At the same time, with the enforcement of the GDPR, there is evidence of increasing awareness of data protection rights combined with a simultaneous loss of trust in online spaces. Hence, marketers must tread cautiously. In this blog post about marketing under the GDPR, we discuss 7 common questions marketers must know about.
Personal data in the online marketing sphere in the EU is regulated by two laws: the general law on data protection, i.e., the GDPR, and the ePrivacy Directive. The ePrivacy Directive supplements the GDPR and is generally considered lex specialis for the subject matters that it covers, i.e., electronic communication services. Electronic communication includes communication using the internet (such as emails, applications, etc.), telephonic communication, instant messaging services and so on.
A few of the specific purposes for which personal data of users is processed in order to assist and develop online marketing strategies are as follows:
All processing of personal data must rest on one of the lawful grounds of processing listed in Article 6 of the GDPR. Furthermore, each processing activity (or set of processing activities) must have a specific purpose, and the lawful ground must be aligned with that purpose. As stated in 1 above, where personal data is processed in the context of electronic communication services, care must be taken to examine whether the processing falls within the scope of the ePrivacy Directive.
In 2 above, we have identified five specific purposes for which personal data may be processed in the context of online marketing. From these five purposes, three specific processing contexts emerge: (a) Marketing analytics; (b) Targeted content marketing; and (c) Direct online communication.
Recital 47 of the GDPR states that direct marketing may be based on ‘legitimate interests’ of the controller. However, that does not mean that you can rely upon it by default. As a first step, you must check the applicability of the grounds mentioned in point 3 above. If they are applicable, prior consent must be obtained in any case.
Reliance on ‘legitimate interests’ is based on a balancing exercise between the benefits/interests pursued and the effect on the rights and interests of the data subjects. Provided that the interests of the controller (or a third party) are sufficiently definite, and as long as the rights of the data subjects do not override those interests, it may be possible to rely on this ground.
Some factors to be considered while determining the legitimacy of this ground are:
The ePrivacy Directive provides specific circumstances where it is in the legitimate interest of the controller to pursue certain marketing activities. This is specific to existing customers. Article 13(2), read with Recital 41 of the ePrivacy Directive, states that where contact details have been obtained from customers in the context of the sale of a product/service, the same contact details may be used for direct online marketing of similar products or services, provided that a clear, distinct and free-of-charge opt-out mechanism is offered to the customers with each message. This is sometimes referred to as a “soft opt-in”. Please note that this does not extend to a third party’s products/services.
An example would be when visitors to your website have expressed interest in your products or services by signing up or filling in an enquiry form. You can rely on legitimate interests to send them communication about similar services that you offer. However, even in these cases, you must comply with additional conditions (refer to point 5 below).
While using legitimate interests as a processing ground, make sure that an express right to object or opt out is provided to data subjects and that they are clearly informed of this right, along with the manner in which they may exercise it. Please ensure that the opt-out mechanism is user-friendly. For instance, when sending promotional material to customers via email, you could provide an “unsubscribe” link that simply requires users to click on it without any further action. From a practical perspective, it is worth reviewing how ‘opt-outs’ are managed across the organisation, taking care that they do not escape notice and are implemented without undue delay.
The central GDPR principles of transparency and accountability must always be complied with. Therefore, relying on legitimate interests does not absolve you of your responsibility to honour data subjects’ right to information.
There are certain standard requirements for consent under the GDPR, i.e., consent must be informed, freely given and specific. Explicit consent, however, holds the data controller to higher standards of accountability, meaning that not only must the consent comply with the standard requirements, but it must also be obtained in such a manner that it leaves no room for misinterpretation on the part of the data subjects.
In the context of marketing, explicit consent must be obtained from data subjects wherever reliance is placed on profiling or automated decision-making. This is inferred from Article 22 of the GDPR, which recognises that automated decision-making and profiling can have significant and serious consequences for individuals. In the case of advertising, this could be the exclusion of or discrimination against individuals, decisions affecting individuals’ free choice, etc. The criteria that the Article 29 Working Party recommends you rely upon when determining the necessity of explicit consent include:
If you are running advertisements on third-party websites, please be aware that these websites may be collecting personal data from users who click on your advertisements. You may think that this does not implicate you, since the users are on another website whose privacy policy and terms and conditions apply. However, do note that in many cases the information collected when users click on your advertisements is subject to a different privacy policy or a specific data processing agreement between you and the website. In many cases, this agreement will explicitly state that personal data is processed by the website on your behalf, making you, in turn, the controller under the GDPR. Oftentimes, it includes prohibitions on transferring personal data to them. However, in practice, you are bound by their terms and have no actual control over the data that they process.
So, make sure that you review the terms and conditions when signing up for advertising space with any third-party website. Involve your legal department and put questions to the website’s privacy officer if you need to. If nothing else, at least make sure that the personal data processing is limited and the purposes/uses are clearly identified.
In many cases, these campaigns are tied to tracking/conversion pixels that are placed on your website. Make sure you know how the technology works and what information is actually collected by these cookies before you place them on your website. Read more about cookies here.