Note: This advice is given by the CAP Executive about non-broadcast advertising. It does not constitute legal advice. It does not bind CAP, CAP advisory panels or the Advertising Standards Authority.


The ASA enforces rules on the use of personal data and the practice of data collection by marketers.

This article explains how the rules apply and answers the following questions:

Does the ASA enforce data protection laws?

The ASA does not enforce data protection laws, but it does enforce the CAP Code rules on the use of personal data for marketing purposes. These rules are stated in Section 10 (Use of data for marketing).

Advertisers must comply with these Code rules as well as the separate legal frameworks that apply to marketers’ use of consumer data. The Information Commissioner’s Office (ICO) is responsible for enforcing data laws. These laws include:

  • Regulation (EU) 2016/679 (the General Data Protection Regulation, “GDPR”)
  • the Data Protection Act 2018
  • the Privacy and Electronic Communications (EC Directive) Regulations 2003

So, the ASA does not enforce laws such as GDPR, and CAP cannot advise on these. But the rules in Section 10 of the Code cover many of the same principles, and are designed to complement these laws.

More information about the data laws can be found at ico.org.uk.

Who needs to follow the Code rules?

The CAP Code applies to all UK advertisers, and the rules in Section 10 apply to marketers that use personal data for direct marketing purposes.  

Our guidance on Remit: Country of origin explains the criteria for deciding whether an ad falls within the remit of the ASA or a regulator in another country.

Marketers who are the “data controller” (responsible for deciding how to process personal data) need to comply with these rules. Any third parties who send marketing communications on behalf of these marketers are also held responsible.

What do the Section 10 rules cover?

The rules in Section 10 tell marketers what they need to tell consumers, and how data should be collected. More specifically, the rules cover:

  • how data should be used once it is collected  (Code rules 10.1, 10.4, 10.10, and 10.11)
  • what information needs to be given to consumers, when collecting their data  (Code rules 10.2, 10.3 and 10.16)
  • what information needs to be given to consumers, in marketing communications (Code rules 10.7 and 10.8)
  • when marketers need consumers’ consent to use their data, using an ‘opt in’ mechanism (Code rules 10.5, 10.6, 10.9, 10.12, 10.14 and 10.15)
  • when marketers can rely on having a legal legitimate interest, so can use an ‘opt out’ mechanism (Code rules 10.5 and 10.13)
  • what additional requirements apply to 'special category' and children’s personal data (Code rules 10.9, 10.15, 10.16 and 10.17)

What else is in Section 10?

As well as the rules that marketers need to follow, Section 10 also contains some useful definitions of the following concepts:

  • “consent”
  • “controller”
  • “electronic mail”
  • “personal data”
  • “preference service”
  • “special categories”

These definitions help to understand how the rules apply in practice.

For example, with several exceptions that are explained in our advice on Data Protection: Consent, marketers need to have received the consumer’s “consent” before sending them marketing communications through “electronic mail”. So it is important for marketers to understand exactly what counts as “electronic mail”, as well as what counts as “consent”.

What other resources are available?

See our advice on Data protection: Consent and Data protection: Legitimate interests, for guidance on the requirements that apply when advertisers use personal data to send marketing communications through different media.

The following CAP News articles provide an explanation of some of the most important rules in this part of the Code:

Stay up to data: four key tips on using personal data for marketing

Using consumers’ data for marketing – Consent and legitimate interest
