Chapter 16 - Direct Marketing Flashcards
What makes the application of data protection rules in direct marketing complex?
-The complexity arises because direct marketing often triggers not only data protection requirements but also various consumer protection regulatory requirements that vary from country to country.
-Direct marketing involves the use of data collected through the addressee’s device, such as location data from a smartphone or data collected through cookies.
-Direct marketing messages are sent via multiple channels, including postal mail, email, third-platform messages, push messages, and in-app messaging.
What is the concept of direct marketing according to the Article 29 Working Party (WP29)?
-WP29 considers direct marketing to include any form of sales promotion, including direct marketing by charities and political organisations for fundraising purposes.
-Direct marketing messages do not need to offer something for sale; they could be a promotion of a free offer or the sender’s organisation.
-Direct marketing involves communication directed to particular individuals, meaning data protection laws apply when individuals’ personal data are processed to communicate the marketing message.
What are the differences between digital and nondigital marketing under the GDPR and ePrivacy Directive?
-GDPR applies to all direct marketing communications, whether communicated by post, phone, fax, electronic mail, or otherwise.
-It also applies to online advertising targeted at individuals based on their internet browsing history.
-The ePrivacy Directive applies to digital marketing communications, such as phone, fax, email, SMS, and MMS, but does not apply to postal marketing.
-The ePrivacy Directive also specifies rules that impact the use of online behavioural advertising.
What is the right to opt out under the GDPR?
-GDPR requires individuals to have a specific right to refuse or opt out of direct marketing sent by the data controller, regardless of whether data collection and further processing is based on the ‘legitimate interest’ lawful basis or consent.
-Individuals must be informed of their right to opt out at the time of the first communication.
-Marketers must allow individuals to opt out across all marketing channels.
-Data controllers must honor opt-out requests in a timely fashion and at no cost to the individual.
What are the marketing requirements under the GDPR?
-Data controllers must satisfy all compliance responsibilities under the GDPR, including:
- Ensuring there is a lawful basis for the collection and use of the data subjects’ personal data, normally either the data subject’s unambiguous consent or reliance on the ‘legitimate interests’ basis.
- Providing individuals with fair processing information explaining their personal data will be used for marketing purposes and on what legal basis this takes place.
- Implementing appropriate technical and organisational measures to protect the personal data processed.
- Not exporting personal data outside of the European Economic Area (EEA) unless adequate protection is in place.
- Fully satisfying all other compliance duties under the GDPR.
What are the marketing requirements under ePrivacy laws?
-When sending digital marketing, data controllers must comply with the specific rules set out in the ePrivacy Directive.
-This includes consent and information requirements for marketing by phone, fax, electronic mail, SMS, instant messaging, push notifications, and other messages.
-Most forms of digital marketing require prior opt-in consent, although a limited exemption exists for email marketing communicated on an opt-out basis to individuals whose details were collected in the context of the sale of a product or service.
How does online behavioural advertising (OBA) work?
-OBA is website advertising targeted at individuals based on the observation of their behaviour over time.
-Advertisers instruct third-party advertising networks to serve advertising on their behalf.
-The ad network places a cookie on the individual’s computer, assigns a unique identifier to the cookie, and records information about the individual’s behaviour.
-When the individual revisits the website or another partnered website, the ad network examines the cookie and delivers advertising based on the individual’s likely interests.
What are the GDPR compliance requirements for OBA?
-GDPR states that information collected for OBA should qualify as personal data.
-OBA methods entail the processing of personal data, allowing the tracking of users even when dynamic IP addresses are used.
-The European Court of Justice (ECJ) has clarified that social media providers, publishers, and ad networks can be considered joint controllers under EU data protection law.
-The EDPB has provided guidelines on targeting social media users, emphasizing the need for a legal basis and compliance with GDPR requirements.
What are the consent requirements for postal marketing?
-There is no express requirement in the GDPR to obtain individuals’ consent to send direct postal marketing.
-However, some member states’ national rules mandate a requirement for consent.
-In the absence of a mandated national requirement, data controllers may rely on their legitimate interests as an alternative lawful ground, considering factors such as whether the individual is an existing customer, the nature of the products and services, and previous communications.
What are the ePrivacy laws related to OBA?
-The ePrivacy Directive applies to OBA regardless of whether the information collected constitutes personal data.
-Article 5(3) of the ePrivacy Directive states that the use of cookies to store or access information on an individual’s device is allowed only with the individual’s consent, having been provided with clear and comprehensive information.
-The consent requirement under the ePrivacy Directive is identical to the consent requirement under the GDPR.
What changes are proposed in the new ePrivacy Regulation?
-The new ePrivacy Regulation will repeal and replace the ePrivacy Directive and provide updated rules for unsolicited commercial communications and website analytics. Proposed changes include:
- Territorial scope: The rules apply to the processing of data of users located in the European Union.
- Consent: Consent requirements will be aligned with those of the GDPR and extend to legal persons.
- Opt-in for marketing messages: Explicit consent is required, with a soft opt-in for messages related to the sender’s own similar products or services.
- Cookie and tracking data: Strict regulations for content and metadata, with consent required for use.
- Further compatible use: Allows further use of data obtained, subject to a positive compatibility assessment.
What are the consent requirements for marketing by electronic mail?
-The ePrivacy Directive requires prior opt-in consent from individuals to send them marketing by electronic mail.
-Data controllers typically achieve this by presenting individuals with a fair processing notice at the time their data are collected.
-The ePrivacy Directive allows a limited exemption for direct marketing by electronic mail to individuals whose details were obtained in the context of the sale of a product or service, provided certain conditions are met.
What are the consent requirements for telephone marketing?
-There is no express requirement in the ePrivacy Directive to obtain individuals’ consent for person-to-person telephone marketing, although consent is necessary for automated calling systems.
-Member states may decide under their national laws whether person-to-person telephone marketing should be conducted on an opt-in or opt-out basis.
-Most member states have implemented national opt-out registers for telephone marketing.
What are the consent requirements for fax marketing?
-The ePrivacy Directive requires prior opt-in consent from individuals to send them fax marketing.
-Data controllers typically achieve this by presenting the individual with a fair processing notice at the time their personal data are collected.
-The treatment and permissibility of B2B direct fax marketing vary amongst member states, and data controllers must have a lawful basis under the GDPR to process employees’ personal data before instigating B2B fax marketing.
What are the consent requirements for location-based marketing?
-The ePrivacy Directive requires individuals to give opt-in consent to the use of their location data to provide a value-added service, including location-based marketing services.
-Data controllers must inform individuals of the types of location data collected, the purposes and duration of the processing, and whether the data will be transmitted to a third party.
-Data controllers must offer individuals the ability to withdraw their consent and only process location data to the extent and duration necessary to provide the service.
What are the enforcement risks for non-compliance with the GDPR and ePrivacy Directive?
-Data controllers that fail to comply with the GDPR and ePrivacy Directive expose themselves to enforcement risks, including fines and administrative sanctions by DPAs, as well as civil and criminal liability.
-The nature and likelihood of enforcement risk can vary significantly across member states.
-In some EU member states, enforcement of ePrivacy regulations is in the hands of consumer protection and telecoms regulators rather than the DPA.