Insights Committee of Advertising Practice publishes top four tips on using personal data for marketing


To mark Data Protection Day on 28 January 2022, CAP published an advice note on the key rules to comply with when using personal data for marketing:

  1. personal data: Section 10 of the CAP Code outlines the rules that marketers need to follow when they are using consumers’ personal data, which is any data that can be used to identify a particular living person; when a customer’s name is matched up with their contact details (e.g. their postal address, e-mail address, phone number, or any other means of information that’s specific to the named individual) or an identifier such as an IP address or cookie, this is likely to count as their personal data;
  2. collecting personal data: Code rules 10.2 and 10.3 state that certain information must be provided to consumers whenever personal data is obtained, including the marketer’s contact details, the reason and legal basis for collecting the data, the identities of third parties who the data will be shared with, how long it will be stored, and consumers’ right to ask for it to be deleted;
  3. consent: Code rule 10.6 provides that if personal data will be used to send marketing communications by electronic mail, the consumer needs to have given the marketer their explicit consent beforehand; “electronic mail” includes text, voice and video messages sent by e-mail, SMS, or any other form of digital messaging; direct messages on social media platforms or in apps, for example, are likely to count as electronic mail; consent to receive messages must be given before they are received through clear affirmative action, such as a tick box, and should not be bundled in with consent to receive other types of message, i.e., it must be “specific”; and
  4. Code rule 10.10 covers consumers’ right to ask the marketer not to contact them; if a consumer makes this request, marketers should accept it and ensure that they do not send any further marketing communications; marketers should retain just enough data about those consumers to meet their obligations to suppress their data.

To access the full advice note, click here.