The Committee of Advertising Practice ('CAP') has published a consultation paper proposing to amend its rules relating to data protection in light of the General Data Protection Regulation ('GDPR'). The GDPR is the new legal framework of data protection law across the EU, which comes into force on 25 May 2018, replacing the UK's Data Protection Act 1998.
CAP rules on Data Protection
Some of CAP's existing rules regulate issues relating to data protection. Section 10 regulates the use of data for direct marketing generally, and Appendix 3 regulates the use of web-viewing behaviour data to serve online display advertising ('online behavioural advertising' or 'OBA').
CAP's proposal seeks to better establish what matters should in fact be governed by CAP and what matters should be left to the expertise of the Information Commissioner's Office ('ICO'), whose role it will be to enforce the GDPR in the UK. As such, the consultation puts forward a number of proposals for:
- removing section 10 rules relating to "pure data protection matters" which should be regulated by the GDPR and ICO;
- amending the surviving "marketing-related" section 10 rules (and definitions) to ensure that they are aligned with the GDPR; and
- removing Appendix 3 on online behavioural advertising, consolidating all rules in respect of data protection within the new section 10 rules.
What do the existing rules in section 10 cover?
CAP's existing section 10 rules on Data Practice cover:
- the storage and transfer of data;
- access to data;
- the consent required to send marketing communications; and
- the information that must be included in marketing communications.
So what's new?
As of 25 May 2018, anyone controlling or processing personal data will have to comply with the GDPR. CAP's proposed amendments take steps to align its rules with those of the GDPR. Therefore, a number of definitions have been included within the rules to reflect the GDPR meanings. These include the definitions of "consent", "personal data", "marketers", "controllers" and "special categories" of personal data. Marketers should review these definitions carefully to understand what rules will apply to the activities they are carrying out.
Some of the proposed rules identify the (extensive amount of) information that must be provided to the consumer when you collect their personal data. This includes the identity and contact details for the marketer, the purpose of collecting the data, the lawful basis for processing the data (e.g. consent or 'legitimate interests'), and the period for which the data will be held, among others.
The GDPR also provides consumers with a number of rights in respect of how you handle their data. These are also reflected in the proposed rules providing additional obligations on you as a marketer, including that:
- marketers must obtain explicit consent before processing special categories of personal data (e.g. data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, etc.);
- consumers have the right to withdraw their consent at any time if this is the lawful basis on which you are processing their data, and consumers may object to you processing their data on 'legitimate interests' grounds;
- marketers must not knowingly collect personal data from children under 12 for marketing purposes without obtaining verifiable consent of the child's parent or guardian; and
- when collecting personal data from any child, marketers must ensure that the information to be provided to the consumer (as set out in proposed rule 10.2) is intelligible to a child.
There are a number of existing rules which will remain but are nonetheless worth mentioning:
- marketers must not make persistent and unwanted communications by telephone, fax, mail, e-mail or other remote media;
- consumers are entitled to have their personal data suppressed so that they do not receive marketing; and
- marketers must do everything reasonable to ensure that anyone who has been notified to them as dead is not contacted again.
A number of existing rules have also been removed to acknowledge that certain aspects of data protection should be solely regulated by the GDPR and ICO, as such matters are not within the Advertising Standards Authority's ('ASA') area of expertise. These include the rules in respect of access to data, data security and data transfers outside of the European Economic Area. Of course, marketers will still have to comply with the rules covering these areas as required by the GDPR, but it will not be the ASA assessing whether you are compliant.
With the GDPR coming into force on 25 May 2018, marketers should make sure they are GDPR compliant as soon as possible. The consultation on CAP's own rules will close on 19 June 2018 and CAP will announce when it intends for its new rules to be enforced.
During the period between the GDPR's entry into force and CAP adopting their new rules, the ASA will not administer the existing rules on direct marketing, but will make advertisers aware of any relevant complaints against them, and of the need to comply with GDPR.
You can access a copy of CAP's consultation paper here.
For more information on this topic, please contact Sonal Patel Oliva, David Bond or your usual contact within Fieldfisher's Brand Development Team.
Co-authored by Alex Harbin.