IAF Comment Letter on ICO Draft Code of Practice for Direct Marketing
Read IAF Comment Letter
The Information Accountability Foundation (IAF) team is concerned that society is sleep walking into an era where knowledge discovery will be precluded by a restrictive reading of the data protection law, especially with respect to knowledge application.  For that reason, the IAF filed comments on the UK ICO’s draft code of practice on direct marketing ("Draft Code").

Guidance needs to follow the basic premise of effective regulation in a digital age: controls should be proportional to the risk. The GDPR and the United Kingdom Data Protection Act of 2018 (“2018 ACT”) require organisations to differentiate their approach to the use of personal data according to levels of risk in many circumstances. The GDPR specifically differentiates and adds more requirements for profiling where there are legal and similarly significant effects and establishes different requirements for instances where the risk does not rise to that level. The IAF believes that many types of direct marketing are at a lower level of risk.

The IAF is concerned that the Draft Code suggests the mere processing of data to generate insights, without a sense of tangible negative effects, will be considered to have consequential effects.  By extension, the requirements of the GDPR relative to these effects extend these same requirements to knowledge discovery where there is often less direct impact to individuals. stated earlier, observation has become overly ubiquitous in today’s society.

The IAF believes that the movement to limit third-party cookies will have some societal benefits in this area.  However, even with those changes, the technology and processing behind market segmentation will be complex and understanding that process will not be most individuals’ main concern.  So, the role of organisations and regulatory agencies becomes more important.  Organisations must conduct assessments at almost every stage of the processing and must be able to demonstrate those assessments were conducted in an honest and competent fashion.  Regulators most oversee and enforce laws so organisations believe the likelihood of enforcement is high.


While these comments are directed at the ICO, there are indications that other data protection authorities may have similar views.  Knowledge discovery may create insights that are detrimental to individuals when used in an inappropriate fashion. This type of potential risk is why the GDPR is “risk based” and requires assessment of risk.  But to restrict profiling and knowledge discovery to only where consent is an effective governance process creates reticence risk.  The assessment and balancing of risks through processes as outlined in the GDPR, conducted honestly and competently, is the better answer.
Read IAF Comment Letter
Anonos Comment Letter on ICO Draft Code of Practice for Direct Marketing
read Anonos Comment Letter
Anonos submitted a comment letter to the ICO on the Direct Marketing Code of Practice (“Draft Code”) using the following approach.
  • First, we asked the ICO to address four questions for the benefit of society and industry:

    • May different legal grounds co-exist to support separate processes comprising lawful direct marketing, or must a single, unitary legal basis be established to support all end-to-end processing steps (e.g., collection, analytics, outreach, etc.) of personal data for direct marketing?
    • Can direct marketing itself serve as the purpose for which data is collected based on consent?
    • Can the further processing of personal data for direct marketing purposes be based on Legitimate Interests when supported by pseudonymised microsegments to respect and enforce the fundamental rights of data subjects?
    • Does all profiling necessarily constitute automated decision making?
  • Second, we proposed a cooperative, trans-disciplinary approach to addressing the issues discussed in the Draft Code.


  • Third, we highlighted three “fictions” that are fundamental to overcoming misunderstandings related to:
    • The relationship between the ICO and industry participants.
    • Changing data privacy protection approaches.
    • The role of the GDPR in reconciling conflicts between innovation and privacy.
  • Fourth, we commented on several aspects of the GDPR’s provisions and their application in the context of the Draft Code including:
    • Lawful Basis for Processing Personal Data
    • Shortcomings of Consent in Complex Situations
    • Benefits of Proper Legitimate Interests Processing
    • Purpose Limitation, Data Minimisation and Storage Limitation
    • Further Processing and the Compatible Purpose Test
    • Profiling and Automated Decision Making
    • GDPR Technical & Organisational Safeguards to Enable Lawful Direct Marketing
  • Fifth, we presented Anonos Microsegmentation which uses consent as the "centerpiece" of the direct marketing puzzle, with other "pieces" like Legitimate Interests legal basis allowing for lawful data processing when appropriate and necessary.
read Anonos Comment Letter