GDPR and ePrivacy Regulation
GDPR and ePrivacy Regulation are two different laws but they work alongside each other.
If you are new to GDPR, check out our basic GDPR guidelines before reading any further.
GDPR is primarily about data processing and addresses associated practices.
On the other hand ePrivacy regulation, scheduled to be ready by 2019, is about electronic marketing communications.
Most of the people are unaware that communications will not only need to comply with GDPR but will also need to obey e-Privacy Directive 2002/58/EC, in case of Malta, Privacy and Electronic Communications Regulations (PECR).
Related post: GDPR: What’s the fuss about?
A new EU ePrivacy Regulation will replace the e-Privacy Directive and several local laws implementing it.
This ePrivacy Regulation will sit alongside GDPR which replaced the Data Protection Directive.A new EU ePrivacy Regulation will replace the e-Privacy Directive Click To Tweet
Marketing under GDPR:
Marketing is regulated under GDPR just like any other processing activity.
This means you need a lawful basis to process data for direct marketing purposes.
The term direct marketing includes postal, phone, e-mail, SMS or any other form of marketing.
You can derive a lawful basis through consent or legitimate interest.
GDPR acknowledges that processing of data for direct marketing purposes may be regarded as a legitimate interest under Recital 47.
This means you can process the data for marketing purposes without consent.
Here’s the catch: –“processing personal data for direct marketing purposes” is not the same as “performing direct marketing” itself. Simply speaking, just like you need a lawful basis to process the data (defined by DPA and GDPR), you need another lawful basis to send email, SMS and automated telephone marketing (defined by PECR and ePrivacy Regulation).
This is why the two laws work together in a marketing context.
Marketing under PECR/ e-Privacy Regulation:
Under PECR, it is mentioned that you can send marketing content to individuals either if you have consent or an existing relationship (soft opt-in).
A soft opt-in applies when you have obtained an individual’s details as part of the sales process, where you’re only marketing your own products / services, and you provide an opt-out in every marketing communication.
Most of the private organisations have been using soft opt-in, also referred to as the opt-out method, for marketing purposes.
So, if you are doing the same, you can continue using the soft opt-in procedure and there is no need for consent, as it appears.
Advanced Marketing under GDPR and e-Privacy Regulation:
If you want to send more targeted marketing campaigns based on tracking demographics, preferences, browser behaviour and related profiling activities, then you need extra data.
All this extra information will help marketing campaigns become more valuable and relevant.
But here is the thing – data protection regulations (DPA and GDPR) will require you to have another lawful basis to process this extra information you obtained for profiling purposes.
For this, you need consent or legitimate interest again. But now you may not choose to rely on legitimate interests because of the below Recital 47:
At any rate the existence of a legitimate interest would need careful assessment, including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place.
This means you can only use legitimate interest as the lawful basis if the data subject can reasonably expect what you are going to do with it at the time of providing the data itself.
It is highly unlikely for any data subject to expect that their data will be used to carry out profiling, segmentation and creating dynamic content, to show them ads on Google, Facebook and so on.
So, legitimate interests may not sound like the most appropriate lawful basis in this situation.
Related post: GDPR: Consent is Not the King
Well, there will still be a way out! You can still use legitimate interest if you follow certain important rules.
You need to make sure that the individual should reasonably expect that the data they provide will be used for profiling.
You can do so by setting the expectation at the point of sign-up. Display that your marketing content contains tailored content, and recommendations based on what they like.
Also, since you are using information in a way that is not expected, you’ll need to inform the individual about what you’re planning to do with their data.
So, it is important to provide a link to the relevant privacy notice section to inform them exactly what you plan to do with the data.
To facilitate this, it is advisable to use a multi-layered privacy notice.
While there are different ways of interpreting a law, it is important to abide by the basic rules of GDPR.
Remember, GDPR is all about transparency and accountability – to ensure all you do is fair and not excessive.
Summary of Marketing under GDPR and ePrivacy Regulation:
The crux of the story is as follows:
• If your marketing plan doesn’t use additional data analytics to do profiling, then you can get away with legitimate interests as your lawful basis for processing data under GDPR and a no consent approach or soft opt-in or opt-out procedure as your lawful basis for performing marketing under PECR/e-Privacy Regulation, provided you always give them an option to unsubscribe. Here you must make sure to send only generalised marketing campaigns.NO CONSENT needed if you don't use personalised marketing based on profiling.Click To Tweet
• If your marketing plan uses profiling, segmentation and dynamic content for re-marketing purposes, then you can still get away with legitimate interests as your lawful basis for processing data under GDPR, provided you have clearly set the expectation during the sign-up process and provide a link to multi-layered privacy notice.
Additionally, you will need consent to serve these cookie and ad analytical tools to be compliant under PECR/ e-Privacy Regulation.
While e-Privacy Regulation is still a draft and scheduled to be ready by 2019, we will have to abide by the rules of PECR which will sit alongside GDPR till then.
We have articulated only about existing clients and marketing under GDPR and ePrivacy Regulation. Our next article will exclusively guide you on how to gain consent from prospective and inactive clients.
Share this Image On Your Site
Disclaimer: While we have checked our sources, it is important for you to seek legal advice related to GDPR compliance. This article does not constitute legal advice.