Targeted advertising: A legal overview

In December 2022 the Information Commissioner's Office (ICO) published its new guidance on direct marketing, which supplements the Direct Marketing Code (DMC) that was issued in 2020. Whilst the DMC has not yet been finalised, both this and the new guidance provide organisations with information on what steps they should take to ensure compliance with the rules around direct marketing, including targeted advertising.

In this article, we provide a brief overview of the key considerations to bear in mind when carrying out targeted advertising practices, based on the new guidance and the DMC.

Targeted Advertising Overview

In short, targeted advertising is a technique whereby content is selectively delivered by an organisation to an individual (data subject) to maximise the impact and revenue generation of that content. For example, if a product is targeted at those of retirement age, there is no benefit for the business or brand to target an advert to individuals in their twenties.  

The process of selecting the relevant individuals to serve advertisements to is known as "profiling" and can take many forms, such as:  

  • Segmentation of an organisation's customer base to allow them to treat individuals differently based on what the organisation already knows about them. For example, by segmenting customers into electric only, gas only and dual fuel to target them with specific advertising.
  • Profiling a data subject based on data collected over time about them, such as age, location or their preferences/interests. This includes what those individuals might have looked at on a website and their purchase history. Typically, cookies, online account information and search history information can be used to collect this data.
  • Profiling an organisation's customer base as a whole (rather than individually) to identify common characteristics and establish what its 'typical' customer 'looks like'. With this information, an organisation can look to target other potential customers that fit the profile of its 'typical' customer. An organisation may use social media platform analytics or advertising services (for example Facebook Custom Audiences) to identify other social media users that fit the criteria of the organisation's 'typical' customer and serve newsfeed advertising to them on social media.

Since profiling typically involves the processing of vast amounts of personal data in a way which is not usually visible to data subjects, targeted advertising is generally seen as a more risky practice in terms of privacy. Data protection laws must therefore be observed closely when engaging in such activities.

Practical points to consider before carrying out targeted advertising

Make sure data subjects are aware of how you will use their personal data (e.g. via a pop up that details what cookies the organisation wishes to deploy and for what purposes) and ensure that all relevant policies (e.g. privacy and cookies policy) are updated to clearly reflect this.

Ensure that a clear legal basis is identified for the processing of the relevant personal data – in the context of targeted advertising this will likely be:

  • Consent (individuals should be given a genuine choice about whether to agree to have their data used in this way).
  • Legitimate interests (in particular, if relying on soft opt-in – discussed below) – when relying on legitimate interests, it is sensible to conduct a “legitimate interests assessment”, in order to review and record the decision to rely on this as a legal basis.

Processing special category data, such as data relating to health or sexual orientation, for the purposes of profiling or targeted advertising is very likely to require explicit consent.

Individuals have rights in relation to their personal data, such as the right of access (e.g. a right to receive a copy of any profile which has been built about them), right of deletion, and the right to object. These rights must be made clear to individuals, often through a privacy policy, when collecting their personal data. Organisations should ensure they have processes in place to comply with personal data rights. Ways in which this can be done include giving individuals the opportunity to manage cookie settings in a preference centre should they wish to withdraw consent to certain/all cookie use.

Soft opt-in only applies when the products or services being advertised are sufficiently similar to those bought by the relevant individual. If the products being marketed are not similar, then it will not be possible to rely on the soft opt-in exception.

Consent for targeted advertising, and the soft opt-in

In the UK, targeted advertising is regulated by the UK General Data Protection Regulation (UK GDPR), in respect of the personal data used in order to carry out the practice, and the Privacy and Electronic Communications Regulations (PECR), which regulates direct marketing by electronic means.

PECR makes it clear that express consent is required from data subjects in order to (i) deploy certain cookies to collect data about them; and (ii) send them any form of electronic marketing (which would include targeted advertising).

The exception to this rule is often referred to as the "soft opt-in" and allows organisations to send marketing emails or texts (without the need to obtain consent) to their customers, provided certain criteria are met. The soft opt-in rule is based on the assumption that your existing customers will likely want to receive marketing about products or services that are similar to those they have already purchased or expressed an interest in. Whilst this is a helpful workaround for organisations, it is important to remember there are three key factors that must be satisfied:

  • The individual must be someone who has actually purchased a product or service from you, or who has expressed an interest in doing so.
  • The products or services being marketed must be similar to those which the individual has previously purchased/expressed an interest in.
  • The individual must be given the ability to opt-out of receiving such marketing – both at the time their data is initially collected and in every electronic marketing communication that is sent to that individual.

Importantly, irrespective of how consent for direct marketing is obtained, individuals must have the ability to withdraw that consent at any time. This is often addressed through an "unsubscribe" link in the relevant marketing communication. This is in addition to the transparency obligations imposed by the UK GDPR, which requires links to cookie and privacy policies to be provided to recipients of direct marketing, to inform them of the way in which their data will be processed.

It is also worth noting that if a targeted advertising campaign falls foul of the rules set out under the UK GDPR and/or PECR, the relevant organisation will also likely be in breach of the UK Code of Non-broadcast Advertising and Direct & Promotional Marketing (CAP Code) (which itself requires an advertiser to comply with the requirements of UK GDPR and PECR).
