DMA updates code of practice in line with the ICO data and cookie laws

[tweetmeme source=”getintheinbox” only_single=false]

A week or so ago members of the DMA UK released the latest DMA code of practice which has been updated to include the new requirements defined by the new Data and Cookie laws introduced in the UK recently.  These laws were introduced to be in line with the increased EU privacy laws…This same blog but a far more polished version is on the Pure360 resources and community site.

What’s changed?

In a nutshell brands have to be far more upfront with their collection of data; how they collect it, what they will do with it, and, specifically reference the use of cookies and other tracking technology on their site.  Also users must now consent to the use of cookies (or other similar tracking technology) unless the use of the cookie(s) is strictly necessary for the operation of the service being expected by the user; for example:

–          On a site that you can log into – ecommerce for instance – the site will need to set up a cookie to keep you logged in as you navigate around: this is a necessary cookie for the service.

–          On a site with a shopping cart, cookies are sometimes used to keep track of the items you have added to your cart as you look around further: this is a necessary cookie for the service.

–          Most brands like to know who does what on their website and some allow third parties who advertise on their site to track usage across multiple sites to ensure they display the most appropriate ads: these cookies are not necessary for the service  provided and subsequently consent from the user is legally required to set them up.

One new bit that is right at the end of the additions is the requirement to provide an online mechanism for opting out of data processing for direct marketing purposes – there is also a separate statement for third party opt-out.

The latest copy is available in read-only format for everyone and a downloadable format for DMA members on the code of practice page their site.

The ICO have clearly published their advice on the new cookies Regulations sets out these changes and explains what steps you need to take to ensure you comply. There is also the full blurb on Cookies and pretty much anything else you might be curious about.


What does this mean for you?

There are three main points to draw attention to:

  1. How to implement and inform subscribers

    You need to ensure that you clearly inform site visitors and subscribers of how you will use any data you gleam from them on your site, be it from your usage or data you provide deliberately.

    Implementing a clear, prominent statement explaining the personal data to be collected, how it is collected, who is collecting it and how it will be used immediately prior to or at the time of collection, is actually quite easy. Make sure you have a privacy policy that covers all of the DMA requirements for your data collection and usage on your site, linked from every page. Then also make sure you have a link to it on every form on your site that users use to provide you with data.

Then all you have to do is live up to it.

  1. Attain consent to the use of cookies and ‘similar tracking technology’.

    Enforcing non-consent of non-essential cookies is still posing a problem because browsers are not yet compliant with it – but they will be soon. So it will be down to the website owners to either stop using some arbitrary and third party-ad cookies or build their own consent box for users to accept on entry. The ICO’s advice on the new regulations is very helpful and they are not putting a lot of pressure on…yet.

    Who has implemented this already?

    The ICO have already implemented this on their site  When you visit it there will be a small section at the top asking you to tick a box and hit a button, very subtle, unintrusive but noticeable enough, functioning without interrupting and low tech too. Have a look for yourselves at the top of

  2. Provide and opt-out mechanism for the processing of personal data for direct marketing purposes.

    Essentially all you need to do is state that all marketing emails have a working unsubscribe link and then have email in address there for people to use if they want to stop all or some emails.

    If you are concerned about scrapers and bots picking up the unsubscribe email address, write it out in text without a link and describe the punctuations, eg:
    If your opt-out address is write the following: “Unsubscribe-at-pure360-dot-co-dot-uk” And don’t link it.

    I would not advise creating a form for people enter their email address to opt-out. This is because anyone can enter any email address in and hit go, unless you implement a ‘double opt-out’ which again would confuse people if someone else enters submits their address, requires technology to implement this and it’s not worth the hassle in comparison to the risks.