Chapter 16 Direct Marketing Flashcards
What makes DM so complex?
- Data protection & consumer protection requirements that vary from country to country
- involves data collected through the addressee’s device (location data, data collected through cookies)
- not only postal mail and email, but also messages sent through third-platform messages, push messages and in-app messaging
Examples of use of information collected through the addressee’s device
cookies on websites
HTML banners and beacons in email messages
data collected by apps on smartphones
What local laws are applicable?
of the countries where the sender and recipient are located
Definition of direct marketing
- any form of sales promotion, including by charities and political organisations
- it does not need to offer something for sale (it could be a promotion of a free offer or of the sender’s organisation)
- the communication should be directed to a particular individual (the individual's PD is processed to communicate a marketing message to them)
What is NOT considered DM?
- marketing communications not directed at individuals
- messages that are purely service related in nature (status of an order)
When do the GDPR and ePrivacy Directive apply?
GDPR - to all direct marketing communications, e.g. by post, phone, fax, email, online behavioral advertising
ePrivacy - DIGITAL marketing - DM communicated over an electronic communications network (phone, fax, email, SMS, MMS, online behavioral advertising, OBA)
Marketing requirements under GDPR
lawful basis
transparency
T&O measures, DPA with service providers
3rd country transfers only if adequate protection is in place
Right to opt out under GDPR
Individuals must have a specific right to refuse or opt out of direct marketing regardless of whether the lawful basis is consent or legitimate interest
consent=withdraw the consent
LI=right to object
Must be always informed of the right to opt out - at the time of first communication, the right must be presented clearly and separated from other information
Can opt out across all marketing channels and of all forms of DM
C must honour request to opt out in a timely fashion and at no cost to the individual
All PD must be deleted unless compelling legitimate grounds exist
Profiling must be completely removed
contact details should be suppressed rather than deleted as this way the opt-out record is retained
C should always cross-reference, cleanse and update their marketing contact list against internal opt-out records and national opt out registers before sending any DM communication
National opt out registers (Robinson Lists)=option to submit a global opt out from all DM over a particular communication channel
valid opt in consent from the individual overrides the opt out from the Robinson List
What are marketing requirements under ePrivacy laws?
concern unsolicited messages and cookies/tracking technologies
prior opt-in consent for all forms of digital marketing, except person to person phone call
Exemption: email marketing on an opt out basis when contact details were collected in the context of the sale of a product or service
location-based marketing
use of cookies for OBA
How is the ePrivacy Directive implemented?
in national laws, data protection or telecommunications
Enforcement varies - DP or TC regulator
What is OBA?
Website advertising targeted at individuals based on the observation of their behaviour over time
advertising is more relevant to the individual, improves effectiveness of click-through rates
How does OBA work?
First party advertising - delivered by the website publisher itself
Third party advertising networks serve OBA on behalf of website publishers = may track individuals' behaviour across multiple, unaffiliated websites
Tracking works through a cookie which is assigned a unique identifier (serial number specific to that cookie)
Is OBA subject to GDPR?
Yes, information collected for the purposes of OBA qualifies as PD
online identifier
profiling
OBA is subject to GDPR&ePrivacy directive
Social Media provider and targeter are usually considered joint controllers and each of them will need their own legal basis
Other roles: marketing service and providers, ad networks, ad exchanges, demand side platforms, data management providers, data analytics companies
OBA and ePrivacy laws
ePrivacy laws will always apply for OBA in relation to the use of cookies to store and access information in the device of an individual
Use of cookies is only allowed if the user has given their consent
Consent under ePrivacy directive
the identical requirements for valid consent for the use of cookies apply as under GDPR:
- consent must be specific and informed: information about the intended use and purposes of the cookie must be given
- clear affirmative action: consent must be given before the cookie is placed on the computer or information stored in the computer is retrieved
- Freely given consent: user must have a choice and must provide an active indication that they do consent
Implementation of Art 5(3) of ePrivacy Directive varies between the member states
Information in case of 3rd party cookies
most OBA solutions apply the use of 3rd party cookies
Information:
- which 3rd party the individual cookie belongs to
- where the information on the processing by such 3rd party can be found (link to the cookie statement of the 3rd party)
Postal marketing
Only subject to GDPR as it is not digital marketing
Lawful basis:
- consent not required by GDPR but some national laws mandate it
- legitimate interests if consent is not required by law (Balancing test: existing customer; similar product/services as the DS would expect; if the marketer has pledged not to send direct marketing communication then it shouldn’t)
In some MS the C must cleanse their contact list against applicable national opt-out register; if it has a valid opt in consent, this is not necessary
Telephone marketing
Subject to ePD and GDPR
ePD:
- person-to-person: no consent required
- automated calling system: consent required
- MS can decide whether p-to-p telephone marketing should be conducted on an opt-in or opt-out basis:
- - individuals must have an option to opt out free of charge:
- - - some MS have introduced national opt-out registers
- - - some MS have mandated a requirement for prior opt-in consent (Slovenia)
Automated calling systems
always prior opt-in consent
phone number is automatically dialed and the prerecorded message is played
does not apply when automatic dialing technology is used for calling and then a P-to-P conversation begins
B2B telephone marketing
Restrictions to unsolicited TM under ePD apply to B2C and B2B
when processing employees’ contact details, GDPR applies
Electronic mail: email, SMS, MMS
Subject to GDPR and ePD
Any text, voice, sound, image sent over a public communication network which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient
Prior opt in consent
Opt out exception:
- the electronic mail contact details were obtained in the context of the sale of a product or a service
- DM may be sent only for its own similar products and services (DC must not share the data with 3rd party)
- opportunity to opt-out given at the time the contact details were collected and any subsequent communication - simple and free of charge
Information requirement for electronic mail
Opt out request:
- opt-out email address,
- hypertext link
- mobile short code where you send a request - TextSTOP
The identity of a sender may not be concealed or disguised
- message must be clearly identifiable as commercial communication
- promotional offers and promotional competitions/games (if allowed) must be identifiable (discount) and conditions to qualify must be clear
Location based marketing
GDPR applies whenever the use of location data involves processing of PD (in most cases)
ePD - specific consent and opt-out provisions when LD are processed
B2B electronic mail marketing
varies amongst MS
when processing employees’ contact details, GDPR applies
What is location data?
Any data processed in an ECN or by ECS, indicating the geographic position of the terminal equipment of a user of publicly available ECS = latitude, longitude, altitude, direction of travel of TE
The rules apply only to the location of TE not location of person
Consent requirements for LBM
opt in consent is needed to use location data to provide a value added service, e.g. Location based marketing service
Exemption: LD are processed in anonymised form only - doesn’t apply to LBM
Information requirements
- types of location data
- purposes and duration
- will data be transmitted to a third party for the purpose of providing a value added service
Right to withdraw consent
opting out must be simple and free of charge
- to opt out entirely
- to opt out temporarily on each connection to the network or each transmission of a communication
LD may only be processed to the extent and for duration necessary to provide a value added service
Enforcement under GDPR for DM (including OBA)
fines and administrative sanctions
civil liability
criminal liability
Similar under ePD