By John Wilks, Claire Sng and Ella Castle
In the wake of GDPR, the UK’s Committee of Advertising Practice has amended the CAP Code to introduce new rules on the use of data for marketing. It has also launched a consultation on potential further rule changes relating to child marketing data and prizewinners.
As discussed in a recent blog post (see here), CAP has been considering its future regulation relating to use of data in marketing and advertising, following the entry into force of GDPR. As such, in May 2018, CAP suspended existing Code rules regulating data protection issues (Section 10 – Database practice; and Appendix 3 – Online behavioural advertising), and initiated a Consultation on the collection and use of data for marketing.
In its Regulatory Statement on the new rules (see here), CAP identified the following aspects of GDPR as being particularly relevant to advertising rules:
- a new definition of personal data;
- a more detailed definition of consent;
- stricter requirements for offering online services to under 16s;
- reference to direct marketing as a “legitimate interest” for processing data; and
- (related to that) a right to object to processing for the purposes of direct marketing carried out on the basis of a “legitimate interest”.
The rule changes cover three key data protection issues:
1. Removing rules on “pure data protection matters”
Although CAP considers that responsible data processing is an “intrinsic part of marketing, especially in a digital age”, CAP has decided to remove the rules on pure data protection matters (for example, data security and transfers of data outside the EEA) on the basis these rules are “unlikely to attract an expectation of regulation by the UK’s advertising regulator”. This conclusion is supported by the fact the ASA receives a low level of complaints on such matters, with complainants much more likely to address their grievances to the UK’s data protection regulator the ICO. The removal of ASA jurisdiction in this area is to be welcomed – as Consultation respondents had noted, there is otherwise the potential for uncertainty arising from having two different regimes regulating this area.
2. Amending Section 10 (Database Practice) of the CAP Code to comply with the GDPR
The amendments to Section 10 reflect and align with the GDPR, for example reflecting key GDPR definitions and mirroring the Article 13 and 14 fair processing notice requirements. They also include confirmation around responsibility for compliance with data rules (while marketers are likely to be data controllers and so primarily responsible, others involved in sending marketing communications are also responsible – agencies beware!). In addition, there is a new rule requiring marketers to do everything reasonable to ensure anyone notified to them as dead is not contacted again.
Removing Appendix 3 (Online behavioural advertising) of the CAP Code
This Section is removed and online behavioural advertising is instead addressed under the general marketing-related data protection rules set out in Section 10.
CAP indicated in its Evaluation of Consultation Responses (see here) that it will have regard to relevant Information Commissioner Office (ICO) and industry guidance relating to online behavioural advertising.
These rule changes announced at the beginning of this month, have been introduced with immediate effect. However, the rules will be under review for a 12 month period and CAP has said the ASA aims to deal with issues informally for the first 6 months, i.e. there will be a grace period for advertisers to get used to the new approach.
CAP intends to use independent industry watchdog the Direct Marketing Commission (DMC) to provide advice in cases where “legitimate interest” is put forward as the basis for processing personal data for marketing communications. Additionally, CAP will refer matters to the ICO where an issue is particularly contentious and the outcome has the potential to affect widespread industry practice. Such a co-ordinated approach, like the updating of the Code to take account of GDPR more generally, is to be welcomed, so as to avoid uncertainty and inconsistency. While the ICO will doubtless continue to be the main point of call for data protection related complaints (and marketers will want to concern themselves primarily with compliance with GDPR and other privacy law rather than the CAP Code in relation to data processing matters), it is highly desirable given the ever-increasing importance of data in marketing and advertising that the CAP Code is consistent with and complements GDPR.
ON THE HORIZON
Further changes are expected in future months. As we reported in September (see here), in light of GDPR, CAP has been considering changes to the requirement to announce details of prize promotion winners (Rule 8.28.5 of the CAP Code). The ASA is not currently enforcing Rule 8.28.5, and has now opened a further consultation on this issue as well as the subject of using data in marketing to children which will close on 7 December 2018 (see here). As per our previous article, and given the changes that have already been announced following the implementation of the GDPR, it seems likely that the requirement to publish names of prize winners will not be reinstated following the conclusion of the consultation. In addition, those interested in data aspects of direct marketing may wish to respond to the ICO’s consultation on its Direct Marketing Code (see here); the closing date for that one is 24 December 2018.