Marketing Privacy and Cookies Policy

The Marketing Privacy and Cookies Policy defines mandatory privacy requirements for marketing, cookies, tracking technologies, analytics, advertising technology, audience segmentation, direct marketing, preference management, suppression, third-party tags, campaign review and related PII processing. Its stated purpose is to ensure these activities are governed through clear purpose records, transparent notice, appropriate consent or preference controls, suppression and withdrawal handling, third-party oversight, and audit-ready evidence. The policy applies across controller, joint controller, processor and subprocessor contexts, with controller obligations applying where the organization determines marketing purposes and means, and processor obligations applying where marketing, analytics, tracking or campaign-related PII is handled under documented customer or upstream processor instructions. A central requirement is that marketing and tracking purposes must be recorded before processing begins. For controller activities, the Process Owner or Business Owner must record each marketing campaign, channel, processing purpose, PII category, audience source, lawful-basis linkage, tracking technology category, vendor or tag dependency, notice linkage, consent or preference dependency, retention linkage and transfer flag in REG02 before the campaign or tracking activity begins. The Privacy Lead / PIMS Manager must confirm current REG07 notice linkage and REG05 consent or preference linkage before campaign launch. Where joint marketing, shared-audience, co-branded campaign or shared tracking activity is involved, joint-controller responsibility allocation must be recorded in REG08 before launch. The policy gives detailed operational requirements for consent, preferences, cookies and tracking controls. It requires the organization to identify whether consent, preference, objection, contractual instruction or another approved basis is required for each marketing channel and to record the decision in REG02 and REG05 before collection or campaign use. Non-essential cookies, tags, pixels, SDKs and similar tracking technologies must remain inactive until the required consent or preference state is available in REG05. Consent or preference signals must not be overwritten, bypassed or ignored during website, application, campaign or tag-manager changes, and validation evidence must be recorded before release. Consent, preference, withdrawal, suppression and version evidence must be recorded in REG05 within one business day after capture, change or withdrawal. Transparency and third-party governance are also core themes. The Privacy Lead / PIMS Manager must create or update the marketing privacy notice or cookie notice record in REG07 before launching a new marketing channel, tracking technology, analytics configuration or material campaign change. Notice content must align with REG02 marketing purposes, PII categories, recipient categories, vendor categories, tracking technology categories, preference choices and transfer flags before publication. Marketing vendors, analytics providers, advertising platforms, tags, pixels, SDKs and data-sharing partners must be recorded in REG08 before production use, with processor, joint-controller or independent-controller classification confirmed before onboarding or renewal. International vendors, tags, analytics providers, advertising platforms, audience transfers or data-sharing transfers must be routed to REG09 before go-live where applicable. The policy also establishes requirements for campaign review, suppression, opt-out routing, enforcement and continual oversight. Audience source, segmentation criteria, PII categories, suppression exclusions, preference constraints and notice linkage must be verified before campaign launch, and individuals with withdrawal, objection, do-not-contact or suppression status must be excluded before activation. Marketing objections, opt-outs, withdrawal requests, unsubscribe failures and direct marketing complaints must be routed to REG06 within two business days, and suppression or preference status must be updated within one business day after validation. Governance controls include quarterly review of marketing privacy control status in REG12, annual review of active marketing vendors in REG08, quarterly metrics for missing consent or notice linkages, tracker and consent-state exceptions, overdue fulfilment items, and audit findings or corrective actions recorded in REG12.