In considering complaints under these rules, the ASA will have regard to Regulation (EU) 2016/679 (the General Data Protection Regulation, “GDPR”) and the Data Protection Act 2018 in the case of personal data, and the Privacy and Electronic Communications (EC Directive) Regulations 2003 in the case of activities relating to electronic communications. Marketers must comply with this legislation and guidance is available from the Information Commissioner's Office. Although the legislation has a wide application, these rules relate only to data used for direct marketing purposes. The rules should be observed in conjunction with the legislation, and do not replace it: in the event of doubt, marketers are urged to seek legal advice.
Responsibility for complying with the rules on the use of personal data rests primarily with marketers who are controllers of personal data. Others involved in sending marketing communications (for example, agencies or service suppliers) also have a responsibility to comply.
These rules do not seek to cover all circumstances. Other narrow grounds for processing or limited exemptions set out in the GDPR may be available to marketers, but if a marketer wishes to rely on them it would need to be able readily to explain how they are applicable.
“Consent” is any freely given, specific, informed and unambiguous indication of a consumer's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
A "controller" is any person or organisation that, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Electronic mail” in this section encompasses text, voice, sounds or image message, including e-mail, Short Message Service (SMS), Multimedia Messaging Service (MMS).
“Personal data” is any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
A "preference service" is a service that, to reduce unsolicited contact, enables consumers and businesses to have their names and contact details in the UK removed from or added to lists that are used by the direct marketing industry.
“Special categories” of personal data means: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; and genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
the identity and the contact details of the marketer or the marketer's representative
the contact details of the data protection officer of the marketer, where applicable
the purposes for which the collection of the personal data are intended and the legal basis for collection
the legitimate interests of the marketer or third party, where processing is based on these interests (see rule 10.5)
the recipients or categories of recipients of the personal data, if any
where applicable, that the marketer intends to transfer personal data to a recipient in a third country or international organisation. If so, marketers must refer to the existence or absence of an adequacy decision by the European Commission, or to the appropriate or suitable safeguards or binding corporate rules referred to in Article 46 or 47 of the GDPR, or to the compelling legitimate interests under the second subparagraph of Article 49(1) GDPR, and the means to obtain a copy of the transfer mechanisms relied on or where they have been made available
the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period
the existence of the right to request from the marketer access to and rectification or erasure of personal data or restriction of processing concerning the consumer or to object to processing as well as the right to data portability
if relying on consent as the legal basis, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal
the right to lodge a complaint with a data protection supervisory authority
whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the consumer is obliged to provide the personal data and of the possible consequences of failure to provide such data
the existence of automated decision-making, including profiling producing legal or similarly significant effects on consumers, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the consumer.
Marketers must not make persistent and unwanted marketing communications by telephone, fax, mail, e-mail or other remote media.
At the time of collecting consumers’ personal data from them, marketers must provide consumers with the following information (in, for example, a privacy notice), unless the consumer already has it:
Where marketers have obtained consumers’ personal data from other sources (for example, third party list providers), they must provide consumers with the information listed in rule 10.2 (in, for example, a privacy notice), unless the consumer already has it, in compliance with at least one of these three options: (i) within a reasonable period, at the latest within one month after obtaining the personal data; or (ii) if the data are to be used for communication with the consumer, at the latest at the time of the first communication with the consumer; or (iii) where a disclosure to another recipient is envisaged, no later than when the personal data is first disclosed. In such cases, marketers must also provide, within the same timeframes, information on the categories of personal data concerned, the source from which the personal information originates, and if applicable, whether it came from publicly accessible sources, but a marketer does not need to provide the information in rule 10.2.11 above.
In all cases where marketers intend to further process personal data for a purpose other than that for which it was obtained and referred to (for example, in the original privacy notice), they must ensure that the new purpose is not incompatible with the original purpose, and provide consumers with information (in, for example, a further privacy notice) on that other purpose before processing it.
marketing communications are suitable for those they target
marketing communications are not sent unsolicited to consumers if explicit consent is required (see rule 10.13)
anyone who has been notified to them as dead is not contacted again and the notifier is referred to the relevant preference service
marketing communications are not sent to consumers who have asked not to receive them (see rule 10.5) or, if relevant, who have not had the opportunity to object to receiving them (see rule 10.9.3). Those consumers should be identifiable
databases are accurate and up-to-date and that reasonable requests for corrections to personal information are effected within 60 days.
Marketers must either obtain prior consent (see Definitions) from consumers before processing their personal data to send marketing communications, or be in a position to demonstrate that the processing is necessary for the purposes of their or a third party’s legitimate interests. The legitimate interests provision does not apply where such interests are overridden by the interests or fundamental rights and freedoms of the consumer which require protection of personal data, in particular where the consumer is a child; and it does not provide a basis for processing personal data to send marketing communications by electronic mail (although, see rule 10.6 below).
Marketers must have obtained consent before using contact details to send marketing communications to consumers by electronic mail, unless (i) the communications are for the marketer’s similar products and services, (ii) the contact details have been obtained during, or in negotiations for, a sale; and (iii) marketers tell those consumers that they may opt out of receiving future marketing communications, both when they collect their contact details and on every subsequent occasion they send marketing communications to them. Marketers must give consumers a simple means to opt out. Certain organisations cannot rely on this exception from consent – charities, political parties and not-for-profits where there is no sale or negotiation for a sale. This rule does not apply where the consumer is a corporate subscriber: see rule 10.14 below.
Marketing communications sent by electronic mail (but not those sent by Bluetooth technology) must contain the marketer's full name (or, in the case of SMS messages, a recognisable abbreviation) and a valid address; for example, an e-mail address or a SMS short code to which recipients can send opt-out requests.
Fax and non-live-sound automated-call marketing communications must contain the marketer's full name and a valid address or freephone number to which recipients can send opt-out requests.
Marketers must obtain explicit consent before processing special categories (see Definitions) of personal data, unless the data has already manifestly been made public by the consumer and the use of it was fair and within the reasonable expectations of the consumer.
who is collecting it (and the representative for data protection queries, if different)
why it is being collected
if the marketer intends to disclose the information to third parties, including associated but legally separate companies, or put the information to a use significantly different from that for which it is being provided; if so, an opportunity to prevent that from happening must be given.
Consumers are entitled to have their personal data suppressed so that they do not receive marketing. Marketers must ensure that, before use, databases have been run against relevant suppression files within a suitable period. Marketers must hold limited information, for suppression purposes only, to ensure that no other marketing communications are sent to those consumers as a result of information about those consumers being reobtained through a third party.
Marketers must do everything reasonable to ensure that anyone who has been notified to them as dead is not contacted again and the notifier is referred to the relevant preference service.
When relying on consent as the basis for processing personal data, marketers must inform consumers that they have the right to withdraw their consent, at any time. Marketers must ensure that it is as easy for consumers to withdraw consent as it was to give consent.
the disclosure of personal information to third parties for direct marketing purposes
the use or disclosure of personal information for any purpose substantially different from that which consumers could reasonably have foreseen and to which they might have objected.
When relying on legitimate interests as the basis for processing personal data, marketers must stop such processing if the consumer objects. Marketers must explicitly inform consumers, clearly and separately from any other information, of their right to object no later than the time of their first communication with the consumer.
processing sensitive personal data, including information on racial or ethnic origin, political opinion or religious or other similar beliefs, trade union membership, physical or mental health, sex life, criminal record or allegation of criminal activity
sending marketing communications by fax
sending marketing communications by electronic mail (excluding by Bluetooth technology) but marketers may send unsolicited marketing about their similar products to those whose data they have obtained during, or in negotiations for, a sale. Data marketers must, however, tell those consumers they may opt out of receiving future marketing communications both when they collect the data and at every subsequent occasion they send out marketing communications. Marketers must give consumers a simple means to do so
sending non-live-sound marketing communications by automated calling systems.
Consent is not required when marketing business products by fax or by electronic mail to corporate subscribers (see III j), including to their named employees. Marketers must nevertheless comply with rule 10.10 and offer opt-outs in line with rules 10.6 and 10.7.
Marketers should avoid using the personal data of a child to create personality or user profiles especially in the context of automated decision-making that produces legal effects or similarly significantly affects a child.
Please see Section 5: Children
CAP is carrying out further consultation on this rule, and the ASA will have regard to the Data Protection Act 2018 when interpreting it.
Marketers must not knowingly collect from children under 12 personal information about those children for marketing purposes without first obtaining the consent of the child's parent or guardian.
When collecting personal data from a child, marketers must ensure that the information provided in Rule 10.2 is readily intelligible to a child (or their parents if relying on Rule 10.15).