electronic Communications Regulations (PECR) require consent. The ICO has previously emphasised it sees ‘opt-in’ as the best approach for direct marketing, and this is reiterated here in another good practice recommendation:

Get consent for all your direct marketing regardless of whether PECR requires it or not. This gives you the benefit of only having to deal with one basis for your direct marketing as well as increasing individuals’ trust and control.

(There are quite a few good practice recommendations to watch out for dotted through the document).

The code goes on to say:

PECR requires consent for some methods of sending direct marketing. If PECR requires consent, then processing personal data for electronic direct marketing purposes is unlawful under the GDPR without consent.

If you have not got the necessary consent, you cannot rely on legitimate interests instead. You are not able to use legitimate interests to legitimise processing that is unlawful under other legislation.

It also stresses the requirement that for consent to be valid it should be unconditional. It provides the following example (which many of us will have come across):

A train company has signs in its carriages saying that free wifi is available for its passengers. In order to access the wifi the passenger is required to provide their name, email address and telephone number. There is a notice at the bottom of the sign up process which says: I understand that by submitting my details I am agreeing to receive marketing from the train company.

If the passenger does not tick the box they cannot access the ‘free’ wifi – in other words accessing the wifi is conditional on them receiving electronic direct marketing. It is not necessary for the train company to collect these details for direct marketing purposes in order to provide the wifi, therefore the consent is not valid

4. Legitimate Interests

It clearly sets out that the two lawful bases which are most likely to be appropriate for direct marketing purposes are consent and legitimate interests. It notes neither are an ‘easy option’ and both require work. (Albeit, there’s some concern that too much emphasis is placed on using consent).

If consent is not a requirement under PECR, the ICO says you might be able to rely on Legitimate Interests. There’s reference to the GDPR which states; “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”

Again, as in the ICO’s Legitimate Interest Guidance the word MAY is highlighted. The requirement for organisations to conduct an assessment is reiterated. An assessment which can demonstrate the use of people’s personal data is proportionate, has minimal privacy impact and would not come as a surprise.

For more information on how to assess legitimate interests see the DPN’s Legitimate Interest Guidance. This includes a template for a Legitimate Interests Assessment (LIA), as does the ICO’s Legitimate Interests Guidance.

5. Special Category Data

If you’re conducting profiling involving special category data for direct marketing purposes it’s made clear you’ll need to gain explicit consent. For example; health data, racial or ethnic origin, political opinions, religious beliefs or sexual life. The following example is given:

A supermarket wants to promote its baby club. It decides to use its loyalty card data to predict which of its customers might be pregnant in order to send them messages about its baby club. Because the supermarket does not have its customers explicit consent to do this, it has infringed the GDPR.

‘Explicit’ consent, is a further step than ‘normal’ consent. The ICO says in practice this means it:

  • must be confirmed in a clear statement (whether oral or written), rather than by any other type of affirmative action;
  • must specify the nature of the special category data; and
  • should be separate from any other consents you are seeking

It’s helpfully clarified that simply holding a list of customer names associated, for example, with a particular ethnicity or religion, will not trigger the conditions of GDPR Article 9. Unless you specifically target marketing on the basis of that inference.

It will be interesting to see what activities hitherto considered fairly unremarkable fall into the Special Category Data definition for marketing purposes.

6. Personal data collected indirectly & right to be informed

The code reiterates the requirement to fulfil the right to be informed when you haven’t collected personal data directly from the individual (e.g. you’ve sourced this from publicly available sources or a bought-in list).

It says the ‘disproportionate effort’ exemption to this right would need to be carefully balanced. If the processing has a minor effect on the individual, an organisation’s assessment might find that it’s not proportionate to put significant resources into information individuals. But it specifically states:

You are unlikely to be able to rely on disproportionate effort in situations where you are collecting personal data from various sources to build an extensive profile of an individual’s interests and characteristics for direct marketing purposes.

This represents a challenge for some. It goes on to say that if you do not actively tell people about your “invisible processing” you must carry out a DPIA before you start.

Also see –  Prospects, Leads, Bought-in Lists – Don’t forget the Right to be Informed

7. Online Advertising

There are no prizes for guessing the code says where cookies and other technologies are used PECR will apply. But it also highlights that where you are personalising adverts (based on for example an individual’s browsing history) this will be direct marketing.  It states:

In the vast majority of cases, online advertising involves the use of cookies and similar technologies and therefore PECR applies. Additionally, if you engage in behavioural advertising – for example by personalising adverts on the basis of things like an individual’s browsing history, purchase history or login information – this will constitute direct marketing.

This is because the decision to target that particular user with a specific advert is based on what you know, or perceive to know, about the interests and characteristics of that individual and the device(s) they use.

8. Data Enrichment, Matching & Appending

The general theme is approach this with caution. The ICO says you need to be careful enrichment isn’t unfair to individuals and it’s unlikely people will anticipate you are doing this or understand what it is. It says:

You are not able to enrich the personal data you hold if you and the third party (where applicable) did not tell people about this.

Furthermore, it says purchasing additional contact details for your existing customers or supporters is ‘likely’ to be unfair, unless they’ve expressly agreed.

9. Using third parties to send your marketing communications

Are you the instigator? (An area some organisations have fallen foul of in the past). The codes states that PECR applies to the ‘sender’, ‘caller’, or ‘instigator’ of the direct marketing message and beware you’re likely to be instigating if you “encourage, incite, or ask someone else to send your direct marketing message.”

So, if you encourage another company to send your B2C marketing emails then both of you need consent (one for being the instigator and one for being the sender).

10. Tell a friend campaigns

In short, and as many of us would have expected, this is a non-starter:

As you have no direct contact with the people you are instigating the individual to send the direct marketing to, it is impossible for you to collect valid consent. It is likely therefore that viral marketing and ‘tell a friend’ campaigns by electronic mail would breach PECR.

11. Social Media Targeting


When using “list-based” tools (e.g. Facebook custom audiences or LinkedIn contact targeting), where you upload personal data you already have to the platform (e.g. list of email addresses) you must be transparent and clearly inform people about this processing. The code says:

You must be upfront about this processing. Individuals are unlikely to expect that this processing takes place, therefore you should not bury information about any list-based tools you use on social media within your privacy information.

It is likely that consent is the appropriate lawful basis for this processing as it is difficult to see how it would meet the three-part test of the legitimate interests basis. However you will still need to ensure you also meet transparency requirements.

If an individual has objected to you using their personal data for direct marketing purposes, you cannot use their data to target them on social media, including by using list-based tools.

Many organisations may be currently relying on Legitimate Interests, especially when using hashed lists, and it’s not made clear why the ICO believes audience tools would not meet the three-part test.


The ICO recognises activities to find customers that are similar to yours are complex. The code says while the social media platform undertakes the majority of the processing activities, organisations using these are the ones instigating this activity.

The ICO’s conclusion is it’s likely the organisation and the platform are joint controllers. Organisations should be satisfied the platform has taken all necessary steps to provide appropriate transparency information to people. It goes on to say:

You also need to inform individuals who have provided information to you that you intend to process their data to create these other audiences and ensure that you have a valid lawful basis.

If individuals have objected to the use of their personal data for marketing purposes, you also must not use their data for the creation of a ‘lookalike’ audience.

12. Right to object & most recent indication of wishes

There’s a section of the draft code dedicated to individual rights, within which it specifically mentions that the most recent indication of an individuals’ wishes about the receipt of your direct marketing is the most important. It gives the following example:

If an individual specifically withdraws their objection or in the future actively solicits direct marketing from you, then this would override their original objection. However, failing to opt-out of your direct marketing at a later date (for example if you are using the electronic mail soft opt-in) does not override an individual’s previous Article 21(2) objection.

So, clarification on a point I know has caused some debate. If someone has unsubscribed, presenting them with an opt-out statement (i.e. relying on legitimate interests) will not override their previous objection.

As said the draft code stretches to more than 120 pages. There’s much detail to mull over and it remains to be seen what changes emerge following the public consultation.