Head of Data, Privacy & Information Security | Commercial | Private Equity
In December 2022 the Information Commissioner's Office (ICO) published its new guidance on direct marketing, which supplements the Direct Marketing Code (DMC) that was issued in 2020. Whilst the DMC has not yet been finalised, both this and the new guidance provide organisations with information on what steps they should take to ensure compliance with the rules around direct marketing, including targeted advertising.
In this article, we provide a brief overview of the key considerations to bear in mind when carrying out targeted advertising practices, based on the new guidance and the DMC.
In short, targeted advertising is a technique whereby content is selectively delivered by an organisation to an individual (data subject) to maximise the impact and revenue generation of that content. For example, if a product is targeted at those of retirement age, there is no benefit for the business or brand to target an advert to individuals in their twenties.
The process of selecting the relevant individuals to serve advertisements to is known as "profiling" and can take many forms, such as:
Since profiling typically involves the processing of vast amounts of personal data in a way which is not usually visible to data subjects, targeted advertising is generally seen as a more risky practice in terms of privacy. Data protection laws must therefore be observed closely when engaging in such activities.
Make sure data subjects are aware of how you will use their personal data (e.g. via a pop-up that details what cookies the organisation wishes to deploy and for what purposes) and ensure that all relevant policies (e.g. privacy and cookies policy) are updated to clearly reflect this.
Ensure that a clear legal basis is identified for the processing of the relevant personal data – in the context of targeted advertising this will likely be:
Processing special category data, such as data relating to health or sexual orientation, for the purposes of profiling or targeted advertising is very likely to require explicit consent.
Soft opt-in only applies when the products or services being advertised are sufficiently similar to those bought by the relevant individual. If the products being marketed are not similar, then it will not be possible to rely on the soft opt-in exception.
In the UK, targeted advertising is regulated by the UK General Data Protection Regulation (UK GDPR), in respect of the personal data used in order to carry out the practice, and the Privacy and Electronic Communications Regulations (PECR), which regulate direct marketing by electronic means.
PECR makes it clear that express consent is required from data subjects in order to (i) deploy certain cookies to collect data about them; and (ii) send them any form of electronic marketing (which would include targeted advertising).
The exception to this rule is often referred to as the "soft opt-in" and allows organisations to send marketing emails or texts (without the need to obtain consent) to their customers, provided certain criteria are met. The soft opt-in rule is based on the assumption that your existing customers will likely want to receive marketing about products or services that are similar to those they have already purchased or expressed an interest in. Whilst this is a helpful workaround for organisations, it is important to remember there are three key factors that must be satisfied:
Importantly, irrespective of how consent for direct marketing is obtained, individuals must have the ability to withdraw that consent at any time. This is often addressed through an "unsubscribe" link in the relevant marketing communication. This is in addition to the transparency obligations imposed by the UK GDPR, which requires links to cookie and privacy policies to be provided to recipients of direct marketing, to inform them of the way in which their data will be processed.
It is also worth noting that if a targeted advertising campaign falls foul of the rules set out under the UK GDPR and/or PECR, the relevant organisation will also likely be in breach of the UK Code of Non-broadcast Advertising and Direct & Promotional Marketing (CAP Code) (which itself requires an advertiser to comply with the requirements of UK GDPR and PECR).