Under EU privacy law, we are used to thinking about “opt-in consent” as the ground normally used to legitimise the processing of personal data for marketing purposes (i.e. you can market to individuals only with their explicit consent to do so). “Opt-out mechanisms” (i.e. you can market to individuals if you have previously given them the option not to receive communications) are instead an exception allowed only (i) for using email addresses already obtained by the data controller in the context of the sale of a product/service and (ii) for direct marketing of its own similar products or services, i.e. excluding direct marketing of third parties’ products (see Article 13 of Directive 2002/58/EC – “E-Privacy Directive”).
The General Data Protection Regulation (“GDPR”) has apparently strengthened this approach (although it does not formally repeal the E-Privacy Directive, the latter will soon be amended to conform with it – otherwise a dual regime would make little sense). Personal data shall be processed on the basis of the consent of the data subject or some other legitimate basis, including “legitimate interest” (Recital 40).
Consent (as the rule)
The GDPR requires consent to be a clear affirmative act, freely given, specific, informed and unambiguous, whereas “silence, pre-ticked boxes or inactivity” cannot constitute consent (Recital 32). Moreover, Article 7 states that data subjects have the right to withdraw consent at any time and that withdrawing consent shall be as easy as giving it. Thus, at a first reading, it seems that the GDPR leaves no more room for opt-out mechanisms.
New, although limited, exceptions are set out. Recital 32 states that affirmative acts include (i) choosing technical settings for information society services (cookie settings on a browser?); or (ii) another conduct which clearly indicates in this context the acceptance of the processing (a form of implied consent?). Additionally, Article 6 states that consent is not necessary for subsequent “compatible” processing operations. Recital 50 says that compatibility should be assessed in light of the link between the processing purposes, the reasonable expectations of the data subjects, the nature and the consequences of further processing and the existence of appropriate safeguards for the data. Further examples of lawful compatible operations are processing for archiving purposes, scientific or historical research purposes, or statistical purposes (we assume mainly scientific statistics without commercial nature, i.e. no big data analysis in most cases).
On the other hand, among the other legal bases legitimising the processing, Article 6 lists “legitimate interest”. Interest is the stake or benefit that the controller (or a third party) has in the processing of data. As in Directive 95/46/EC (see Article 7, letter f), the GDPR excludes the legitimacy of the controller’s interest when it is overridden by the interests or fundamental rights of the data subject. In sum, legitimate interest requires a true balancing test between the interest of the controller and the data subject’s rights. This test shall also take into account the reasonable expectations of data subjects and their particular relation with the data controller.
What is new in the GDPR is Recital 47, stating that “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”. Does this mean that the data subject’s consent is no longer required for processing personal data for marketing purposes?
Some helpful indications are provided by the Working Party’s opinion on the notion of legitimate interest (WP 6/2014 – the Working Party – “WP” – is the EU Privacy Advisory Body). In fact, the WP already acknowledged that direct marketing and marketing research can constitute a valid legitimate interest under Directive 95/46/EC, and provided suggestions on how to conduct the balancing test. In marketing activities, the balancing test weighs companies’ interest in knowing their customers and promoting their products against individuals’ interest in not being unduly monitored and spammed.
In general, the outcome of the test depends mainly on:
- the intrusion/impact the processing entails (e.g. in the case of profiling operations and combined analysis of vast amounts of data the intrusion is significant, and thus the test is probably negative); and
- the safeguards put in place by the data controller, and particularly the mechanisms to object to the processing and opt-out solutions.
The WP considered the outcome of the test in the following examples:
- general marketing by post to users of a food-delivery mobile app, when: (i) data are gathered when the user uses the app to place a food order; (ii) the app includes an easy-to-use tool to opt out from marketing; (iii) limited information is collected and used for marketing, i.e. contact details only (name, postal address); (iv) the marketing is operated by post and concerns products similar to those purchased (thus meeting users’ expectations) – the data and the context are of relatively innocent nature.
- targeted marketing (both online and offline) to users of a food-delivery mobile app combined with other data: same situation as above, but: (i) the app uses users’ recent order history (a 3-year period), additionally combined with location data and browsing history via the mobile phone, and with data from a supermarket operated by the same company running the app; (ii) marketing is targeted based on the order history and operated both online and offline; (iii) the app lacks user-friendly information and an easy-to-use opt-out tool – the data and the context are intrusive and there is a strong impact on users.
The WP’s opinion provides further examples, which confirm the above reasoning. In sum, it appears that “soft” marketing can in fact rely on the legitimate interest rule (substantially aligned with the opt-out exception of Article 13 of the E-Privacy Directive), whereas advanced marketing (targeted emails, location-based advertising, automated calling systems, etc.) always requires consent.
The line between the two categories is not always clear. In those cases, relying on legitimate interest to justify marketing requires demonstrating that the outcome of the test is positive (see Recital 69), due to the low intrusion of that particular marketing and/or the safeguards that are in place (e.g. mechanisms to access or modify personal data; or, in the case of free services which are in fact “paid” by allowing the use of personal data, alternative basic versions which do not require processing of data for marketing). In addition, Article 13 of the GDPR requires a clear mention of the legitimate interest pursued by the controller within the privacy notice.