
At Westminster Insight’s Data Protection Conference on 29th April, we were delighted to welcome Chris Combemale, CEO of the Data and Marketing Association (DMA), who shared his expert insights on the latest developments in data protection for direct marketers.
With over 35 years of international experience across Europe, the USA, and Asia/Pacific, Chris has led major agencies, brands, and marketing technology companies, and now plays a key role in shaping industry best practice and legislation.
As a continuation of the discussion at our conference, Chris has outlined 8 key developments that direct marketers need to be aware of following the proposed reforms in the Data Protection and Digital Information (No.2) Bill (DUA Bill). These reforms aim to drive growth, provide greater legal certainty, and maintain high standards of data protection.

1. The Definition of Direct Marketing
The focus on growth is inextricably linked to direct marketing. The first important point to note is the current definition of Direct Marketing. In DPA 2018 the legal definition is broader than some might expect: “The communication (by whatever means) of advertising or marketing material which is directed to particular individuals”. The DUA Bill adds this definition to GDPR and PECR to provide total clarity.

2. Legitimate Interests as a lawful basis
The most important reform is the greater certainty around the use of Legitimate Interests as a lawful basis for direct marketing. “Legitimate interests” is one of the six equal lawful bases for processing personal data. When relying on legitimate interests as a lawful basis, organisations must demonstrate that the processing is necessary for the legitimate interest and carry out a “balancing test” to document how their legitimate interests are balanced with the rights of data subjects.
Since the implementation of GDPR, many lawyers and Data Protection Officers have created uncertainty by advising companies that consent was “safer” even though LI and consent are equal in the text. In fact, it has become widely believed across society that GDPR requires consent even for legitimate local community activities. This has limited growth at a critical time in economic recovery without providing any additional protections to individuals.
Amendments to Article 6.1.f in DUA provide greater certainty on the scope of Legitimate Interests and include three specific examples, which are drawn from Recitals 47, 48 and 49 of GDPR, and specifically mention Direct Marketing.
This is wholly consistent with GDPR which is risk-based and proportionate. Recital 4 states clearly that Privacy is a fundamental right, not an absolute right, and must be balanced with other rights such as the right to conduct a business. There is nothing more fundamental to the right to conduct a business than finding new customers and retaining existing customers. A business would not exist without customers nor a charity without donors.
It is critical to remember that individuals always retain an unfettered right to object to marketing communications of any kind and at any time and are further protected by consumer protection services such as MPS and TPS which the DMA run.
3. Charity soft opt in for email
This is a critical amendment for charities that matches the soft opt in for email that has existed since 2003 for commercial products and services.
Supporting data from Salocin group, Wood for the Trees, analysing the lifetime value of contactable email donors versus non-contactable donors, identified the potential for £290 million of increased donations.
4. Cookies exemptions
Both governments that worked on the Bill shared the objective of eliminating cookies consent banners as they are interruptive, and the consent is meaningless. DUA does not get all the way there, but includes significant exemptions to consent requirements and, importantly, delegated powers to SoS that will be used to create further exemptions over time. The DUA exemptions include:
- Strictly necessary
- Statistical purposes for own use
- Enhance website functionality
- Security and software updates
- Emergency assistance
The net effect of these exemptions is that websites that use cookies only for first party relationships and do not take advertising may be exempt from cookie banners, especially B2B websites, pure play ecommerce sites and charity websites.
Even if you still have some consent requirements, your consent banners will be simpler, easier to manage and have fewer options that confuse customers, leading to operational cost savings and improved customer experience.
5. AI and machine learning
AI and machine learning are used by marketers to gain insight into their customers and make suggestions for products or services that are relevant to their interests. Amendments to Article 22 GDPR provide greater certainty that these marketing activities may continue normally for improved relevance and ROI while ensuring fairness and eliminating bias in algorithms.
6. Codes of Conduct in PECR
The DMA has been working on a Code of Conduct for Direct Marketing with the ICO for several years. Articles 40 and 41 of GDPR create collaborative regulation of data protection for the first time, with industry associations specifying how the legislation should be applied to their sector, and an independent monitoring body operating under delegated authority from the ICO to investigate and adjudicate on any complaints brought against Code Signatories. The DUA Bill establishes Codes of Conduct for PECR that could be contained in the same document as a GDPR Code of Conduct. The text of the Bill enables a complete Code of Conduct for Direct Marketing that will provide certainty on how the legislation should apply to the sector.
7. Reform to the Information Commissioner’s Office
Reforms to the ICO include specific objectives requiring the ICO to consider innovation and competition alongside data protection and privacy. This is wholly consistent with Recital 4 of GDPR and the principles set out in the DMA Code, and a very important clarification for direct marketing.
8. Market Research Provisions
The Bill encourages more research activity in the UK and reduces compliance costs in the sector by incorporating “scientific research carried out as a commercial activity” into the definition of scientific research. This reform will bring clarity and legal certainty to researchers in the commercial sector that they can benefit from the privileges the regime affords to scientific research, covering new product development and innovation alongside market research.
Chris Combemale’s expert overview at our conference made clear that the DUA Bill offers a real opportunity for the direct marketing sector to grow while upholding strong data protection standards. His 8 key developments provide crucial clarity for organisations, helping them balance innovation and compliance more effectively. As the reforms progress, understanding these changes will be vital for marketers aiming to stay ahead, serve their customers better, and ensure they operate within a more certain and supportive regulatory environment.
