Consolidated ICC code

Article 19 – Data protection and privacy

When collecting personal data from individuals, care should be taken to respect and protect their privacy by complying with relevant rules and regulations.

Collection of data and notice
When personal information is collected from consumers, it is essential to ensure that the individuals concerned are aware of the purpose of the collection and of any intention to transfer the data to a third party for that third party’s marketing purposes. (Third parties do not include agents or others who provide technical or operational support to the marketer and who do not use or disclose personal information for any other purpose). It is best to inform the individual at the time of collection; when it is not possible to do so this should be done as soon as possible thereafter.

Use of data
Personal data collected in accordance with this code should be

  • collected for specified and legitimate purposes and not used in any mannerincompatible with those purposes;
  • adequate, relevant and not excessive in relation to the purpose for which they are collected and/or further processed;
  • accurate and kept up to date;
  • preserved for no longer than is required for the purpose for which the data were collected or further processed.

Security of processing
Adequate security measures should be in place, having regard to the sensitivity of the information,in order to prevent unauthorised access to, or disclosure of, the personal data.
If the information is transferred to third parties, it should be established that they employ at least an equivalent level of security measures.

Children’s personal information
When personal information is collected from individuals known or reasonably believed to be children 12 and younger, guidance should be provided to parents or legal guardians about protecting children’s privacy if feasible.

Children should be encouraged to obtain a parent’s or other appropriate adult’s permission before providing information via digital interactive media, and reasonable steps should be taken to check that such permission has been given.

Only as much personal information should be collected as is necessary to enable the child to engage in the featured activity.

Data collected from children should not be used to address marketing communications to the children’s parents or other family members without the consent of the parent.

Identifiable personal information about individuals known to be children should only be disclosed to third parties after obtaining consent from a parent or legal guardian or where disclosure is authorised by law. (Third parties do not include agents or others who provide technical or operational support to the marketer and who do not use or disclose children’s personal information for any other purpose.)

Additional rules specific to marketing communications to children using digital interactive media can be found in chapter D, article D5.

Privacy policy
Those who collect data in connection with marketing communication activities should have a privacy policy, the terms of which should be readily available to consumers, and should provide a clear statement if any collection or processing of data is taking place,whether it is self-evident or not.

In jurisdictions where no privacy legislation currently exists, it is recommended that privacy principles such as those of the ICC Privacy Toolkit (available from ICCwebsite) are adopted and implemented.

Rights of the consumer
Appropriate measures should be taken to ensure that consumers understand and exercise their rights

  • to opt out of marketing lists (including the right to sign on to general preference (services);
  • to require that their data are not made available to third parties for their marketing purposes; and
  • to rectify incorrect data which are held about them.

Where a consumer has expressed a wish not to receive marketing communications using a specific medium, whether via a preference service or by other means, this wish should be respected. Additional rules specific to the use of the digital interactive media and consumer rights are to be found in chapter D.

Cross-border transactions
Particular care should be taken to maintain the data protection rights of the consumerwhen personal data are transferred from the country in which they are collected to another country.
When data processing is conducted in another country, all reasonable steps should be taken to ensure that adequate security measures are in place and that the data protection principles set out in this code are respected. The use of the ICC model clauses covering agreements between the originator of the marketing list and the processor or user in
another country is recommended (available from ICCwebsite)


Code campaign supported by :