Earlier this month, CAP, the Committee of Advertising Practice, announced new rules on the use of data for marketing. What are these new rules, and how will they impact your marketing activity?
What is CAP?
Whether or not you’re governed by an industry body like the Financial Conduct Authority, if you advertise in the UK, you also need to abide by the CAP rules. You can read more about what this means in our blog on How to comply with the CAP code.
Why is CAP proposing changes on the use of data?
In its announcement, the Committee says that:
‘These changes are intended to ensure that its rules cover data protection issues most relevant to marketing, and that they align with the standards introduced by the General Data Protection Regulation (GDPR).’
Previously, CAP’s regulation of data protection issues was carried out under two sets of rules: section 10 and Appendix 3.
Section 10 regulated the use of data for direct marketing generally. Appendix 3 focused on online advertising, and included rules on the transparency and control of data collected and used to deliver ads based on web-users’ browsing behaviour (sometimes known as ‘remarketing’).
What changes are planned?
CAP consulted on:
- Proposals to remove section 10 rules relating to ‘pure data protection matters’. This is proposed on the basis that ‘these rules are unlikely to attract an expectation of regulation by the UK’s advertising regulator’
- Proposals to amend marketing-related section 10 rules (and definitions) to ensure that they are aligned with the GDPR
- A proposal to remove Appendix 3 (Online behavioural advertising (OBA)) of the CAP Code and to regulate OBA under an updated Section 10.
The new Section 10 rules are immediately effective, and will be subject to a review after 12 months.
The announcement says that, in the first six months the rules are in force, ‘the ASA is likely to deal with matters informally, but reserves the right to tackle some cases formally where it believes…that a formal ruling is in the public’s and the sector’s interest’.
The Direct Marketing Commission, an independent industry watchdog, will be used by the ASA and CAP as a panel to advise on cases involving ‘legitimate interests’ and related matters.
You may remember from our blogs on the GDPR that ‘legitimate interest’ is one of the five lawful bases for processing data under the GDPR. In the run-up to the GDPR’s introduction in May, there was a focus on using consent as a lawful basis for processing data. In practice, however, many firms have chosen to use legitimate interest as their basis.
What happens next?
CAP is going to carry out further consultation in two specific areas: marketing to children and publication of prize-winners’ names. This consultation will be published ‘imminently’ and will last for four weeks.
How to make sure you stay on the right side of data rules
1. Familiarise yourself with the rules
CAP’s full regulatory statement can be read here, along with copies of the consultation responses and CAP’s evaluation of them.
You can read more about the GDPR to understand your requirements under that regulation. We also have specific advice on GDPR compliance for small businesses and for regulated firms, and you can read tips here on how to avoid GDPR pitfalls in your marketing.
2. Get it right on record keeping
Compliant record-keeping underpins both the GDPR and many regulator-specific requirements. The FCA, for instance, has strict rules on the audit trails you need to establish for the approval, publication and archiving of your financial promotions.
3. Take control of your data
How much oversight do you have of the way your firm’s data is used? In professional services in particular, marketing teams may not be the only ones processing and using contact data, as consultants and advisers are often in control of their own client and prospect communications.
If this is a risk to your marketing compliance, find out how to take back control of your marketing activity to reduce the risk of regulatory breaches.
4. Make compliance with data rules an in-built element of your marketing
A sure-fire way to reduce the risk of data non-compliance is to embed a culture where best practice is in-built. Of course, this is easier said than done. Our five tips for embedding a compliance culture into your business may help.
Best practice data management for all firms
Whether you work in a regulated industry or not, you need to comply with data protection rules. Meeting the new requirements – and any other rules – is far easier if you make a culture of compliance non-negotiable in your firm.
Read more about how to do this in our whitepaper, How to embed a compliance culture into your business. The whitepaper is free and can be downloaded here.
Nothing in this document should be treated as an authoritative statement of the law. Action should not be taken as a result of this document alone. We make no warranty and accept no responsibility for consequences arising from relying on this document.