Chapter 3C: Direct Marketing Flashcards
What is Direct Marketing?
WP29 says…
“to fall under the scope of direct marketing, a communication by whatever means of advertising or marketing material directed at specific individuals.
Messages that do not process personal data to communicate the marketing message or those that are purely service related in nature are not direct marketing.
Re direct marketing, the GDPR applies to…
Direct marketing communications, regardless of delivery
Online advertising target at individuals based on browsing history
What right does the GDPR afford to data subjects re: direct marketing?
An absolute right to object to any form of direct marketing at any time (this extends to processing based on legitimate interest)
What does the GDPR require controllers to do re: direct marketing?
Explicitly/clearly inform individuals of their right to opt out at point of first communication, across all marketing channels
Honour opt out requests in a timely fashion and at no cost
Remove personal data and profiling after an individual has opted out
Controllers should suppress rather than delete contact details because they do not want to risk reacquiring that individual’s details again later
Ensure all compliance requirements under GDPR are met
Postal marketing is not subject to the ePrivacy directive: true or false?
True
Telemarketing is subject to the ePrivacy directive - true or false?
True
Who decides on whether person-to-person telemarketing should be conducted on an opt in or opt out basis?
Member states - however, most member states have implemented national opt-out registers which should be checked against controller’s call lists.
Individuals must be able to opt out for free
What are the rules re: email marketing/SMS marketing in the eprivacy directive?
In general, prior consent is required - limited exemption from the strict opt-in requirement for
direct marketing by electronic mail is allowed to those
individuals whose details the data controller obtained ‘in the context of the sale of a product or service’
The controller must market its own similar products and
services
Individuals must have the ability to opt out at the
time their contact details are collected
Individuals must be reminded of their ability to opt
out in each subsequent marketing communication
what is OBA?
Online Behavioural Advertising.
OBA increasingly happens through third party advertising networks - for example, where…
Third-party advertising networks have relationships with partnering
website publishers that enable them to place cookies on individuals’
computers with unique identifiers
Or
As websites track individuals’ website activities, profiles are assigned
to unique identifiers, enabling ad networks to deliver advertising
based on individuals’ interests
What does the GDPR say about OBA?
Clearly identifies information collected for OBA purposes as personal data; its definition of personal data specifically provides ‘online identifier’ as an example
• According to the former WP29, all parties to a thirdparty ad network relationship potentially may attract compliance responsibilities under the GDPR (the ad network itself, which will often qualify as a controller; a website publisher, which may qualify as a joint controller; and advertisers, which may qualify as independent
controllers.
What does the ePrivacy Directive say about OBA?
Article 5(3) (amended, 2009): The use of cookies to store or access information in an individual’s computer is allowed only on the condition that the individual concerned has given their consent, having
been provided with clear and comprehensive information
the ePrivacy directive will generally apply to OBA regardless of …
Of whether or not information collected from individuals constitutes personal data.
