New CAP Code updates on the use of personal data for marketing

Rosie O’Gorman | Trainee Solicitor | EY Law | +44 (0) 20 7783 0073

Following a public consultation which launched in May 2018, the Committee of Advertising Practice (CAP) has published changes to its rules on the use of personal data for direct marketing (the CAP Code). The changes are intended to ensure that the CAP Code addresses data protection issues that are most relevant to direct marketing and reflects the standards in the General Data Protection Regulation 2016 (GDPR). CAP identified the following features of the GDPR as the most relevant:
• The new definition of ‘personal data’ and the addition of concepts such as ‘online identifiers’
• The additional detail added to the definition of ‘consent’
• The more stringent rules regarding online services offered to children below the age of 16
• More detailed transparency requirements applied to those who process data
• The listing of direct marketing as a legitimate interest for processing personal data
• A data subject’s right to object to the processing of their personal data in regard to direct marketing undertaken as a ‘legitimate interest’

Primary responsibility for complying with the rules on the use of personal data rests with marketers who are also controllers of personal data. Agencies, service suppliers and other parties who are involved in sending marketing communications as data processors also have a responsibility to comply with the rules.

The changes to the CAP Code are as follows:

The removal of rules relating specifically to ‘pure data protection matters’
The CAP Code acknowledges that processing data in a responsible manner is an ‘intrinsic part of marketing, especially in the digital age’. Pure data protection matters (such as data security and transfer of data) have been deemed ‘unlikely to attract an expectation of regulation by the UK’s advertising regulator’, the Advertising Standards Authority (ASA), and have thus been removed from the Code. Matters of this nature will usually be lodged with the Information Commissioner’s Office (ICO) and so, following the removal of ASA jurisdiction, there will be just one regulator in this area.

The amendment of Section 10 to ensure GDPR compliance
Key GDPR definitions, transparency provisions, and the fair processing notice requirements in Articles 13 and 14 have been reflected in the amendments to Section 10 of the Code. There is an additional rule that states marketers must do everything reasonable to ensure that anybody who has been notified to them as dead is not contacted again. Other data rules from the GDPR, and the need for marketers to comply with them, are also included.

The removal of Appendix 3 (Online behavioural advertising) of the Code
This is now covered under the new Section 10.

The new Section 10 rules will take effect immediately and will be subject to a 12-month review. Issues that arise in the first six months of the rules taking effect will likely be dealt with informally by the ASA; however, the body reserves the right to deal formally with cases where it believes that a formal ruling is in the public’s and the sector’s interest, following consultation with the relevant bodies.

CAP is considering what guidance is required in support of the recent changes and we will provide updates when available.