This new Code came out for public consultation yesterday (8th January 2020). At just over 120 pages it is a lengthy piece of guidance but one with some extremely helpful practical examples. Anyone involved in direct marketing ought to really sit up and take notice because a number of common marketing practices are identified as being very difficult to square with legislation in this area. When I say legislation, the GDPR, Data Protection Act 2018 and the PECR (Privacy and Electronic Communications Regulations 2003) are potentially relevant. My recommendation is to read it in full.

I stress that this is a DRAFT Code and has not yet been approved by Parliament but these are some interesting snippets:

• In most cases it is unlikely that you will be able to make using an individual’s data for direct marketing purposes a condition of your service or buying your product.

• In most instances, buying additional contact details for your existing customers or supporters is likely to be unfair unless the individual has previously agreed to you having these extra contact details.

• You are unlikely to be able to justify tracing an individual in order to send direct marketing to their new address – such tracing takes away control from the individual to be able to choose not to tell you their new details.

• If you are planning to use cookies or similar technologies for direct marketing purposes you must provide clear and comprehensive information to the user about these and gain their consent (which must be to the GDPR standard).

• If the direct marketing has not been specifically requested, it is unsolicited and the PECR rules apply. This is true even if the customer has ‘opted in’ to receiving marketing in general from you.

• You cannot avoid the direct marketing rules by labelling your message as a survey or market research

• You must be able to justify that a message is a service message and not an attempt to promote or advertise for it to fall outside of the direct marketing definition. Care must be taken over the content and tone.

• Remember you do not automatically have an individual’s consent to process their personal data for direct marketing purposes just because you have a pre-existing relationship with them – for example because they are your customer, previously donated to your cause, or are one of your alumni.

• If you do not have the individual’s explicit consent you cannot process their special category data for direct marketing purposes.

• You cannot escape your GDPR and PECR obligations by asking existing customers or supporters to provide you with contact details for their friends and family to use for direct marketing purposes. In practice it is very difficult to comply with the GDPR when collecting details for direct marketing purposes in this way or to demonstrate your accountability.

• If you process an individual’s data to target them with advertising, merely omitting that individual’s name from the final marketing communication does not prevent the processing being for direct marketing purposes.

The new draft Code also sets out the position on business to business marketing more clearly than the existing Code, saying:

‘However, the GDPR does apply wherever you are processing personal data. This means if you can identify an individual either directly or indirectly, the GDPR applies, even if they are acting in a professional capacity. For example, you must comply with the GDPR if you have the name and number of a business contact on file or their email address identifies them (eg 

If you collect an individual’s contact details in their business capacity and you intend to send them direct marketing you must make them aware of this and have a lawful basis for the processing.’

This has always been my interpretation of the law but I have sometimes been challenged on it so it is good to see it stated so clearly!