Top 5 practices on direct marketing under the GDPR

Direct marketing is among the areas more affected by the GDPR, but how can you get ready and gain advantage from it?

My personal experience is that marketing managers are panicking because of the potential impact of the EU Privacy Regulation (GDPR) on their direct marketing activities that have been doing for years and on which their business considerably relies. There is no doubt that a cultural change required on how to approach privacy compliance, but there are ways to minimize the negative impact of the GDPR and somehow also get the advantage of it.

I summarized my position also in the video below in Italian as part of my video blog series Diritto al Digitale, while I addressed the topic in more detail in English below

1. Are privacy consents previously obtained valid?

I discussed in detail in this article “How privacy consent changes with the GDPR?” on the requirements applicable to privacy consent under the GDPR. The Article 29 Working Party requires a higher level of detail in privacy consents, especially for profiling and direct marketing purposes. This scenario means for instance that privacy consents obtained under the previous regime, even if compliant with the previous position taken by data protection authorities, including the Italian privacy authority in its guidelines on marketing practices, might no longer be valid.

This scenario would be applicable for instance to single marketing consents obtained for direct marketing practices of the company, acting as data controller, as well as third parties, even if they are part of the same group.

2. What can you “save” of consents previously obtained?

This assessment is necessary on a case by case basis. However, for instance, you might conclude that a broad marketing consent referring to the products of the contracting party and its affiliates can be considered valid only to enable marketing activities of the contracting party. On the contrary, regarding other scenarios, new privacy consent(s) shall be obtained.

3. What to do to collect new privacy consents?

The strategy that we are currently adopting for many clients is to put in place right now a “transitional” privacy information notice and privacy consents that are compliant with both the current data protection regime and the GDPR which would lead to two significant advantages:

1. Under the previous regime where fines were lower it was possible to immediately “cure” marketing lists, also, for instance, using initiatives of gamification; and
2. On the 25th of May 2018, it was not necessary to send a new privacy information notice to thousands (if not millions) of individuals since the adopted privacy information notice is already GDPR compliant.

4. Is legitimate interest an opportunity for direct marketing?

This question is one of the hottest for many of our clients, and I discussed the topic in detail in this article “Legitimate interest, performance of contract and privacy consent under the GDPR“. The GDPR refers in its recitals to the possibility to rely on legitimate interest for direct marketing purposes.

However, data processing activities based on legitimate interest need to be the result of a “balancing test” between the interests of the data controller (i.e., the company willing to advertise its products/services) and those of individuals who will receive direct marketing communications. Therefore, subject to a more in-depth assessment of the peculiarities of each case, direct marketing, and even profiling activities can fall under the scope of legitimate interest and therefore not require a consent

1. If it is also identified the interest of customers to the performance of marketing/profiling activity, e.g., concerning limited segmentation activities that allow sending offers only to customers that might be interested in it or be in the position of actually purchase advertised products;
2. If the segmentation/profiling is not excessively invasive and marketing activities are not overly aggressive; and
3. It is given the right to individuals to object to marketing activities based on legitimate interest.

5. How long can direct marketing be performed?

As discussed in this previous article “Data retention period, an intrigued rebus under the GDPR“, marketing and profiling consents obtained as part of a contractual relationship cannot be processed for that purpose during an unlimited time. The privacy information notice shall indicate the applicable retention period(s), and this shall be implemented in the information systems to avoid further processing activities.

Once the retention period has expired, if no other contract is in place between the parties, it might be possible to ask individuals to subscribe to a newsletter service.

Do you share my recommended actions? What is your view on the above?