Is Direct Marketing only allowed with Customer Consent post GDPR?

With the GDPR launch date approaching, we’ve decided to continue our GDPR industry insights by publishing our second article on the topic of customer marketing communication and GDPR compliance.

This time, we engaged with Data Privacy experts and Think Privacy AB co-founders Alexander Hanff and Fredrik Norberg to discuss their opinion on how iGaming operators should best approach this. Hanff is recognised as one of Europe’s leading privacy advocates and experts, whilst Norberg is a leading specialist in European Data Protection, with a strong background in multinational corporations.

As Axel Tandberg stated in our previously published PM, Hanff and Norberg also argue that there is no requirement under GDPR to ask customers for active consent in order to communicate with them for marketing purposes. Instead of asking customers to tick boxes, operators will find the legal ground of “Legitimate Interest” quite adequate. Legitimate Interest would also include many advantages both for the operator and it’s customers. Hanff and Norberg also dive a little deeper into the ePrivacy Directive, how it relates to GDPR and how this impacts an operator’s marketing.

Direct Marketing Without Consent

GDPR has swept through Europe and left very few online industries untouched. However, we still have a great deal to learn before we can fully understand the impact on how we process data.

One area impacted is marketing. There is a great deal of confusion over what type of marketing activities are permitted and which legal bases exist for these activities. The intent of this article is to clarify these issues and provide clarity. Firstly, marketing activities are not exclusively based on consent, and furthermore, most marketing activities are not regulated by GDPR, but through the ePrivacy Directive (soon to be replaced by a new ePrivacy Regulation).

Direct Marketing

When performing direct marketing towards customers and potential customers in Europe, as stated above there are two specific legal instruments you need to consider, (i) General Data Protection Regulation (GDPR) and (ii) e-Privacy Directive (ePD).

GDPR regulates processing of personal data, or in terms of marketing; the data that drives and pinpoints your activities. There are a few differences between application in some EU Member States but generally it is a fairly even playing field from one Member State to the next. However, GDPR only regulates how you process personal data, when it comes to how you communicate with existing or potential customers using electronic means (postal marketing is not restricted in the same ways), your activities are regulated by the ePD.

The problem with ePD is that it is a Directive not a Regulation, which means that different Member States have interpreted and applied the law in their own way; in other words, there are 28 different sets of rules to consider when performing direct marketing using electronic communications, and they are only similar on a very generic level.

The good news is that one of the requirements of the GDPR was to review the ePD with a mind to replace it with a new Regulation and this has been going through the legislative process since early last year. As it currently stands, we expect to have a finalised ePrivacy Regulation by spring 2019, which will come into force in early 2020; and because it is a Regulation it will be applied the same in all Member States (just like GDPR). That said, we still need to consider the 28 different applications of the ePD for direct marketing until the new Regulation comes into force.

So, what does this mean? Well, in short; first you must ensure that you collect and use personal data in compliance with GDPR; and then you must ensure your marketing activities comply with the ePD – that doesn’t mean you can’t conduct Direct Marketing – you just have to make sure you follow the rules.

When collecting and processing personal data for direct marketing purposes, there are two legal methods for doing this; either with consent from the data subject (the person you want to direct your marketing at) or as a legitimate interest of the business. Depending on your course of action, the consequences are quite different, so let us look at each in turn.

Direct marketing based on legitimate interest

GDPR specifically states that Direct Marketing may be regarded as a legitimate interest. It also states that data subjects have an absolute right to object to Direct Marketing. Legitimate interest cannot be used to simply circumvent the rights of the data subject. It still has to be lawful.

So, in order to use legitimate interest you must consider all other laws which may have some regulatory control of your activities. As we already stated, sending direct marketing via electronic communications is regulated by the ePrivacy Directive, which means if you comply with the ePD it is likely you can use Legitimate Interest.

In most circumstances, in order to comply with the ePD for the purposes of Direct Marketing, you must either have an existing relationship “in the context of the sale of a product or service” or you must have consent.  Since we are dealing with consent in the next section, let us look at what we mean by an existing relationship.

Under ePD if you have obtained the electronic contact details (email address or cell phone number etc.) of a data subject in the context of a sale (including quotes) it is considered that you have an existing relationship. In this case it is possible to engage in Direct Marketing of your products and services which are similar to the original sale (so you cannot market insurance at someone who purchased a cabbage) providing that the data subject had a simple opportunity to opt-out of direct marketing at the point their contact details were obtained and are given the same opportunity to opt-out in every direct marketing message they receive. These rules apply for emails and SMS messages and in some cases faxes.

With regards to telephone calls it is a little more complex because as we previously stated that different Member States applied the ePD in different ways. As a general rule it is permissible to make unsolicited marketing calls unless the data subject objects – one of the methods of objecting is to sign up to a “do not call” register and as such it is important that you screen all calls against any “do not call” registers in the Member State you are directing your calls. If you make Direct Marketing calls to phone numbers which are listed on such a register you could face potential fines, so it is in your best interest to check the registers.

If a number is listed on a register, it may still be possible to call it if the data subject has provided prior consent (see consent section below) for you to use direct marketing with them.

However, if the number is not registered, it is usually safe to make the call (you should however be aware of any Member State laws relating to the use of “automated” dialling technologies as these technologies may be treated differently), it should be noted however, that if there is any other personal data attached to the telephone number it must be processed under the rules of GDPR, which means if that personal data has not been collected in a fair and lawful fashion it cannot be used to make marketing calls.

So, based on the above we can regard the use of Direct Marketing as a legitimate interest if these conditions are met because the data is being used in a lawful fashion – if the data is not being used in a lawful way (for example, does not comply with the ePrivacy Directive) you cannot use legitimate interest as a legal basis for Direct Marketing.

Direct marketing based on consent

Direct Marketing based on consent is in some ways easier but in other ways more difficult than using Legitimate Interest.

First of all, you must understand what consent is:

  • It must be freely given;
  • It must be for a specific purpose;
  • The person must understand what they are consenting to.

So if we take the first point, you need to understand that consent cannot be obtained as a condition of accessing a service (unless it is necessary for the provision of the service). It is therefore unlikely that requiring a person to consent to direct marketing in order to use a service would be considered as freely given consent.

The second point means that you cannot obtain consent for one purpose and then use the data for another unless there is a reasonable expectation by the data subject that their data will be used in this new way. As you would probably expect, this is a difficult thing to prove so it is widely recommended to avoid. This means for example, that if a person agrees to receive direct marketing by email, it’s not ok to conduct direct marketing activities over the telephone.

For the third point, in order for the data subject to understand what they are consenting to, you must provide them with all the relevant information in plain language.

Furthermore, under GDPR it is now required that you are able to prove you have obtained consent, which means you must somehow record the consent process, such as having a check box which is initially empty but when selected, stores a record in a database indicating it has been selected, when, from which IP address etc.

So whereas consent might seem like an obvious way to conduct Direct Marketing it is not without its challenges.

Right to Object

It is important to understand however, that whether you use Legitimate Interest or Consent as your legal basis for Direct Marketing, data subjects have an absolute right to object to Direct Marketing which means that should they request you stop marketing to them, you must honour that request and cease all direct marketing activities.

Unlike Legitimate Interest used for other processing activities, where the data subject has a right to object but it is not an absolute right – in the case of using Legitimate Interest for Direct Marketing, because they have an absolute right to object to Direct Marketing – that is an absolute right irrespective of the legal basis used.

Of course, if a person does request you cease marketing activities towards them, you are then obligated to ensure that other principles of GDPR are met such as storage limitation, purpose limitation and data minimisation.  In other words, if someone ask you to cease your direct marketing activities towards them and you have their data only for such a purpose, it is likely you would be required to delete that data.

Conclusion

So as you can see – consent is not the only means for conducting Direct Marketing activities but if you choose to use Legitimate Interest you must ensure it is lawful and complies with the ePrivacy Directive (or other laws which may impact how you are permitted to conduct marketing activities).  In the case of unsolicited telephone marketing you should screen against ”do not call” registers and in all cases of unsolicited direct marketing, you must provide an opportunity for the data subject to opt-out.

If you use consent, you must ensure that it is freely given, for a specific purpose and is informed; you must also be able to prove that consent was obtained which means there must be some way for you to record consent at the point it is given.

Alexander Hanff, co-founder of Think Privacy, has a decade of experience in the global privacy and data protection arena. Recognised as one of Europe’s leading privacy advocates and experts, Alexander has been deeply involved in the development of European law including the GDPR and ePR and also acted as expert advisor to the European Parliament Rapporteur.

Fredrik Norberg, co-founder of Think Privacy, is an LL.M., CIPP/E and a specialist in European Data Protection Law and graduated law school with a thesis on the general obligations established by GDPR. Fredrik has a strong background of working in both large multinational corporations as of small start-ups.

To read our previous PM on ‘How to Communicate with Players post GDPR’, written by Axel Tanberg, Senior Advisor at PrivacyWorks, click here.