In considering complaints under these rules, the ASA will have regard to Regulation (EU) 2016/679 (the General Data Protection Regulation, “GDPR”) and the Data Protection Act 2018 in the case of personal data, and the Privacy and Electronic Communications (EC Directive) Regulations 2003 in the case of activities relating to electronic communications. Marketers must comply with this legislation and guidance is available from the Information Commissioner's Office. Although the legislation has a wide application, these rules relate only to data used for direct marketing purposes. The rules should be observed in conjunction with the legislation, and do not replace it: in the event of doubt, marketers are urged to seek legal advice.
Responsibility for complying with the rules on the use of personal data rests primarily with marketers who are controllers of personal data. Others involved in sending marketing communications (for example, agencies or service suppliers) also have a responsibility to comply.
These rules do not seek to cover all circumstances. Other narrow grounds for processing or limited exemptions set out in the GDPR may be available to marketers, but if a marketer wishes to rely on them it would need to be able readily to explain how they are applicable.
“Consent” is any freely given, specific, informed and unambiguous indication of a consumer's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
A “controller” is any person or organisation that, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Electronic mail” in this section encompasses text, voice, sounds or image message, including e-mail, Short Message Service (SMS), Multimedia Messaging Service (MMS).
“Personal data” is any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
A "preference service" is a service that, to reduce unsolicited contact, enables consumers and businesses to have their names and contact details in the UK removed from or added to lists that are used by the direct marketing industry.
“Special categories” of personal data means: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; and genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
Marketers must not make persistent and unwanted marketing communications by telephone, fax, mail, e-mail or other remote media.
At the time of collecting consumers’ personal data from them, marketers must provide consumers with the following information (in, for example, a privacy notice), unless the consumer already has it:
the identity and the contact details of the marketer or the marketer's representative
the contact details of the data protection officer of the marketer, where applicable
the purposes for which the collection of the personal data are intended and the legal basis for collection
the legitimate interests of the marketer or third party, where processing is based on these interests (see rule 10.5)
the recipients or categories of recipients of the personal data, if any
where applicable, that the marketer intends to transfer personal data to a recipient in a third country or international organisation. If so, marketers must refer to the existence or absence of an adequacy decision by the European Commission, or to the appropriate or suitable safeguards or binding corporate rules referred to in Article 46 or 47 of the GDPR, or to the compelling legitimate interests under the second subparagraph of Article 49(1) GDPR, and the means to obtain a copy of the transfer mechanisms relied on or where they have been made available
the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period
the existence of the right to request from the marketer access to and rectification or erasure of personal data or restriction of processing concerning the consumer or to object to processing as well as the right to data portability
if relying on consent as the legal basis, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal
the right to lodge a complaint with a data protection supervisory authority
whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the consumer is obliged to provide the personal data and of the possible consequences of failure to provide such data
the existence of automated decision-making, including profiling producing legal or similarly significant effects on consumers, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the consumer.
Where marketers have obtained consumers’ personal data from other sources (for example, third party list providers), they must provide consumers with the information listed in rule 10.2 (in, for example, a privacy notice), unless the consumer already has it, in compliance with at least one of these three options: (i) within a reasonable period, at the latest within one month after obtaining the personal data; or (ii) if the data are to be used for communication with the consumer, at the latest at the time of the first communication with the consumer; or (iii) where a disclosure to another recipient is envisaged, no later than when the personal data is first disclosed. In such cases, marketers must also provide, within the same timeframes, information on the categories of personal data concerned, the source from which the personal information originates, and if applicable, whether it came from publicly accessible sources, but a marketer does not need to provide the information in rule 10.2.11 above.
In all cases where marketers intend to further process personal data for a purpose other than that for which it was obtained and referred to (for example, in the original privacy notice), they must ensure that the new purpose is not incompatible with the original purpose, and provide consumers with information (in, for example, a further privacy notice) on that other purpose before processing it.
Marketers must either obtain prior consent (see Definitions) from consumers before processing their personal data to send marketing communications, or be in a position to demonstrate that the processing is necessary for the purposes of their or a third party’s legitimate interests. The legitimate interests provision does not apply where such interests are overridden by the interests or fundamental rights and freedoms of the consumer which require protection of personal data, in particular where the consumer is a child; and it does not provide a basis for processing personal data to send marketing communications by electronic mail (although, see rule 10.6 below).
Marketers must have obtained consent before using contact details to send marketing communications to consumers by electronic mail, unless (i) the communications are for the marketer’s similar products and services, (ii) the contact details have been obtained during, or in negotiations for, a sale; and (iii) marketers tell those consumers that they may opt out of receiving future marketing communications, both when they collect their contact details and on every subsequent occasion they send marketing communications to them. Marketers must give consumers a simple means to opt out. Certain organisations cannot rely on this exception from consent – charities, political parties and not-for-profits where there is no sale or negotiation for a sale. This rule does not apply where the consumer is a corporate subscriber: see rule 10.14 below.
Marketing communications sent by electronic mail (but not those sent by Bluetooth technology) must contain the marketer's full name (or, in the case of SMS messages, a recognisable abbreviation) and a valid address; for example, an e-mail address or an SMS short code to which recipients can send opt-out requests.
Fax and non-live-sound automated-call marketing communications must contain the marketer's full name and a valid address or freephone number to which recipients can send opt-out requests.
Marketers must obtain explicit consent before processing special categories (see Definitions) of personal data, unless the data has already manifestly been made public by the consumer and the use of it was fair and within the reasonable expectations of the consumer.
Consumers are entitled to have their personal data suppressed so that they do not receive marketing. Marketers must ensure that, before use, databases have been run against relevant suppression files within a suitable period. Marketers must hold limited information, for suppression purposes only, to ensure that no other marketing communications are sent to those consumers as a result of information about those consumers being reobtained through a third party.
Marketers must do everything reasonable to ensure that anyone who has been notified to them as dead is not contacted again and the notifier is referred to the relevant preference service.
When relying on consent as the basis for processing personal data, marketers must inform consumers that they have the right to withdraw their consent, at any time. Marketers must ensure that it is as easy for consumers to withdraw consent as it was to give consent.
When relying on legitimate interests as the basis for processing personal data, marketers must stop such processing if the consumer objects. Marketers must explicitly inform consumers, clearly and separately from any other information, of their right to object no later than the time of their first communication with the consumer.
Consent is not required when marketing business products by fax or by electronic mail to corporate subscribers (see III j), including to their named employees. Marketers must nevertheless comply with rule 10.10 and offer opt-outs in line with rules 10.6 and 10.7.
Marketers must comply with rule 10.5 when processing the personal data of children. Where marketers process the personal data of children under 13 in relation to an offer of online services on the basis of consent, they must obtain the verifiable consent of the child’s parent or guardian. Where marketers process the personal data of children under 13 for other marketing purposes (in other words, not in relation to an offer of online services) on the basis of consent, marketers must obtain the verifiable consent of the child’s parent or guardian, unless they can demonstrate compelling reasons for relying on the child’s consent and that they have had particular regard to the child’s privacy rights.
Please see Section 5: Children
When collecting personal data from a child, marketers must ensure that the information provided in Rule 10.2 is readily intelligible to a child (or their parents if relying on Rule 10.15).
Marketers should avoid using the personal data of a child to create personality or user profiles, especially in the context of automated decision-making that produces legal effects or similarly significantly affects a child.