Chapter 16 Direct Marketing

Question 1

What makes DM so complex?

Answer 1

• Data protection & consumer protection requirement that vary from country to country
• involves data collected through the addressee’s device (location data, data collected through cookies)
• not only postal mail and email, but also messages sent through third-platform messages, push messages and in-app messaging

Question 2

Examples of use of information collected through the addressee’s device

Answer 2

cookies on websites
HTML banners and beacons in email messages
data collected by apps on smartphones

Question 3

What local laws are applicable?

Answer 3

of the countries where the sender and recipient are located

Question 4

Definition of direct marketing

Answer 4

• any form of sales promotion, including by charities and political organisations
• it does not need to offer something for sale (it could be a promotion of a free offer or of the sender’s organisation)
• the communication should be directed to particular individual (individuals PD are processed to communicate a marketing message to them)

Question 5

What is NOT considered DM?

Answer 5

• marketing communications not directed at individuals
• messages that are purely service related in nature (status of an order)

Question 6

When does GDPR and ePrivacy directive apply?

Answer 6

GDPR - to all direct marketing communicatios, e.g. by post, phone, fax, email, online behavioral advertising
ePrivacy - DIGITAL marekting - DM communicated over electronic communications network (phone, fax, email, SMS, MMS, online behavioral advertising OBM)

Question 7

Marketing requirement under GDPR

Answer 7

lawful basis
transparency
T&O measures, DPA with service providers
3rd country transfers only if adequate protection is in place

Question 8

Right to opt out under GDPR

Answer 8

Individuals must have a specific right to refuse or opt out of direct marketing regardless if lawful basis is consent or legitimate interest
consent=withdraw the consent
LI=right to object

Must be always informed of the right to opt out - at the time of first communication, the right must be presented clearly and separated from other information

Can opt out across all marketing channels and of all forms of DM

C must honour request to opt out in a timely fashion and at to cost to individual

All PD must be deleted unless compelling legitimate grounds exist
Profiling must be completely removed

contact details should be suppressed rather than deleted as this way the opt-out record is retained

C should always cross-reference, cleanse and update their marketing contact list against internal opt-out records and national opt out registers before sending any DM communication

National opt out registers (Robinson Lists)=option to submit a global opt out from all DM over a particular communication channel

valid opt in consent from the individual overrides the opt out from Robinsons list

Question 9

What are marketing requirements under ePrivacy laws

Answer 9

concern unsolicited messages and cookies/tracking technologies

prior opt-in consent for all forms of digital marketing, except person to person phone call
Exemption: email marketing on an opt out basis when contact details where collected in the context of the sale of a product or service
location-based marketing
use of cookies for OBA

Question 10

How is ePrivacy directive implemented

Answer 10

in national laws, data protection or telecommunications
Enforcement varies - DP or TC regulator

Question 11

What is OBA?

Answer 11

Website advertising targeted at individuals based on the observation of their behaviour over time
advertising is more relevant to the individual, improves effectiveness of click-through rates

Question 12

How OBA works?

Answer 12

First party advertising - delivered by the website publisher itself
Third party advertising networks to serve OBA on behalf of website publishers=may track individuals behaviours across multiple, unaffiliated websites
Tracking works through cookie which is assigned a unique identifier (serial number specific to that cookie)

Question 13

Is OBA subject to GDPR?

Answer 13

Yes, information collected for the purposes of OBA qualify as PD
online identifier
profiling
OBA is subject to GDPR&ePrivacy directive
Social Media provider and targeter are usually considered joint controllers and each of them will need their own legal basis
Other roles: marketing service and providers, ad networks, ad exchanges, demand side platforms, data management providers, data analytics companies

Question 14

OBA and ePrivacy laws

Answer 14

ePrivacy laws will always apply for OBA in relation to the use of cookies to store and access information in the device of an individual
Use of cookies is only allowed if the user has given their consent

Question 15

Consent under ePrivacy directive

Answer 15

the identical requirements for valid consent for the use of cookies apply as under GDPR:
- consent must be specific and informed: information about the intended use and purposes of the cookie must be given
- clear affirmative action: consent must be given before the cookie is placed on the computer or information stored in the computer is retrieved
- Freely given consent: user must have a choice and must provide an active indication that they do consent
Implementation of Art 5(3) of ePrivacy Directive varies between the member states

Question 16

Information in case of 3rd party cookies

Answer 16

most OBA solutions apply the use of 3rd party cookies
Information:
- which 3rd party the individual cookie belongs to
- where the information on the processing by such 3rd party can be found (link to the cookie statement of the 3rd party)

Question 17

Postal marketing

Answer 17

Only subject to GDPR as it is not digital marketing

Lawful basis:
- consent not required by GDPR but some national laws mandate it
- legitimate interests if consent is not required by law (Balancing test: existing customer; similar product/services as the DS would expect; if the marketer has pledged not to send direct marketing communication then it shouldn’t)

In some MS the C must cleanse their contact list against applicable national opt-out register; if it has a valid opt in consent, this is not necessary

Question 18

Telephone marketing

Answer 18

Subject to ePD and GDPR
ePD:
- person-to -person: no consent required
- automated calling system: consent required
- MS can decide whether p-to-p telephone marketing should be conducted on an opt-in or opt-out basis:
- - individuals must have an option to opt out free of charge:
- - - some MS have introduced national opt-out registers
- - - some MS have mandated a requirement for prior opt-in consent (Slovenia)

Question 19

Automated calling systems

Answer 19

always prior opt-in consent
phone number is automatically dialed and the prerecorded message is played
not apply when automatic dialing technology is used for calling and then P-to-P conversation begins

Question 20

B2B telephone marketing

Answer 20

Restrictions to unsolicited TM under ePD apply to B2C and B2B
when processing employees’ contact details, GDPR applies

Question 21

Electronic mail: email, SMS, MMS

Answer 21

Subject to GDPR and ePD
Any text, voice, sound, image sent over a public communication network which can be stored in the network or in the recepient’s terminal equipment until it is collected by the recipient

Prior opt in consent
Opt out exception:
- the electronic mail contact details where obtained in the context of the sale of a product or a service
- DM may be sent only for its own similar products and services (DC must not share the data with 3rd party)
- opportunity to opt-out given at the time the contact details were collected and any subsequent communication - simple and free of charge

Question 22

Information requirement for electronic mail

Answer 22

Opt out request:
- opt-out email address,
- hypertext link
- mobile short code where you send a request - TextSTOP

The identity of a sender may not be concealed or disguised
- message must be clearly identifiable as commercial communication
- promotional offers and promotional competitions/games (if allowed) must be identifiable (discount) and conditions to qualify must be clear
-

Question 23

Location based marketing

Answer 23

GDPR applies whenever the use of location data involves processing of PD (in most cases)
ePD - specific consent and opt-out provisions when LD are processed

Question 24

B2B electronic mail marketing

Answer 24

varies amongst MS
when processing employees’ contact details, GDPR applies

Question 25

What is location data?

Answer 25

Any data processed in an ECN or by ECS, indicating the geographic position of the terminal equipment of a suer of publicly available ECS = latitude, longitude, altitude, direction of travel of TE
The rules apply only to the location of TE not location of person

Question 26

Consent requirements for LBM

Answer 26

opt in consent is needed to use location data to provide a value added service, e.g. Location based marketing service
Exemption: LD are processed in anonymised form only - doesn’t apply to LBM

Question 27

Information requirements

Answer 27

• types of location data
• purposes and duration
• will data be transmitted to a third party for the purpose of providing a value added service

Question 28

Right to withdraw consent

Answer 28

opting out must be simple and free of charge
- to opt out entirely
- to opt out temporarily on each connection to thee network or each transmission of a communication

LD may only be processed to the extent and for duration necessary to provide a value added service

Question 29

Enforcement under GDPR for DM (including OBA)

Answer 29

fines and administrative sanctions
civil liability
criminal liability

Similar under ePD