Reflection of surrounding buildings on RPC's building.

ICO consults on new direct marketing code of practice

Published on 02 June 2020

What is new about the ICO’s proposed new Direct Marketing Code of Practice (the New Code)?

The key takeaway

The ICO states that it intends the New Code to apply to all processing of data for “direct marketing purposes”. This includes all processing activities that lead up to, enable or support the sending of direct marketing by an organisation or a third party. If the intention of the processing is direct marketing, it will be caught!  Examples the ICO has selected include: (i) collecting personal data to build a profile of an individual with the intention to target advertising at them; (ii) list brokering; (iii) data enrichment; and (iv) audience segmenting.

The background

As required by the Data Protection Act 2018, the New Code will supersede the ICO’s existing Direct Marketing Guidance. The public consultation on the New Code was launched on 8 January and ended on 4 March. The aim of the New Code is to provide practical guidance and promote good practice in respect of processing for direct marketing purposes in compliance with data protection and e-privacy rules. 

The development

Whilst we await the final version, here are a few of the key takeaways from the current draft: 

Sending direct marketing messages

The New Code reiterates that no matter which method is used for sending direct marketing messages, the GDPR will apply when personal data is processed. The New Code advises businesses to keep a “do not email or text” list (also known as a suppression list) of those who object or opt out of direct marketing.

Social media platforms

When using social media presence to target direct marketing at individuals or using the platform’s advertising services and technologies, the New Code stresses the need to be clear about what data is being used and why. 


The use of location-based marketing techniques must be transparent. People should also be told about the type of tracking. The New Code states that it will be difficult to demonstrate the legitimate interests requirement when using location-based marketing, as it is unlikely to be in people’s reasonable expectations that their location will be tracked in order to send them ads.

Service messages

Consent is not required where a company sends a service message to an individual (such as a telecommunications company texting an alert of 90% of monthly data usage). In determining what a service message is, factors such as tone and phraseology will be key.

Viral marketing “tell a friend campaigns”

The New Code states that viral marketing “tell a friend campaigns” are likely to breach the Privacy and Electronic Communications Regulations 2003 (PECR) as it is almost impossible to obtain valid consent, particularly as the instigating organisation: (a) has no direct contact with the ultimate recipients; (b) will not know what the referring individual has told their friends about the processing; and (c) will not be able to verify whether the friend provided GDPR standard consent. 

Providing notice for indirectly collected data

The ICO clarifies that where an organisation buys in data from a third party it can send out the privacy information alongside the marketing materials provided that: if applicable (a) valid consent has been obtained under PECR; and (b) the privacy information (required under Article 14, GDPR) is sent within one month of obtaining the data.

Publicly available information

An individual posting their details on social media is not an agreement to his/her content being analysed and for them to be profiled for direct marketing purposes. If an organisation collects publicly available personal data, as a controller it must still comply with the GDPR and PECR.

Why is this important?

Once adopted, the ICO says it will monitor compliance with the New Code through proactive audits. It has also said that direct marketers who do not follow the New Code will find it difficult to demonstrate that their processing complies with the GDPR or PECR.

Any practical tips?

Remember that all processing activities that lead up to, enable or support the sending of direct marketing will be caught by the New Code. Basically, if you’re thinking of collecting or using any data for any direct marketing activities, you are likely to need to follow the new guidance.