CAP Code changes to reflect GDPR


The Committee of Advertising Practice (CAP), which is responsible for the UK Code of Non-broadcast Advertising and Direct & Promotional Marketing (CAP Code), announced changes to the CAP Code on 6 November. The changes, to take effect immediately, come after a consultation and informal discussions with the Information Commissioner’s Office (ICO) to align the CAP Code with the new data protection regime of the General Data Protection Regulation (GDPR).


Prior to GDPR being in force, rules in the CAP Code relating to data protection were found in Section 10 and Appendix 3 (which were suspended from 25 May). These rules were generally characterised by CAP as rules that relate to ‘pure data protection matters’ or data protection issues with a marketing dimension.

The consultation considered and ultimately approved the following changes to the CAP Code:

  1. Removal of rules in Section 10 relating to “pure data protection matters”, as it is unlikely that the Advertising Standards Authority (ASA) is the appropriate body to regulate such matters. The ICO would be the appropriate body in that case.
  2. Amending Section 10 to ensure that marketing-related rules reflect the GDPR.
  3. Removal of Appendix 3 (Online behavioural advertising), with online behavioural advertising instead regulated within the revised Section 10.


Section 10 now includes new definitions for “consent”, “personal data”, “marketers”, “controllers” and “special categories of data” and a requirement to provide information to data subjects about the processing of their personal data (i.e. by way of a privacy notice).

Other notable changes include:

  • a restriction on making persistent and unwanted marketing communications;
  • personal data must not be processed in a way not compatible with the original purpose for which the data was obtained;
  • marketers must obtain consent in order to send marketing communications, or must be able to demonstrate that any processing of personal data that is not reliant on consent is necessary for the purpose of a legitimate interest;
  • marketers must “do everything reasonable to ensure that anyone who has been notified to them as dead is not contacted again”;
  • suppression files should be maintained to ensure that no marketing communications are sent to individuals who do not wish to receive such communications; and
  • CAP has agreed to use the Direct Marketing Commission, which is an independent watchdog, as an expert panel to provide advice to CAP and the ASA where direct marketing is being undertaken by marketers using legitimate interest as their basis for processing.


These changes are broadly in line with the current requirements of data protection legislation and should not impose any noticeably different or significantly enhanced compliance requirements. However, marketers should be aware of the ASA’s power to refer matters to other regulatory bodies. This was highlighted by the ICO’s attitude in its consultations with CAP, suggesting that there is benefit in CAP’s self-regulation of marketing-related data protection matters.

It is noted that the ASA is likely to deal with matters informally in the first six months; however, it may tackle some cases more formally where it is in the public interest or where it is deemed required by it or other regulatory bodies. A further review of the CAP Code is also expected when the new Regulation on Privacy and Electronic Communications comes into force.