One of the questions we’ve most commonly been asked in recent months is “does the GDPR mean we have to get fresh consents from our entire marketing database?” In many (indeed, perhaps most) cases, the answer is “no” – though the explanation for this is not all that straightforward, and so the confusion here is easy to understand.
This confusion stems in large part from Recital 171 of the GDPR, which reads: “Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation, so as to allow the controller to continue such processing after the date of application of this Regulation” (emphasis added).
The idea here is that, if you collected consent for data processing pre-GDPR, then you can continue to rely on that consent post-GDPR. So far, so good. But the sting in the tail is that this holds true only if the consent you obtained pre-GDPR was obtained to a GDPR standard – ie the consent was “unambiguous” and demonstrable (ie auditable) in line with the requirements of Art 7. Since these requirements didn’t apply pre-GDPR, it follows for most businesses that the consents they obtained pre-GDPR won’t be valid once the GDPR comes into effect – and so they may need to go out and get new GDPR-standard consents. That, or accept the risk of non-compliance.
At this point, you might be thinking “So all our marketing consents are invalid? Do we really have to go and get fresh marketing consents from x thousand / million customers?” Things are not quite as bleak for marketers as it may seem, however.
Marketing regulation under the GDPR
To begin with, marketing under the GDPR (whether postal, phone, email, SMS or any other form of marketing) is regulated exactly like any other data processing activity. This means that you have to show that you have a lawful basis under Art 6 to conduct direct marketing, and this lawful basis does not necessarily have to be consent-based. In fact, it often won’t be. This is because the GDPR acknowledges that direct marketing will often be a “legitimate interest” of the data controller (legitimate interests being a non-consent based ground for data processing) and therefore consent to direct marketing is often not required under the GDPR. Recital 47 of the GDPR actually says that:
“The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
This means, for example, that if a business wishes to send postal marketing about a new product to its customer base, it can often do so in reliance on its “legitimate interests” – it generally does not need its customers’ consent to this mailing. It will, however, always need to offer them an opt-out (Art 21(2)).
Marketing regulation under the e-Privacy Directive
Marketing regulation under the GDPR is only half the story, however. Europe also has a separate law – the Privacy and Electronic Communications Directive (or e-Privacy Directive) that contains supplemental rules governing consent requirements for e-marketing, ie marketing sent over electronic communication channels (such as phone, fax, email and SMS, for example). When sending e-marketing, these supplemental consent rules apply in addition to the need for businesses to identify lawful processing grounds under the GDPR.
Put as simply as possible, these rules require opt-in consent for email and SMS marketing, unless an individual’s contact details were collected in the context of a sale and the individual was given the ability to opt out at that time. If so, first-party email and SMS marketing is possible on an opt-out basis (though third-party email and SMS marketing still require opt-in). Similarly, phone direct marketing is also generally possible on the basis of opt-out, provided the call list is first screened against the relevant country’s national do-not-call registry (as well as the business’s in-house opt-out list).
Consequently, much of the direct marketing that businesses send today is sent lawfully on the basis of opt-out, not opt-in (ie consent). In these instances, there is therefore no legal requirement for these businesses to seek fresh consents under the GDPR because their marketing was never based on consent (opt-in) in the first place.
Looking forward to the e-Privacy Regulation
This is not quite the end of the story, however. The e-Privacy Directive is, itself, undergoing reform presently – to be replaced by a new e-Privacy Regulation at some point in the future. The European Commission originally set an optimistic goal of achieving adoption of the e-Privacy Regulation by May 2018 – ie to see it enter into force at the same time as the GDPR – though this timeline has not been achieved. Sometime in early 2019 now looks more realistic.
Nevertheless, broadly speaking, the original draft of the e-Privacy Regulation proposed by the Commission largely retains (at Art 16) existing e-marketing rules as they apply under the current e-Privacy Directive. The European Parliament has, to date, seemed relatively accepting of at least this aspect of the Commission’s proposed reforms, making it likely that opt-out e-marketing will remain possible once the e-Privacy Regulation is finally adopted.
Still, it is worth remembering that it is only draft law at present and so e-marketing rules may evolve further as the Council of the EU and the Parliament enter their trilogue negotiations. Marketers will need to monitor developments here closely.
The law of unintended consequences?
While it will be good news for businesses that their existing lawful opt-out marketing is generally unaffected by the GDPR, businesses which previously sought opt-in consent may now find themselves technically needing to refresh those consents for GDPR compliance – an ironic result for businesses that had previously looked beyond strict legal compliance and had taken a best-practice, opt-in approach to marketing.
These businesses will undoubtedly also be acutely aware that, if they ask their customers to re-consent, many simply won’t bother – making their decision of whether to approach customers and ask for fresh consents under the GDPR one of choosing between the lesser of two evils: either putting at risk valuable marketing contacts or risking non-compliance.
Summary
- Much direct marketing (both snail mail marketing and e-marketing) is possible today on the basis of opt-out. Opt-in consent can be used, but is seldom legally required;
- The GDPR does not change this position and, in particular, does not make opt-in consent a mandatory requirement for direct marketing – it acknowledges that marketing can be conducted in reliance on legitimate interests; but
- The forthcoming e-Privacy Regulation seems likely to continue to allow opt-out based e-marketing in many cases, though marketing teams should monitor developments here closely.
So if you find yourself pressed by your marketing teams to advise if they need fresh consents for their continuing direct marketing activities post-GDPR, your starting point should be to look at whether they are conducting those activities lawfully today and, if so, the lawful basis on which those activities are conducted (both under the Data Protection Directive and the e-Privacy Directive).
If marketing is already lawfully conducted on an opt-out basis, the GDPR is unlikely to change this (or require new consents to be sought). If conducted on an opt-in basis, then further review and risk assessment may be needed.
Phil Lee is a partner in Fieldfisher’s Privacy, Security and Information law group, working out of the London team. He also founded Fieldfisher’s Silicon Valley office in California in 2012. Email phil.lee@fieldfisher.com. Twitter @EUPrivacyLawyer.