The ASA have released changes to its rules on the use of children’s personal data for marketing purposes and on naming prize winners. These changes have been introduced in order to align with the Data Protection Act 2018 (“DPA”) and General Data Protection Regulation (EU 2016/679) (the “GDPR”). The changes take effect from the 14th March 2019.

Children’s personal data marketing

After (informal) consultation with the ICO (the UK data protection regulator), the ASA have provided a benchmark on the capacity of children to provide consent to marketing.

The GDPR is European legislation and sets the age of consent to marketing for a child at 16 years. Member states are permitted to lower this age of consent to a minimum of 13 years. The UK has opted for the age of 13 under the DPA.

Previously, the CAP Code included a blanket requirement for marketers to obtain verifiable consent from a parent or guardian of a child under the age of 12, before using their data for marketing purposes. Now, the age of 13 years is considered a reasonable benchmark for a child to provide consent to processing of personal data for both general marketing purposes and marketing in relation to the offer of online services.

Prize winner’s names

Previously, promoters were required to obtain consent from entrants to publish their names. However, the GDPR created some uncertainty around whether it was permissible to publish the name of prize winners, given the new strict requirements for obtaining valid consent.

The amended CAP Code has tried to strike a balance between demonstrating to a satisfactory standard that the prize has been won, and minimising the personal information published:

1. Is personal data being processed at all? The CAP Code has limited the information published to surname and county, and considers that in many cases this will not be sufficient to identify an individual. Where the individual may be identified, the information should not be published, but the promoter must provide the details of the prize winner and winning entry to a relevant regulatory body if challenged.

2. Are you being transparent? The GDPR gives individuals clear rights in relation to their personal data. The updates to the CAP Code address these rights and promoters must inform entrants at or before the time of entry of their intention to publish the information and give them the opportunity to object or reduce the amount of information published.

3. Can GDPR standard consent be met? Under the GDPR an individual must be able to withdraw their consent and it must be freely given. This is a difficult threshold to meet in most circumstances, not least where you may be preventing someone from entering a competition if they don’t agree. The amendments to the CAP Code have addressed this by no longer prescribing consent as the legal basis for processing, acknowledging that promoters could rely on legitimate interests where appropriate.