In the wake of the GDPR, the UK’s Committee of Advertising Practice has amended the CAP Code to introduce new rules on the use of data for marketing. It has also launched a consultation on potential further rule changes relating to child marketing data and prize winners.
As discussed in a recent blog post (see here), CAP has been considering its future regulation relating to use of data in marketing and advertising, following the entry into force of the GDPR. As such, in May 2018, CAP suspended existing Code rules regulating data protection issues (Section 10 – Database practice; and Appendix 3 – Online behavioural advertising), and initiated a Consultation on the collection and use of data for marketing.
In its Regulatory Statement on the new rules (see here), CAP identified the following aspects of the GDPR as being particularly relevant to advertising rules:
- a new definition of personal data;
- a more detailed definition of consent;
- stricter requirements for offering online services to under 16s;
- reference to direct marketing as a “legitimate interest” for processing data; and
- (related to that) a right to object to processing for the purposes of direct marketing carried out on the basis of a “legitimate interest”.
The rule changes cover three key data protection issues:
- Removing rules on “pure data protection matters”
Although CAP considers that responsible data processing is an “intrinsic part of marketing, especially in a digital age”, CAP has decided to remove the rules on pure data protection matters (for example, data security and transfers of data outside the EEA) on the basis these rules are “unlikely to attract an expectation of regulation by the UK’s advertising regulator”. This conclusion is supported by the fact the ASA receives a low level of complaints on such matters, with complainants much more likely to address their grievances to the UK’s data protection regulator the ICO. The removal of ASA jurisdiction in this area is to be welcomed – as Consultation respondents had noted, there is otherwise the potential for uncertainty arising from having two different regimes regulating this area.
- Amending Section 10 (Database Practice) of the CAP Code to comply with the GDPR
The amendments to Section 10 reflect and align with the GDPR, for example reflecting key GDPR definitions and mirroring the Article 13 and 14 fair processing notice requirements. They also include confirmation around responsibility for compliance with data rules (while marketers are likely to be data controllers and so primarily responsible, others involved in sending marketing communications are also responsible – agencies beware!). In addition, there is a new rule requiring marketers to do everything reasonable to ensure anyone notified to them as dead is not contacted again.
- Removing Appendix 3 (Online behavioural advertising) of the CAP Code
This Section is removed and online behavioural advertising is instead addressed under the general marketing-related data protection rules set out in Section 10.