The Nuances of CAP Code Section 10 that You Should Know
Originally posted on 20 March, 2019 on the DMA website
The Advertising Standards Authority (ASA) revised their rules for the use of data in marketing in early November of last year. The rules were changed to bring them in line with GDPR and make sure that they are fit for purpose in an era where all marketing relies on data. One of the most exciting changes is that the ASA will use the Direct Marketing Commission (DMC) as an expert resource on Legitimate Interest and other data related complaints. Obviously, these rules do not replace GDPR but fit into the UK’s self-regulatory framework - it is much better to have a discussion with the DMC or the ASA rather than the Information Commissioner’s Office (ICO).
Section 10 of the Committees of Advertising Practice (CAP) Code was changed after a full stakeholder consultation and went into immediate effect on 6 November. In lieu of a transition period the ASA will deal informally with complaints for the first six months and will review these rules after twelve months of adjudications. With only two months left in the informal period it seems a good time to highlight a couple a small differences to GDPR and the DMA Code.
Section 10.2.6 covers the transfer of data outside of the UK. The CAP code talks about what you should do when you “intend” to move the data outside of the UK. This is really aimed at data controllers who want to process the data offshore. Remember GDPR covers all situations where you pass data outside the EU. If the support team for your marketing tech is located outside of the UK you could run into an issue where you transferred the data without “intending” to. The ASA may or may not object to this, but I suspect the ICO would without the proper notifications, procedure and contractual relationships in place.
Section 10.7 is aimed specifically at digital marketers and requires that the full name and address of the marketer be included in the message. There are guidelines of what to do in an SMS message given the character limit. There is also a carve out for bluetooth communications where the ASA does not require any form of identification to be included in bluetooth messaging. I am not sure why a marketer would not want to include their name in a message but it is important to note that this exception IS NOT in the DMA Code. The Responsible Marketing Committee’s view is that a marketer cannot “be honest, fair and transparent throughout their business” if they are unwilling to identify themselves in a marketing message.
The last section I want to discuss is 10.15 which covers collecting data from children. The CAP code sets the age limit at 12 while the DMA code has no age limit. Instead the DMA code points out that children are a vulnerable audience, so whether you collect data and what data you collect should be a function of the product and services you offer with the age being treated appropriately.
If you have not looked at the revision of Section 10 of the CAP code you should. In conjunction with the DMA Code it is a key component of the UK’s self regulatory framework for marketing, which is always going to be better than facing a legal review. You will not find anything there that you would not expect, so I would not panic but I would sign up for the ASA’s CAP Code adjudication alerts so you can keep an eye on how this revised section of the CAP code is being applied.