New CAP Code rules on the use of data for marketing
How have the Committee of Advertising Practice’s (CAP) rules on the use of data for marketing changed as a result of the General Data Protection Regulation (GDPR)?
The Advertising Standards Agency (ASA) previously regulated data protection issues under Section 10 (Database practice) and Appendix 3 (Online behavioural advertising) of the CAP Code. Section 10 regulated the general use of data for direct marketing, while Appendix 3 ensured that data based on the browsing behaviour of web users was collected and used in a controlled and transparent manner. Following the introduction of GDPR, CAP carried out a public consultation on the use of data for marketing.
As a result of the consultation, the CAP Code rules on the use of data for marketing purposes have been amended and new rules have been introduced.
Narrowing CAP’s remit
Section 10 has been updated to clarify that the ASA will now only regulate data protection issues specifically related to marketing (to avoid encroaching on the remit of the Information Commissioner’s Office (ICO), who is better placed to deal with wider data protection matters). As such, “pure data protection matters” now fall outside of the ASA’s remit (these matters are widely interpreted to include any matters that replicate GDPR provisions, for example, data security and transfers of data outside the EEA, or matters where the interpretation of GDPR is unclear).
The ASA maintains the power to refer marketing data matters to the ICO where necessary. The ASA and CAP will also be advised by an independent expert panel (the Direct Marketing Commission - an independent industry watchdog) when “legitimate interests” is being used as the basis for processing data in marketing cases.
Removal of Appendix 3 from the Code
Appendix 3 has been removed from the Code and, going forward, online behavioural advertising will be regulated under Section 10.
Alignment with GDPR
The updated Section 10 rules now reflect key GDPR definitions and requirements in that they:
- include key definitions, such as consent, controllers and personal data
- clarify that others involved in sending marketing communications (ie data processors), such as marketing agencies or service suppliers, are responsible for compliance with data use rules (alongside data controllers)
- prohibit persistent and unwanted marketing communications (Rule 10.1)
- mirror Article 13 and 14 fair processing notice requirements to ensure proper transparency in data collection (Rules 10.2 and 10.3)
- allow personal data to only be further processed for reasons that are compatible with the original purpose for obtaining the data (Rule 10.4)
- mirror GDPR requirements that consent must be given before marketing data is processed (Rules 10.6 to 10.8 and 10.12)
- mirror GDPR requirements that marketers must have a legitimate interest to process customer data where they do not have prior consent (Rule 10.5)
- include specific rules for special categories of data – such as personal data that reveals the racial / ethnic origin, political opinions or religious beliefs of a consumer (Rule 10.9)
- make clear that suppression records should be kept to ensure that marketing communications are not sent to individuals who have asked not to receive them (Rule 10.10)
- require marketers to make reasonable efforts to avoid marketing to consumers that they know to be deceased (Rule 10.11), and
- clarify that consent is not required for corporate subscribers (Rule 10.14).
The new rules, contained in Section 10, are already in force. However, they are subject to a 12-month review, and the ASA accepts that for the first six months it is likely to deal with most matters informally (unless a formal ruling is required in the interests of the public or a particular sector).
These new rules are likely to be revised further in the near future, as CAP has launched a separate consultation specifically related to data for marketing in respect of children and prize winners (CAP is yet to publish the outcome of this consultation) and has also confirmed that it will reconsider the new rules once the new Regulation on Privacy and Electronic Communications (the ePrivacy Regulation) is implemented.
Why is this important?
Businesses should by now be fairly comfortable with the new data rules for marketing, as the changes broadly reflect the general requirements under GDPR. While the ASA has suggested that it will deal with matters informally for six months, marketers should not think that the ASA is taking its self-regulation duties lightly. Data protection has been marked as being high on the ASA’s agenda and the ASA has purposefully maintained the power to refer matters to the ICO, who may then impose harsh penalties for non-compliance.
Any practical tips?
Marketers should ensure that they are familiar with the new Section 10 rules and other data protection legislation generally. Marketers should ensure that they have appropriate systems and procedures in place to collect data in a transparent manner, and to properly obtain consent (potentially by implementing an opt-in rather than an opt-out system) or have a legitimate interest in using the personal data of the relevant consumers. In so far as possible, marketers should also consider the type of consumer whose data they wish to deal with – ie have people in the distribution list asked not to be included in marketing communications, are they known to be deceased, or does their data fall into a special category for the purposes of the relevant communication? If so, marketers should consider the additional Code rules which may restrict the use of personal data in those particular circumstances.