It seems like each week there's new information, perspectives and guidance around what companies - specifically, marketers, in our case - need to do to ensure they comply with GDPR. As a global organization, we have a pretty large team in place that's focused on GDPR compliance - including all of the transformation activities associated with it. Since there's still some cloudiness around gaining proper consent (email opt-ins, cookie consent, data storage/processing, etc.), our legal team sent over this link to a blog post (dated November 2017) from a law firm in Europe: Re-consenting to marketing under GDPR? - Privacy, Security and Information Law Fieldfisher. Some of the information is pretty eye-opening - and if indeed accurate - paints a somewhat favorable scenario for marketers (especially for those that market to existing customers (who were given the ability to opt-out when they became customers); and those that have obtained prior consent for many of the contacts in their database). For example:
Marketing under the GDPR is regulated exactly like any other data processing activity. This means that you have to show that you have a lawful basis under Art 6 to conduct direct marketing, and this lawful basis does not necessarily have to be consent-based. In fact, it often won’t be. This is because the GDPR acknowledges that direct marketing will often be a ‘legitimate interest’ of the data controller (legitimate interests being a non-consent based ground for data processing) and therefore consent to direct marketing is often not required under the GDPR. Recital 47 of the GDPR actually says that: “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
Much of the direct marketing that businesses send today is sent lawfully on the basis of opt-out, not opt-in (i.e. consent). In these instances, there is therefore no legal requirement for these businesses to seek fresh consents under the GDPR because their marketing was never based on consent (opt-in) in the first place.
The blog then goes into some detail around the ePrivacy Directive - which contains supplemental rules governing consent requirements for digital marketing - which is itself going through some significant reform and will be replaced by a new ePrivacy Regulation (hopefully May 25, but I've heard as late as 2019) - keep in mind this is still a draft:
The original draft of the e-Privacy Regulation proposed by the Commission largely retains (at Art 16) existing e-marketing rules as they apply under the current e-Privacy Directive. The European Parliament has, to date, seemed relatively accepting of at least this aspect of the Commission’s proposed reforms, making it likely that opt-out e-marketing will remain possible once the e-Privacy Regulation is finally adopted.
The current ePrivacy Directive - as most of you know - requires opt-in consent for marketing emails. Unless - and here's the kicker:
...an individual’s contact details were collected in the context of a sale and the individual was given the ability to opt-out at that time. If so, first party e-mail and SMS marketing is possible on an opt-out basis.
Consequently, much of the direct marketing that businesses send today is sent lawfully on the basis of opt-out, not opt-in (i.e. consent). In these instances, there is therefore no legal requirement for these businesses to seek fresh consents under the GDPR because their marketing was never based on consent (opt-in) in the first place.
Again, this is specific to companies that practice lawful opt-out marketing per the above statements (and the additional detail contained within the blog post).
The blog then provides the following summary:
- Much direct marketing (both snail mail marketing and e-marketing) is possible today on the basis of opt-out. Opt-in consent can be used, but is seldom legally required;
- The GDPR does not change this position and, in particular, does not make opt-in consent a mandatory requirement for direct marketing - it acknowledges that marketing can be conducted in reliance on legitimate interests; but
- The forthcoming e-Privacy Regulation seems likely to continue to allow opt-out based e-marketing in many cases, though marketing teams should monitor developments here closely.
Interested to hear your thoughts.