You would expect both brands and those working with data within the direct marketing (DM) industry to be among the first to voice their concerns when, on 8th January 2020, the ICO published its highly controversial consultation on the draft Direct Marketing Code of Practice.
Who would blame anyone (including the ICO) for taking a cynical view of their pleas that it has the potential to cause mass disruption to the industry - and UK plc - at a time when many have just found their feet following EU GDPR and the Data Protection Act 2018 (DPA 2018)? At the very least (and there’s plenty more to consider), the proposed changes to the obligation to inform, greater restriction around the reliance on legitimate interest, and to the combining of data will most likely affect a business’s ability to compete. Furthermore, it will be highly disruptive for data subjects, both consumer and business.
While the ICO has worked to understand the complexities of DM, it is reasonable to think that its view is biased towards its majority stakeholders - complainers. We know beyond doubt that in our space, despite large-scale data processing, publicity about the regulatory change, and a general increase in public awareness around data protection rights, consumer complaints have actually decreased since May 2018.
It is for this reason that I am calling on senior figures within large organisations and industry bodies to voice their reservations before the deadline for feedback closes on 4th March. Share your views with the ICO and provide balance to its perspective.
If we don’t, the marketing landscape for UK businesses will, in all likelihood, transform into an environment that is far more restrictive than the GDPR permits, Regulations which industry and commerce have moved heaven and earth to comply with.
It is hard to understand the need to increase restriction
To offer two examples referred to in the proposed Code of Conduct: a mobile network operator will find themselves in the absurd situation of being able to notify customers who are reaching their monthly data limit. However, if the message also encourages the customer to take up a special offer to buy more data, then it would be perceived as a piece of DM.
Similarly, if a GP sends an SMS stating, “Our flu clinic is now open. If you would like a flu vaccination, please call the surgery on 12345678 to make an appointment,” this, too, would be likely to be considered DM.
If left unchallenged and unchanged, this crazy situation could become a reality and it would be far from ideal for organisations - and crucially the public - who have come to expect a certain level of service, experience and journey. It is hard to understand the need to increase restriction given the extensive consultation between 2016 and 2018 prior to the introduction of GDPR and the DPA 2018.
There is significant evidence indicating that the interpretations that were formed during that period, shared with the ICO, and have been widely practiced since, are meeting the expectations of data subjects as evidenced by the reduced levels of complaint. Furthermore, those that have fallen foul of the new regulation have not come from DM activity, with the largest fines to date being levied for mass data breaches, the control of which I believe was the GDPR’s greatest mandate.
There will always be those willing to take the risk
It is true that within the context of GDPR, legitimate interests initially created a grey area. However, in my experience people are particularly cautious and risk averse (especially those in the DM industry) when using legitimate interest as a lawful basis for processing personal data. Of course, there will always be those willing to take the risk, walk the line between being on the right and wrong side of the law, as well as those flagrantly breaking it and that won’t change no matter how restrictive the rules are.
At a time when businesses continue to be in a state of flux and feelings of uncertainty over future trading relationships with Europe in the wake of Brexit are high on the corporate agenda, why force through unnecessary changes now on an industry that has accepted and embraced new ways of marketing? Especially when the UK Government has been so explicit in its desire for UK plc to become as competitive as possible on the world stage.
This new draft code will inevitably make it harder for small- and medium-sized businesses to compete and, in the process, deliver even greater power to the likes of Google and Facebook.
The ICO performs an essential and important role, but it must also provide clear interpretation of regulation and deliver clarity through its codes of practice.
To this end, we would support close collaboration between industry bodies and the regulator to develop industry-specific guidance that is balanced, relevant, contextual and specific. This approach would promote greater clarity and certainty and ultimately compliance to a much higher standard.
To provide feedback to the ICO’s Direct Marketing Code Consultation Team visit here by 4th March.