{"id":4576,"date":"2018-05-22T10:49:45","date_gmt":"2018-05-22T09:49:45","guid":{"rendered":"https:\/\/www.infolaw.co.uk\/newsletter\/?p=4576"},"modified":"2018-05-22T13:26:39","modified_gmt":"2018-05-22T12:26:39","slug":"re-consenting-marketing-gdpr","status":"publish","type":"post","link":"https:\/\/www.infolaw.co.uk\/newsletter\/2018\/05\/re-consenting-marketing-gdpr\/","title":{"rendered":"Re-consenting to marketing under GDPR?"},"content":{"rendered":"<p>One of the questions we\u2019ve most commonly been asked in recent months is \u201cdoes the GDPR mean we have to get fresh consents from our entire marketing database?\u201d In many (indeed, perhaps most) cases, the answer is \u201cno\u201d \u2013 though the explanation for this is not all that straightforward, and so the confusion here is easy to understand.<\/p>\n<p>This confusion stems in large part from Recital 171 of the GDPR, which reads: \u201cWhere processing is based on consent pursuant to Directive 95\/46\/EC, it is not necessary for the data subject to give his or her consent again <em>if the manner in which the consent has been given is in line with the conditions of this Regulation<\/em>, so as to allow the controller to continue such processing after the date of application of this Regulation\u201d (emphasis added).<\/p>\n<p>The idea here is that, if you collected consent for data processing pre-GDPR, then you can continue to rely on that consent post-GDPR. So far, so good. But the sting in the tail is that this holds true only if the consent you obtained pre-GDPR was obtained to a GDPR standard \u2013 ie the consent was \u201cunambiguous\u201d and demonstrable (ie auditable) in line with the requirements of Art 7. Since these requirements didn\u2019t apply pre-GDPR, it follows for most businesses that the consents they obtained pre-GDPR won\u2019t be valid once the GDPR comes into effect \u2013 and so they may need to go out and get new GDPR-standard consents. 
That, or accept the risk of non-compliance.<\/p>\n<p>At this point, you might be thinking \u201cSo all our marketing consents are invalid? Do we really have to go and get fresh marketing consents from x thousand \/ million customers?\u201d Things are not quite as bleak for marketers as it may seem, however.<\/p>\n<h3>Marketing regulation under the GDPR<\/h3>\n<p>To begin with, marketing under the GDPR (whether postal, phone, email, SMS or any other form of marketing) is regulated exactly like any other data processing activity. This means that you have to show that you have a lawful basis under Art 6 to conduct direct marketing, and this lawful basis does not necessarily have to be consent-based. In fact, it often won\u2019t be. This is because the GDPR acknowledges that direct marketing will often be a \u201clegitimate interest\u201d of the data controller (legitimate interests being a non-consent based ground for data processing) and therefore consent to direct marketing is often not required under the GDPR. Recital 47 of the GDPR actually says that:<\/p>\n<blockquote><p>\u201cThe processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.\u201d<\/p><\/blockquote>\n<p>This means, for example, that if a business wishes to send postal marketing about a new product to its customer base, it can often do so in reliance on its \u201clegitimate interests\u201d \u2013 it generally does not need its customers\u2019 consent to this mailing. It will, however, always need to offer them an opt-out (Art 21(2)).<\/p>\n<h3>Marketing regulation under the e-Privacy Directive<\/h3>\n<p>Marketing regulation under the GDPR is only half the story, however. 
Europe also has a separate law \u2013 the Privacy and Electronic Communications Directive (or e-Privacy Directive) that contains supplemental rules governing consent requirements for e-marketing, ie marketing sent over electronic communication channels (such as phone, fax, email and SMS, for example). When sending e-marketing, these supplemental consent rules apply in addition to the need for businesses to identify lawful processing grounds under the GDPR.<\/p>\n<p>Put as simply as possible, these rules require opt-in consent for email and SMS marketing, unless an individual\u2019s contact details were collected in the context of a sale and the individual was given the ability to opt-out at that time. If so, first party email and SMS marketing is possible on an opt-out basis (though third party email and SMS marketing still require opt-in). Similarly, phone direct marketing is also generally possible on the basis of opt-out provided the call list is first screened against the relevant country\u2019s national do-not-call registry (as well as the business\u2019s in-house opt-out list).<\/p>\n<p>Consequently, much of the direct marketing that businesses send today is sent lawfully on the basis of opt-out, not opt-in (ie consent). In these instances, there is therefore no legal requirement for these businesses to seek fresh consents under the GDPR because their marketing was never based on consent (opt-in) in the first place.<\/p>\n<h3>Looking forward to the e-Privacy Regulation<\/h3>\n<p>This is not quite the end of the story, however. The e-Privacy Directive is, itself, undergoing reform presently \u2013 to be replaced by a new e-Privacy Regulation at some point in the future. The European Commission originally set an optimistic goal of achieving adoption of the e-Privacy Regulation by May 2018 \u2013 ie to see it enter into force at the same time as the GDPR \u2013 though this timeline has not been achieved. 
Sometime in early 2019 now looks more realistic.<\/p>\n<p>Nevertheless, broadly speaking, the original draft of the e-Privacy Regulation proposed by the Commission largely retains (at Art 16) existing e-marketing rules as they apply under the current e-Privacy Directive. The European Parliament has, to date, seemed relatively accepting of at least this aspect of the Commission\u2019s proposed reforms, making it likely that opt-out e-marketing will remain possible once the e-Privacy Regulation is finally adopted.<\/p>\n<p>Still, it is worth remembering that it is only draft law at present and so e-marketing rules may evolve further as the Council of the EU and the Parliament enter their trilogue negotiations. Marketers will need to monitor developments here closely.<\/p>\n<h3>The law of unintended consequences?<\/h3>\n<p>While it will be good news for businesses that their existing lawful opt-out marketing is generally unaffected by GDPR, businesses which previously sought opt-in consent may now find themselves technically needing to refresh those consents for GDPR compliance \u2013 an ironic result for businesses that had previously looked beyond strict legal compliance and had taken a best practice, opt-in approach to marketing.<\/p>\n<p>These businesses will undoubtedly also be acutely aware that, if they ask their customers to re-consent, many simply won\u2019t bother \u2013 making their decision of whether to approach customers and ask for fresh consents under the GDPR one of choosing between the lesser of two evils: either putting at risk valuable marketing contacts or risking non-compliance.<\/p>\n<h3>Summary<\/h3>\n<ul>\n<li>Much direct marketing (both snail mail marketing and e-marketing) is possible today on the basis of opt-out. 
Opt-in consent can be used, but is seldom legally required;<\/li>\n<li>The GDPR does not change this position and, in particular, does not make opt-in consent a mandatory requirement for direct marketing \u2013 it acknowledges that marketing can be conducted in reliance on legitimate interests; but<\/li>\n<li>The forthcoming e-Privacy Regulation seems likely to continue to allow opt-out based e-marketing in many cases, though marketing teams should monitor developments here closely.<\/li>\n<\/ul>\n<p>So if you find yourself pressed by your marketing teams to advise if they need fresh consents for their continuing direct marketing activities post-GDPR, your starting point should be to look at whether they are conducting those activities lawfully today and, if so, the lawful basis on which those activities are conducted (both under the Data Protection Directive and the e-Privacy Directive).<\/p>\n<p>If marketing is already lawfully conducted on an opt-out basis, the GDPR is unlikely to change this (or require new consents to be sought). If conducted on an opt-in basis, then further review and risk assessment may be needed.<\/p>\n<p><em>Phil Lee is a partner in <a href=\"http:\/\/www.fieldfisher.com\">Fieldfisher<\/a>\u2019s Privacy, Security and Information law group, working out of the London team. He also founded Fieldfisher\u2019s Silicon Valley office in California in 2012. Email <a href=\"mailto:phil.lee@fieldfisher.com\">phil.lee@fieldfisher.com<\/a>. 
Twitter @<a href=\"https:\/\/twitter.com\/EUPrivacyLawyer\">EUPrivacyLawyer<\/a>.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>One of the questions we\u2019ve most commonly been asked in recent months is \u201cdoes the GDPR mean we have to get fresh consents from our entire marketing database?\u201d In many (indeed, perhaps most) cases, the answer is \u201cno\u201d \u2013 though the explanation for this is not all that straightforward, and so the confusion here is [&hellip;]<\/p>\n","protected":false},"author":226,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[48,140],"tags":[],"class_list":["post-4576","post","type-post","status-publish","format-standard","hentry","category-data-protection","category-digital-marketing"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.8 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\r\n<title>Re-consenting to marketing under GDPR? - Internet for Lawyers Newsletter<\/title>\r\n<meta name=\"description\" content=\"One of the questions we\u2019ve most commonly been asked in recent months is \u201cdoes the GDPR mean we have to get fresh consents from our entire marketing\" \/>\r\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\r\n<link rel=\"canonical\" href=\"https:\/\/www.infolaw.co.uk\/newsletter\/2018\/05\/re-consenting-marketing-gdpr\/\" \/>\r\n<meta property=\"og:locale\" content=\"en_GB\" \/>\r\n<meta property=\"og:type\" content=\"article\" \/>\r\n<meta property=\"og:title\" content=\"Re-consenting to marketing under GDPR? 
- Internet for Lawyers Newsletter\" \/>\r\n<meta property=\"og:description\" content=\"One of the questions we\u2019ve most commonly been asked in recent months is \u201cdoes the GDPR mean we have to get fresh consents from our entire marketing\" \/>\r\n<meta property=\"og:url\" content=\"https:\/\/www.infolaw.co.uk\/newsletter\/2018\/05\/re-consenting-marketing-gdpr\/\" \/>\r\n<meta property=\"og:site_name\" content=\"Internet for Lawyers Newsletter\" \/>\r\n<meta property=\"article:published_time\" content=\"2018-05-22T09:49:45+00:00\" \/>\r\n<meta property=\"article:modified_time\" content=\"2018-05-22T12:26:39+00:00\" \/>\r\n<meta name=\"author\" content=\"Phil Lee\" \/>\r\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\r\n<meta name=\"twitter:creator\" content=\"@nickholmes\" \/>\r\n<meta name=\"twitter:site\" content=\"@nickholmes\" \/>\r\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Phil Lee\" \/>\n\t<meta name=\"twitter:label2\" content=\"Estimated reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\r\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.infolaw.co.uk\/newsletter\/2018\/05\/re-consenting-marketing-gdpr\/\",\"url\":\"https:\/\/www.infolaw.co.uk\/newsletter\/2018\/05\/re-consenting-marketing-gdpr\/\",\"name\":\"Re-consenting to marketing under GDPR? 
- Internet for Lawyers Newsletter\",\"isPartOf\":{\"@id\":\"https:\/\/www.infolaw.co.uk\/newsletter\/#website\"},\"datePublished\":\"2018-05-22T09:49:45+00:00\",\"dateModified\":\"2018-05-22T12:26:39+00:00\",\"author\":{\"@id\":\"https:\/\/www.infolaw.co.uk\/newsletter\/#\/schema\/person\/b94fe915e54da2c9913dbbf147b4cb3b\"},\"description\":\"One of the questions we\u2019ve most commonly been asked in recent months is \u201cdoes the GDPR mean we have to get fresh consents from our entire marketing\",\"breadcrumb\":{\"@id\":\"https:\/\/www.infolaw.co.uk\/newsletter\/2018\/05\/re-consenting-marketing-gdpr\/#breadcrumb\"},\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.infolaw.co.uk\/newsletter\/2018\/05\/re-consenting-marketing-gdpr\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.infolaw.co.uk\/newsletter\/2018\/05\/re-consenting-marketing-gdpr\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.infolaw.co.uk\/newsletter\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Re-consenting to marketing under GDPR?\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.infolaw.co.uk\/newsletter\/#website\",\"url\":\"https:\/\/www.infolaw.co.uk\/newsletter\/\",\"name\":\"Internet for Lawyers Newsletter\",\"description\":\"Edited by Nick Holmes\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.infolaw.co.uk\/newsletter\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-GB\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.infolaw.co.uk\/newsletter\/#\/schema\/person\/b94fe915e54da2c9913dbbf147b4cb3b\",\"name\":\"Phil 
Lee\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\/\/www.infolaw.co.uk\/newsletter\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/048a70172aed66305c37a5ab74140aac1b7d2ecfb1896af82e5c17695e9d217a?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/048a70172aed66305c37a5ab74140aac1b7d2ecfb1896af82e5c17695e9d217a?s=96&d=mm&r=g\",\"caption\":\"Phil Lee\"},\"description\":\"Phil Lee is a partner in Fieldfisher\u2019s Privacy, Security and Information law group, working out of the London team. He also founded Fieldfisher\u2019s Silicon Valley office in California in 2012. Email phil.lee@fieldfisher.com. Twitter @EUPrivacyLawyer.\",\"sameAs\":[\"http:\/\/www.fieldfisher.com\"],\"url\":\"https:\/\/www.infolaw.co.uk\/newsletter\/author\/phillee\/\"}]}<\/script>\r\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"https:\/\/www.infolaw.co.uk\/newsletter\/wp-json\/wp\/v2\/posts\/4576","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.infolaw.co.uk\/newsletter\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.infolaw.co.uk\/newsletter\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.infolaw.co.uk\/newsletter\/wp-json\/wp\/v2\/users\/226"}],"replies":[{"embeddable":true,"href":"https:\/\/www.infolaw.co.uk\/newsletter\/wp-json\/wp\/v2\/comments?post=4576"}],"version-history":[{"count":3,"href":"https:\/\/www.infolaw.co.uk\/newsletter\/wp-json\/wp\/v2\/posts\/4576\/revisions"}],"predecessor-version":[{"id":4615,"href":"https:\/\/www.infolaw.co.uk\/newsletter\/wp-json\/wp\/v2\/posts\/4576\/revisions\/4615"}],"wp:attachment":[{"href":"https:\/\/www.infolaw.co.uk\/newsletter\/wp-json\/wp\/v2\/media?parent=4576"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.infolaw.co.uk\/newsletter\/wp-json\/wp\/v2\/categories?post=4576"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.infolaw.co.uk\/newsletter\/wp-json\/wp\/v2\/tags?post=4576"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}