Marketing under the GDPR - 7 things marketers must know

Soumya Patnaik

Data protection consultant

No matter what sector your business is in, how large or small your organisation is, or whether your products and services are B2C or B2B, with more and more consumption happening online it is imperative that your online marketing strategy is relevant, up to date and effective. 

At the same time, since the GDPR became enforceable there is evidence of growing awareness of data protection rights, combined with a loss of trust in online spaces. Marketers must therefore tread carefully. In this blogpost on marketing under the GDPR we discuss seven questions marketers commonly ask.  

1.    What laws should I bear in mind while processing personal data for online marketing purposes in the EU?

Personal data in the online marketing sphere in the EU is regulated by two laws: the general law on data protection, i.e. the GDPR, and the ePrivacy Directive (Directive 2002/58/EC, as amended). The ePrivacy Directive particularises and complements the GDPR and is generally treated as lex specialis for the subject matter it covers, i.e. electronic communications services. Electronic communications include communication over the internet (email, applications, etc.), telephony, instant messaging and so on. 

2.    What kind of personal data processing activities are generally part of an organisation’s online marketing strategy? 

Some of the specific purposes for which users' personal data is processed in order to support and develop online marketing strategies are:

  1. Using personal data to measure and improve the effectiveness of website design; 
  2. Using personal data to measure and improve the effectiveness of online advertisements and marketing campaigns; 
  3. Using traffic and other location data to target tailored advertising content to users;
  4. Using personal data for automated decision-making/ profiling and behavioural advertising; and 
  5. Using personal data to facilitate direct online communication, such as emails, SMSs, automated telephonic messages. 

3.    What is the legal ground for processing personal information for online marketing purposes? 

All processing of personal data must rest on one of the lawful bases listed in Article 6 of the GDPR. Furthermore, each processing activity, or set of processing activities, must have a specific purpose, and the lawful basis must be aligned with that purpose. As noted in point 1, where personal data is processed in the context of electronic communications, check whether the processing falls within the ePrivacy Directive, because its consent rules then apply in addition to the GDPR. 

From the five purposes identified in point 2, three processing contexts emerge: (a) marketing analytics; (b) targeted content marketing; and (c) direct online communication. 

  • Marketing analytics – This generally involves tracking technologies that record user data in order to measure the effectiveness of websites, marketing campaigns, advertisements and so on: cookies, web beacons, tracking pixels and similar techniques that store information on, or read it from, the user's terminal equipment. This is specifically covered by Article 5(3) read with Recitals 24 and 25 of the ePrivacy Directive and requires the user's prior consent, whether or not the information stored or read is itself personal data. Please see our blogpost on Cookies for further information. 
  • Targeted content marketing – This can be more or less privacy intrusive depending on the categories of personal data processed and the nature of the targeted content. For instance, where traffic data is used to direct the user to a location-specific website or advertisement, prior consent is required under Article 6(3) read with Recital 26 of the ePrivacy Directive. Location data other than traffic data may be processed only in anonymised form or with the prior consent of users, and only to the extent and for the duration necessary, as per Article 9(1) of the ePrivacy Directive. More intrusive forms of tracking that drive behavioural advertising based on profiling or automated decision-making require a higher standard of consent; see point 6 below for more details.  
  • Direct online communication – Article 13(1) of the ePrivacy Directive requires prior consent before direct marketing is sent by email, SMS, fax, automated calling machines and similar means. Recital 40 speaks of prior explicit consent, whereas the text of Article 13(1) refers only to consent. We would advise that you check your local ePrivacy legislation to determine the standard of consent required for sending direct marketing communications. 

4.    Can I rely on legitimate interest for online marketing? 

Recital 47 of the GDPR states that processing personal data for direct marketing purposes may be regarded as carried out for a legitimate interest of the controller. That does not mean you can rely on it by default. First check whether any of the ePrivacy consent requirements described in point 3 apply; if they do, prior consent must be obtained regardless, because the ePrivacy Directive takes precedence for those activities.   

Reliance on 'legitimate interests' rests on a balancing test between the benefits/interests pursued and the effect on the rights and interests of the data subjects. Provided the interest is sufficiently specific and the rights of the data subjects do not override the interests of the controller (or a third party), it may be possible to rely on this ground. 

Some factors to be considered while determining the legitimacy of this ground are: 

  1. The reasonable expectations of data subjects, based on their relationship with you as controller, and whether they would expect their personal data to be used for the marketing purposes, and in the manner, you use it; and
  2. The potential nuisance of unwanted communication. 

The ePrivacy Directive provides one specific circumstance in which a controller may send direct marketing without prior consent, and it is limited to existing customers. Article 13(2) read with Recital 41 states that where contact details have been obtained from customers in the context of the sale of a product or service, the same details may be used for direct electronic marketing of the controller's own similar products or services, provided that a clear, distinct and free-of-charge opt-out is offered both at the time the details are collected and in each subsequent message. This is sometimes referred to as the "soft opt-in". Please note that it does not extend to a third party's products or services. 

An example would be visitors to your website who have bought something from you or, under some national implementations (the UK's PECR, for instance, also covers negotiations for a sale), have expressed interest by signing up or filling in an enquiry form. You can rely on legitimate interests to send them communications about similar services that you offer. Even in these cases, however, you must comply with additional conditions (see point 5 below). 

5.    If I rely on legitimate interest, what other conditions must I comply with? 

When using legitimate interests as a processing ground, make sure that data subjects are given an express right to object or opt out, that they are clearly informed of this right, and that they are told how to exercise it. Under Article 21(2) and (3) of the GDPR the right to object to processing for direct marketing is absolute: once exercised, the personal data may no longer be processed for that purpose. Ensure the opt-out mechanism is user friendly. For instance, when sending promotional material to customers by email, provide an "unsubscribe" link that works with a single click and requires no further action. From a practical perspective, review how opt-outs are managed across the organisation, taking care that they do not escape notice and are implemented without undue delay. 

The GDPR's central principles of transparency and accountability must always be complied with. Relying on legitimate interests therefore does not absolve you of your obligation to honour data subjects' right to information. 

6.    What is explicit consent, and when is it needed? 

Consent under the GDPR must meet certain standard requirements: it must be freely given, specific, informed and unambiguous (Article 4(11)). Explicit consent holds the controller to a higher standard of accountability: not only must the consent satisfy those requirements, it must also be obtained in a manner that leaves no room for misinterpretation, typically through an express written or oral statement rather than being inferred from the data subject's conduct. 

In the marketing context, explicit consent must be obtained from data subjects where reliance is placed on profiling or automated decision-making that produces legal effects on them or similarly significant effects. This follows from Article 22 of the GDPR, which permits such decisions on the basis of explicit consent (Article 22(2)(c)) and recognises that they can have serious consequences for individuals. In advertising this could mean exclusion or discrimination, decisions affecting individuals' free choice, and so on. The criteria the Article 29 Working Party recommends for determining whether advertising reaches that threshold, and hence whether explicit consent is needed, include:

  1. The intrusiveness of the profiling process, including tracking across different websites, services, equipment; 
  2. The expectations of individuals concerned; 
  3. The way the advertisement is delivered; and 
  4. Using knowledge of data subject vulnerabilities. 

7.    What should I be aware of while running campaigns on other websites/platforms?  

If you run advertisements on third-party websites or platforms, be aware that those sites may collect personal data from users who click on your advertisements. You may think this does not implicate you, since the users are on another site whose privacy policy and terms and conditions apply. However, in many cases the information collected when users click on your advertisements is subject to a separate privacy policy or a specific data processing agreement between you and the platform. Often that agreement states that the platform processes personal data on your behalf, which makes you the controller under the GDPR. Often it also includes prohibitions on transferring personal data to them. In practice, though, you are bound by their terms and have little actual control over the data they process. 

So review the terms and conditions before signing up for advertising space with any third-party website. Involve your legal department and put questions to the platform's privacy officer if you need to. At the very least, make sure that the personal data processing is limited and that the purposes and uses are clearly identified. 

In many cases these campaigns rely on tracking or conversion pixels placed on your own website. Make sure you understand how the technology works and what information the pixel, and any cookies it sets, actually collects before placing it on your site. Because the pixel sits on your site and stores or reads information on the user's device, the Article 5(3) prior-consent requirement described in point 3 applies to it just as it does to your own analytics cookies. Read more about cookies here.
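Both the marketing analytics bullet in point 3 and the conversion pixels discussed here turn on the same practical requirement: nothing that stores or reads information on the user's terminal equipment may load before consent is recorded, and anything non-essential must fail closed when consent is absent, malformed or stale. The following is an added example, not code from the original post or the author's organisation, of a small consent-gated tag loader in browser JavaScript. The consent cookie name, its JSON shape, the expiry field and the three-entry tag catalogue are assumptions made for this illustration.

```javascript
// Added example (not from the original post): load third-party tracking tags
// only for the categories the user has consented to (Article 5(3) ePrivacy).
// Cookie name, record shape and tag catalogue are assumed for the example.
const CONSENT_COOKIE = 'cmp_consent';

// Catalogue of tags this site uses. 'essential' never needs consent; the
// rest load only when their category appears in the consent record.
const TAG_CATALOGUE = [
  { id: 'session',       category: 'essential', kind: 'script', src: '/js/session.js' },
  { id: 'analytics',     category: 'analytics', kind: 'script', src: 'https://analytics.example/a.js' },
  { id: 'ad-conversion', category: 'marketing', kind: 'pixel',  src: 'https://ads.example/px.gif' },
];

// Minimal Cookie-header parser: "a=1; b=2" -> { a: '1', b: '2' }.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of (cookieHeader || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = part.slice(idx + 1).trim();
  }
  return out;
}

// Returns the Set of consented categories. A missing cookie, malformed JSON,
// an unexpected shape or an expired record all yield the empty set (fail closed).
function parseConsent(cookieHeader, now = Date.now()) {
  const raw = parseCookies(cookieHeader)[CONSENT_COOKIE];
  if (!raw) return new Set();
  let record;
  try {
    record = JSON.parse(decodeURIComponent(raw));
  } catch {
    return new Set();
  }
  if (!record || typeof record !== 'object' || !Array.isArray(record.categories)) return new Set();
  // Assumed: the consent record carries an expiry so stale consent is re-asked.
  if (typeof record.expires === 'number' && record.expires <= now) return new Set();
  return new Set(record.categories.filter((c) => typeof c === 'string'));
}

// Tags permitted to load: essential always, others only with matching consent.
function allowedTags(consented, catalogue = TAG_CATALOGUE) {
  return catalogue.filter((t) => t.category === 'essential' || consented.has(t.category));
}

// Browser side: inject only the permitted tags into the page. Outside a
// browser (no `document`) it just reports what would have loaded.
function loadTags(cookieHeader, catalogue = TAG_CATALOGUE, now = Date.now()) {
  const tags = allowedTags(parseConsent(cookieHeader, now), catalogue);
  if (typeof document !== 'undefined') {
    for (const t of tags) {
      const el = document.createElement(t.kind === 'pixel' ? 'img' : 'script');
      el.src = t.src;
      if (t.kind === 'pixel') { el.width = 1; el.height = 1; el.alt = ''; }
      document.body.appendChild(el);
    }
  }
  return tags.map((t) => t.id);
}

// Stand-alone demonstration with constructed cookie values.
if (typeof require !== 'undefined' && require.main === module) {
  const consent = encodeURIComponent(JSON.stringify({ categories: ['analytics'], expires: Date.now() + 86400000 }));
  console.log('no cookie      ->', loadTags(''));
  console.log('analytics only ->', loadTags('theme=dark; ' + CONSENT_COOKIE + '=' + consent));
  console.log('garbage cookie ->', loadTags(CONSENT_COOKIE + '=%7Bnot-json'));
}
```

In the browser this would run before any tag-manager or pixel snippet, and `loadTags(document.cookie)` would be called again after the consent banner writes the cookie. The essential-only fallback on every error path is the property worth keeping whatever consent platform you use: a parser bug or a truncated cookie must never result in a marketing pixel firing.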