ICO brings direct marketing into the 21st century | Fieldfisher

Leonie Power


United Kingdom

The dawn of 2020 saw a number of developments on the data protection front, not least a new draft Direct Marketing Code from the ICO. The draft is out for consultation until 4 March and the finalised version is expected later this year. There is a notable focus on 21st century marketing/profiling and enrichment practices, including via social media, facial detection and email tracking. Here are some of the key takeaways:

Direct marketing purposes: This is not just about communicating with individuals. Direct marketing purposes include all processing activities leading up to, enabling or supporting the sending of the direct marketing. This means individuals have the absolute right to opt out of not just the communication, but also the profiling activities leading up to the communication, e.g. audience segmenting and data enrichment as well as data cleansing, matching or screening.

Online advertising: Behavioural targeted advertising falls squarely within the definition of direct marketing and individuals have an absolute right to opt out of this type of advertising. Contextual advertising (i.e. targeted to the content of the page rather than the identity or characteristics of the visitor) does not constitute direct marketing because it is not 'directed to' an individual. However, this conclusion appears to be premised on the assumption that personal data is not processed for ad targeting. The draft Code does not comment on the use of frequency capping (whereby contextual ads are only targeted at individuals who have not seen them before).
The guidance makes a brief reference to 'push notifications' being caught by ePrivacy rules but does not provide further detail (so we must assume that they are of a type that fall within the definition of electronic mail for the purposes of these rules, i.e. capable of being stored and collected at a later stage).
Location and email tracking: ePrivacy rules on location data do not apply to GPS data or location information collected at a purely local level (e.g. by Wi-Fi equipment installed by businesses offering Wi-Fi on their premises). However, GDPR rules apply and you must be transparent about any location-based marketing techniques. You are also likely to need consent, as it is unlikely to be in people's reasonable expectations that you will track their location in order to send adverts to them. If you use 'tracking pixels' within your direct marketing emails, then the direct marketing rules apply to the email and the cookie consent rules apply to the extent that information is stored or accessed on the device used to read the email.

Social media: ePrivacy rules (regarding consent for electronic marketing) apply to in-app notifications and direct messaging in a social media context, but advertising via a social media feed is not caught by such rules. However, such advertising does constitute direct marketing and you need to be upfront about targeting individuals via social media. Use of list-based tools such as Facebook Custom Audiences or LinkedIn Contact Targeting to display direct marketing to users of those platforms is likely to require user consent.
If you provide personal data to social media platforms in order to enable those platforms to create "look-alike" audiences for targeted marketing purposes, you are likely to be acting as a joint controller with the platforms in respect of these processing activities. You need to be transparent with individuals within the original dataset about your intention to use their personal data to create "look-alike" audiences and have a lawful basis to do so. You must also be satisfied that the social media platform has provided appropriate transparency information to the individuals comprised within the "look-alike" audience. This guidance is in line with recent CJEU decisions regarding joint controllership, i.e. the ability to exert control/influence over the data processing is key, regardless of whether you have access to the data.

Some very 21st century stuff about facial detection technologies: The draft Code distinguishes between facial recognition (seeks to identify or verify a specific individual) and facial detection (seeks to distinguish between different categories of individuals). It is unlikely that you will be able to use facial recognition technology to display direct marketing to specific individuals because of the difficulty of complying with lawfulness, fairness and transparency requirements. You are also likely to need explicit consent (since you would be processing special category biometric data used to uniquely identify individuals).

Segmenting audiences into categories using facial detection for direct marketing may be possible, but you need to be careful not to bring special category data into play (by tracking an individual across an area, i.e. singling them out), and you need to ensure that there is no scope creep, as well as ensuring general compliance with GDPR.
Putting up "direct marketing walls": You need to tread carefully if you make access to a service/benefit conditional on the individual receiving direct marketing. Generally, this cannot be done. It is only possible in very limited cases, e.g. if the whole point of signing up to a retail loyalty scheme is to receive marketing offers. You can, however, incentivise people to provide their personal data for direct marketing purposes (e.g. discounted products or access to special offers), but you cannot unfairly penalise people who don't, e.g. by not allowing them to collect loyalty scheme points to redeem against further purchases.

Buying in new technologies: The draft Code outlines suggestions for the due diligence you should undertake when using new technologies, for example regarding the capabilities and functions of the technology, and establishing whether a data protection by design approach has been taken. It is clear that the manufacturers of such technologies should consider undertaking a data protection impact assessment ("DPIA") even if not mandated by law to do so (i.e. if they want to be able to provide some comfort to customers around privacy law compliance). Of course, there may be an obligation on the purchasers of the technologies to conduct their own DPIAs in any event, and such purchasers will need to meet the requirements of ePrivacy rules and GDPR. Contractual assurances are not good enough.

Enrichment: It is very difficult to rely on the "legitimate interests" ground for processing personal data if engaging in intrusive profiling for direct marketing purposes, e.g. collecting and combining vast amounts of personal data from various different sources to create profiles for direct marketing purposes. This type of profiling is generally not in an individual's reasonable expectations and is rarely transparent enough.
When enriching a personal dataset with a personal dataset received from a third party, both you and the third party need to have told individuals about this. Further, buying and appending additional contact details for existing customers is unlikely to be fair unless they have expressly agreed – this is because it removes choice about marketing channels. If you obtain personal data from a third party source (e.g. a data broker or publicly available source), you must provide a privacy notice which includes the name of the third party source or publicly available source and the categories of personal data (except in very limited circumstances).

You are unlikely to be able to claim that providing a privacy notice to individuals involves disproportionate effort where you are collecting personal data from various sources to build an extensive profile for direct marketing purposes. The information must be provided within one month at the latest, or earlier if you are disclosing the information to others or propose to communicate with the individual – in those cases it should be provided before disclosure or at the time of first communication.

Where the direct marketing is based solely on automated profiling, explicit consent is required if the direct marketing can be said to have a significant effect (similar to a legal effect). Examples include targeting known gamblers with adverts for betting sites or targeting individuals known to be in financial difficulty with marketing for high interest loans.
Data brokering: Since data is being collected from a variety of sources rather than directly from the individual, it is particularly important to ensure that the processing is transparent, fair and lawful. The draft Code does not completely rule out reliance on the "legitimate interests" ground for processing, but points to an EDPB opinion that suggests that consent should be required for data brokering (and to a similar view in an Article 29 Working Party Opinion on the notion of legitimate interests). Further, the draft Code points out that it is unlikely to be in people's reasonable expectations that you will be building extensive profiles on them in order to sell these to lots of organisations. An important point is that, where data is shared on the basis of consent, the appropriate legal basis for the subsequent direct marketing purposes is consent. Switching the legal basis would undermine the effectiveness of consent withdrawal mechanisms and would mean that the original consent had misrepresented the degree of control in the hands of the individual.

Special category data: Holding information about the nature of the products you sell to an individual will not trigger a requirement to comply with a special category data condition unless you hold specific information about that individual's condition or specifically target marketing on the inference of their health status. So, it looks like holding personal data about the disability aids that an individual bought will not trigger a requirement for explicit consent.