What is direct marketing?
Direct marketing is an advertising strategy that is deployed by many companies. It allows you to directly target the promotion of your products or services, in order to trigger an action (e.g. to visit a website or to buy something) in a selected group of consumers that have been identified as potential buyers. Electronic direct marketing frequently takes the form of emails, texts, picture messages, video messages, voicemails, direct messages via social media or any similar message stored electronically.
By targeting end-users with electronic direct marketing communications, companies are processing personal data as defined in the GDPR. However, the rules governing direct marketing communications are not only to be found in the GDPR, additionally the ePrivacy Directive (to be replaced by the ePrivacy Regulation) imposes specific rules in case of direct marketing communications.
How to justify direct marketing?
In the context of direct marketing, consent is key! Under the ePrivacy legislation, you need to obtain consent from the targeted individual before sending direct marketing communications in electronic form – marketing texts, emails or calls. The ePrivacy legislation prevails over the GDPR and therefore limits the possibility for controllers to rely on another legal basis in the list of article 6 GDPR. For the interpretation of consent the legislator has pointed to the strict interpretation to be found in the GDPR.
Upon request, a small building company provides potential clients with brochures setting out information about how the company works, the materials it works with etc. The request needs to be made by filling in an online form. Through this online form, the company also asks for the persons’ home address and email address, not only to be able to deliver the brochure but also to send them marketing messages about upcoming projects and events in the future. The company only allows the requesting individuals to opt-out of receiving marketing messages in case they untick three boxes covering marketing emails, post and text messages. However, unticking all three boxes results in the fact that the brochure will not be sent. This practice is not GDPR compliant.
Not valid: “By registering, you agree to receiving email marketing messages from us. If you do not want to receive such messages, tick here: ”
Additional obligations when relying on ‘direct marketing’:
Essential here is that, through the accountability principle, the GDPR requires you to be able to demonstrate that you have obtained consent for direct marketing. This means that you must keep evidence of who, when, how, and what you told people in the context of requesting consent. Also, very important in this regard is that the individuals concerned have the right to withdraw their consent at any time. Moreover, you need to make sure they can withdraw consent equally as easy compared to the granting of consent.
When is no consent needed?
Important to know is that under certain conditions you are still allowed to process contact details for direct marketing purposes when you did not obtain consent, however, only in cases where the exemption to the ‘opt-in consent rule’ – referred to as the ‘soft opt-in’ – is applicable. The exemption exists when three conditions are met:
While the ePrivacy legislation provides an exemption to the necessity for direct marketing, it does not relieve you from the obligation to ground your processing on one of the legal bases listed in article 6 GDPR.
The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest. This means that, when invoking the soft opt-in, you still have to perform the legitimate interest balancing exercise.
With regard to personal data bases that pre-existed the GDPR, it is not necessary for individuals to give consent again if the manner in which consent has been given complies with the conditions of the GDPR.
The clearest way to obtain consent is to make us of an ‘opt-in box’ that individuals concerned can tick in case they wish to receive direct marketing through specific channels (e.g. email, text messages…).
Example: Tick the boxes if you would like to receive information about our products and any special offers by post / by email / by telephone / by text message / by recorded call
Time for action!
Ask for consent when you engage in direct marketing
Check whether your consent requests are clear and prominent
Be transparent regarding who is sending the marketing messages
As individuals have the right to withdraw consent at any time, ensure that all direct marketing holds information on this right and provides the possibility to withdraw consent (e.g. unsubscribe button)
Make sure you keep clear records of what an individual has consented to, as well as when and how consent was obtained. This is necessary to demonstrate GDPR-compliance in the event of a complaint.