Thinking through the recent penalties relating to direct marketing, namely the HelloFresh fine by the ICO and Groupe Canal’s by CNIL, their common shortcomings are: lack of Transparency, invalid Consent and not respecting the Rights of customers. Direct Marketing is one of the most complex areas of Data Protection Law. Essentially, marketers need to comply not only with Data Protection Laws but also with competition laws and consumer rights laws.
The main focus of this review is on the GDPR and the ePrivacy Directive – UK Privacy and Electronic Communications Regulation (PECR) and French Post and Electronic Communications Code (PECC).
To keep it simple, under the GDPR:
• Customers have the ‘Right to be Informed’. Marketers should be transparent about the use of data for marketing. Where did they get the customers’ contact information? Has the customers’ data been shared with any third party? What Lawful Basis are they relying on (Consent or Legitimate Interest)? What are the customers’ Rights? etc.
• If the marketer is relying on ‘Consent’, then customers have the right to withdraw their consent. Very importantly, the consent should be demonstrable, and the method in place to withdraw customers’ consent should be just as easy as it was to obtain the consent.
• If the marketer is relying on Legitimate Interest, then customers have the absolute Right to Object. Marketers must inform customers of how they may opt out of marketing or change their preferences.
With regard to the eCommerce Directive Direct Marketing rules (UK PECR and PECC), opt-in is a requirement for SMS and email marketing, except where opt-out rules may apply.