ICO consultation on a direct marketing code of practice: response from the Fundraising Regulator

In December 2018, we responded to a consultation hosted by the Information Commissioner's Office (ICO) on a direct marketing code of practice.

Our response

The Fundraising Regulator’s commitment to working with the ICO is set out in our joint Memorandum of Understanding

General comments on this consultation

The Fundraising Regulator worked closely with the ICO in the run up to the General Data Protection Regulation (GDPR) deadline to make sure that fundraising practices that involve processing personal data are consistent with what the law requires. This included a GDPR event for fundraisers in February 2017, work to ensure that the Code of Fundraising Practice accurately reflects the changes in the law and getting the ICO’s views on GDPR guidance we developed for fundraisers with the Institute of Fundraising. 

This collaboration with the ICO has helped ensure that messages to the sector on data protection remains consistent and clear. However, the complexity of the regulations in some areas means the potential for misinterpretation of the rules by some charities remains high. We welcome continued close working on any new guidance that the ICO develops to minimise the risk of uncertainty and confusion for fundraisers. This includes consideration of how the direct marketing code once developed can work alongside the Code of Fundraising Practice.

In the absence of case law, the Fundraising Regulator follows the ICO’s lead as the primary statutory regulator for data protection. With this in mind, we welcome and support the ICO’s consultation on a Direct Marketing Code of Practice as a practical piece of guidance to help clarify and contextualise the law for direct marketers. 

In its 2016 Direct Marketing guidance, the ICO made it clear that the promotion of charitable aims and objectives is likely to be interpreted as direct marketing in law. The code will serve as an important tool in ensuring that the responsibility of charities to support their beneficiaries through fundraising strikes the right balance with the rights of individuals over their personal data. 

We appreciate that development of the code is likely to be an iterative process and that how the code is communicated is likely to be as important to its success as what it contains. With this in mind, the Fundraising Regulator would appreciate close collaboration with the ICO as the code develops to ensure messages are filtered through effectively and in as timely a way as possible to the charities we regulate. It would be particularly useful to coordinate our communications processes on this and consider opportunities for us to work together to promote the code across our networks once it is developed.

Consultation questions response

The code will address the changes in data protection legislation and the implications for direct marketing. What changes to the data protection legislation do you think we should focus on in the direct marketing code?

We worked closely with the ICO in the run up to the GDPR deadline to ensure that our Code of Fundraising Practice accurately reflects the law. Section 5.0 of this code, which incorporates ICO’s feedback, sets out the areas of GDPR consider to be of most relevance to charitable fundraisers, and those which we consider to be the primary areas that the Direct Marketing Code should focus on for fundraisers. These include the implications of GDPR and the Data Protection Act 2018 for:

  • Processing personal data and database practices (including storage of personal data)
  • Sharing, screening and selling personal data
  • Consent and legitimate interest as key bases for direct marketing, and where the soft-opt in / may be applicable 
  • Dealing with requests from individuals to enact their rights over their personal data 
  • Other governance duties, including: 
    • Paying the ICO’s fee
    • reviewing and approving internal policies 
    • Documenting activity
    • Keeping records of data processing 
    • Undertaking data protection impact assessments where necessary
    • Data security and international data transfers
    • Informing ICO (and in some cases, the individual) of data breaches where these are likely to harm the individual’s rights and freedoms. 

Apart from the recent changes to data protection legislation are there other developments that are having an impact on your organisation’s direct marketing practices that you think we should address in the code?

We have heard the data processing activities of some of the larger digital platforms and social media sites is causing some confusion and concern for charities, for example what is considered to be direct marketing in an online context and the extent to which charities are responsible for personal data gathered by such sites and shared with the charity. 

It would be useful to clarify any direct marketing issues that charities (and other organisations) may need to bear in mind when working with these platforms and new technologies that may affect the way data is processed for direct marketing purposes. In relation to this, additional clarification would be helpful regarding where a third party data processing relationship and the responsibilities associated with it begins and ends for organisations like charities. 

We have also heard that the potential impact of ePrivacy Regulation (ePR) on the ability for fundraisers to make live phone calls under legitimate interest is causing significant concern and clarity on this point would be welcomed at the earliest opportunity.

We are planning to produce the code before the draft ePrivacy Regulation (ePR) is agreed. We will then produce a revised code once the ePR becomes law. Do you agree with this approach?

There is a need for interim direct marketing guidance that covers the new data protection legislation, but the value of a draft code will depend on:

  • the length of time between the draft code being published and ePR becoming law; and 
  • the number and extent of changes in the final version.

In our view, if the gap between publication of the draft code and ePR is likely to be two years or less, and if revisions as a result of ePR are likely to be significant, the ICO should carefully consider the value of a draft code. This is because in our experience, it takes time for messages to filter through to influence smaller charities’ practices, and rapid development in advice can cause more confusion than clarity. Additionally, organisations may take a “wait and see” approach to a draft code if there is an expectation that the final version will differ significantly. 

If the interim period is likely to be short and the revisions significant, shorter, less formal guidance pieces about the requirements of GDPR on direct marketing and the likely impact of ePR on practice could serve to prepare the sector in the interim for how their practices need to change. 

Do you have any suggestions on how we should structure the direct marketing code?

The order in which legal bases for undertaking direct marketing appear and the extent to which they are covered in the guidance should be given careful consideration. The 2016 Direct Marketing Guidance inadvertently puts a heavy emphasis on consent as a basis for contact both in the order in which it appears and the amount of space devoted to guidance on it. This has confused some charities, as they assumed the weight given to explaining consent meant that it was the ICO’s “preferable” basis for direct marketing.  

The code should be presented in a way that gives equal weight to all of the legal bases relevant to direct marketing. It should also (as was helpfully clarified in the ICO consent guidance) emphasise that consent will be appropriate in some circumstances and not others, and that the appropriateness of legitimate interest should also be considered. 

Please provide details of any case studies or marketing scenarios that you would like to see included in the direct marketing code.

The Fundraising Regulator has worked with the Institute of Fundraising to identify marketing scenarios which charities find particularly challenging. The ICO helpfully provided feedback on the resulting six-part GDPR guidance, which focused on different areas of fundraising and also carried the ICO’s logo. 

In particular, case studies may be useful exploring the following scenarios:

  • The difference between a “soft opt in” relationship and a non-commercial relationship in charity membership terms. For example, there is a distinction between a charity that sells a membership on the basis of receiving entry to a national park (where the soft opt-in could apply) and one which asks you to sign up to be a “supporter” with the aim of sending you a free monthly newsletter (where the soft opt-in wouldn’t apply).
  • Where direct marketing communication with a “commercial subscriber” may be appropriate and where it may not be.
  • Where legitimate interest might be an appropriate basis for sharing an individual’s direct marketing data with a third party and where it may not be.

Do you have any other suggestions for the direct marketing code?

In our view, case studies should be carefully emphasised in the code as a tool to identify factors for consideration in an organisation’s own decision-making rather than illustrations of the “right” way to proceed in all cases. The latter was an assumption that arose with some of the case studies in the 2016 Direct Marketing Guidance. As a result, some charities erroneously assumed that they needed to follow the case study actions to the letter rather than consider their own context.