Until 25 May 2018, regulation of data protection issues in relation to advertising was governed by Section 10 and Appendix 3 of the CAP Code (‘Code’). Section 10 regulated the use of data for direct marketing and could be split up into two broad categories:
- rules relating to ‘pure’ data protection matters; and
- rules relating to data protection issues with a marketing dimension.
The arrival of GDPR
GDPR provides Europe’s new framework for data protection laws and was designed to offer greater protection and rights to individuals. Once GDPR came into force on the 25 May 2018, CAP suspended Section 10 and Appendix 3 of the Code and launched a public consultation which looked at:
- removing the ‘pure’ data protection rules in section 10;
- amending the Section 10 rules that concerned marketing to ensure that they were GDPR compliant; and
- removing Appendix 3 and instead regulating those issues under Section 10 of the Code.
Following the consultation, CAP decided to implement the changes above, although some specific matters relating to children and prize-winners were reserved for further consultation at a later date.
How have these changes affected data protection in advertising?
First, any ‘pure’ data protection rules in Section 10 were removed. This was decided on the understanding that the UK’s adverting regulator, the Advertising Standards Authority (‘ASA’) should not itself be regulating important issues such as data security, transfer and access. Instead, it was deemed that such significant concerns relating to personal data ought to be regulated by the Information Commissioner’s Office (‘ICO’).
Secondly, the Section 10 rules relating to marketing were amended to be GDPR compliant. For example, the insertion of Rule 10.2 and 10.3, which deals with transparency about data collection, was brought in to reflect Articles 13 and 14, as well as taking into account Recitals 39, 58 and 61, of GDPR. Similarly Rules 10.5, 10.9, 10.12 and 10.13, concerning lawful processing, special categories of personal data, withdrawal of consent and the right to object respectively, were all incorporated to reflect GDPR requirements. The incorporation of Rules 10.16 and 10.17 dealt with specific GDPR necessities involving children. However, when it came to amending Rule 10.15, which is concerned with the age consent to marketing can be given by children in the absence of consent from the holder of parental responsibility, CAP decided to carry out further public consultation.
Finally, Appendix 3, which dealt with online behavioural advertising, was removed. The justification for doing so was that such matters would be regulated by a revised Section 10 in line with the standards introduced by the GDPR.
When will these changes to data protection regulation be enforced?
The revised Section 10 will be implemented immediately. However, the executive summary to the regulatory statement states ‘the ASA is likely to deal with matters informally, but reserves the right to tackle some cases formally where it believes, having consulted with relevant bodies, that a formal ruling is in the public’s and the sector’s interest.’
When it comes to formal decision making under Section 10, for example where legitimate interest arguments have been put forward as a basis for processing personal data for the purpose of producing and/or distributing a marketing communication, the ASA and CAP Executives will be guided by the Direct Marketing Commission (an independent industry watchdog). In cases where the issue at hand is particularly contentious and the outcome has the potential to affect widespread industry practice, CAP retains its discretion to refer cases to the ICO.
Stay tuned to MediaWrites for more analysis going forward.