Businesses relying on broad and generalized consents for marketing activities face a significant risk following a recent ruling by the Data Protection Authority (the Garante) in Italy.
The Garante case on the validity of marketing-related privacy consents in Italy
The Authority imposed a EUR 300,000 sanction on an energy provider found to have unlawfully processed the personal data of over a hundred individuals who received unsolicited marketing calls. According to the Garante, these calls occurred without an appropriate legal basis, since the marketing-related privacy consent to the communication of data to third parties was not valid as it was not free.
In particular, the Italian Data Protection Authority challenged the privacy consent as
- it was used in relation to the large and indistinct audience of personal data assignees operating in very different sectors; and
- it did not allow the individual to select the channel of communication (e.g., email, SMS, traditional mail) through which it was sent
so that the individual who wants to receive offers relating to one or more of the product categories indicated therein or wants to receive them through only one of the indicated channels is, in fact, forced to give a unitary consent to the indiscriminate transfer of their data to all, without distinction, third parties for promotional purposes and is not in a position to easily exercise the rights recognized by current legislation.
In particular, the wording of the privacy consent was the following:
“I consent to the transfer for marketing and commercial purposes, with the use of the telephone with an operator and/or with automated systems (e.g. email, SMS) and/or sending promotional material by post, to third parties belonging to the following economic and product categories: Tourism, Leisure, High Tech, Fashion, Furniture, Consumer Goods, Food & Beverage, Finance, Banks, Insurance, Energy, Environment, Communication, Media, Entertainment, Real Estate, Pharmaceuticals, Automobiles, Clothing and Textiles, Training, Energy, Publishing, ICT, Retail, Sport, Telecommunications, and Services in general (for the complete list click here).”
The Italian Data Protection Authority held that consent must be genuinely free, specific, informed, and granular, and that the above-mentioned formulation did not meet these requirements.
What are the implications for businesses?
The decision of the Garante is in some ways surprising since it contrasts with its own guidelines on marketing of 2013 (12 years ago!), where the Italian Data Protection Authority held that it was fine
- not to have a consent split by channel of communication and
- to merely refer in the consent wording to the multiple product categories to which the third-party assignees of the transferred personal data belonged.
Apparently, the Garante has now changed its position, even though the principles underlying the GDPR are extremely similar to those previously in place. The implications for businesses are profound:
- Previous consents obtained through generalized or vague consent forms may no longer be valid, potentially necessitating extensive review and redrafting of existing consent mechanisms.
- Businesses must evaluate whether their consent practices genuinely meet GDPR standards for specificity and granularity, allowing users to clearly and separately indicate preferences regarding both the type of marketing communications they receive and the channels through which they receive them.
- Failing to adopt compliant consent mechanisms could expose businesses to significant regulatory penalties, reputational damage, and loss of customer trust, as well as the inability to use processed data for marketing purposes.
In practical terms, organizations must urgently revisit and potentially overhaul their privacy and marketing consent strategies. Consent forms must clearly identify recipients of personal data and specify the exact categories of goods or services involved, granting users explicit control over their choices.
This recent decision by the Garante Privacy is concerning: general, catch-all consent mechanisms no longer meet legal standards.
Is your organization ready to verify and, if necessary, redraft all privacy consents to ensure compliance?
On the topic, you can also read the article “Direct marketing and privacy consent, opt-in messages allowed in Italy?”.