What good is having the best product or service if none of your potential customers know about it? I would say, none. That is why marketing, the process by which a product or service is introduced and promoted to potential customers, is indeed one of the core tools for any business.
But we should also ask: what good is promoting a product or service to people who are not interested, trying to reach potential customers with outdated data, or gaining thousands of customers only to have them sue you because of inadequate security? I would say, none. That is why data protection law, a legal framework that requires personal data to be treated with care and diligence, is in fact another core tool for any business.
That being said, this article aims to address some situations that marketers may face when trying to get new clients while also complying with the current EU data protection laws. The idea is to provide practical insights into where to look and how to solve them.
1. Purpose Limitation
If you are collecting people’s names and email addresses (building your email list) by promising “free” access to products and/or services, you should keep the following in mind:
- The use of the term “free” may be misleading, since you are asking for personal data in exchange for access to a product or service, and that data will later be used for marketing purposes. You are not actually giving anything away for free.
- Ensure that the personal data obtained is only processed in a manner compatible with the purpose communicated at the moment of collection. For example, if you ask for an email address in order to market your products, you can use it only for that. You are not allowed to use it for another purpose, such as selling third-party products or services. This is especially important for marketers doing affiliate marketing.
2. Solicited vs. Unsolicited Marketing
No legal basis is required under the law to provide marketing material to a person who has specifically requested it. Naturally, the personal data must still be handled in accordance with the GDPR.
On the other hand, when it comes to unsolicited marketing (marketing material that the person has not specifically requested, e.g., “cold” emails addressed to natural persons), the ePrivacy Directive applies and consent is required (freely given, specific, informed and given by a clear affirmative action).
Organisations cannot rely on implied consent, e.g., silence, pre-ticked boxes or inactivity. An active opt-in is required to guarantee the person’s free choice to consent or not, e.g., clicking an icon or sending an email. Additionally, an opt-out option has to be provided to the individual at the time his or her details are collected and in each subsequent marketing email.
If the individual becomes your client, direct marketing might be a legitimate interest under the terms of the GDPR; however, it is not a sine qua non. Hence, if you want to use this as a legal basis, you need to show that your processing passes the necessity and balancing tests.
3. Use of Social Networks: “Facebook Fan Page”
If you are using a Facebook Fan Page, note that on 5 June 2018 the European Court of Justice ruled that companies using Facebook Fan Pages are considered joint controllers, and hence liable for the processing of visitors’ personal data by Facebook.
In other words, an organisation with a Facebook Fan Page is jointly liable for the personal data processing activities of Facebook, which is not exactly the most reliable company when it comes to processing personal data, and as such it can be, independently and at its own risk, subject to regulatory and legal actions.
Thus, it would be wise to avoid using Fan Pages, or promoting their use so avidly. The same careful assessment should be made for other products and for the use of other social networks.
It goes without saying that I agree social media is a powerful tool for generating more business; the advice is to evaluate the platform and assess which product gives you what you need without undermining the lawfulness and fairness of the processing of personal data.
4. ePrivacy Directive
It is true that the principal EU legal instrument on data protection is the GDPR. However, the specific rules at EU level for the processing of personal data and the protection of privacy in the electronic communications sector are set out in the ePrivacy Directive; hence, familiarising yourself with this legislation and applying it is a must.
The ePrivacy Directive covers important matters such as the legal basis for the collection of personal data for sending some marketing and advertising by electronic means, rules around consent for cookies and other tracking technologies, caller identification, call blocking, location data, public directories, etc. This doesn’t mean that the GDPR is irrelevant: it applies to all matters concerning privacy and data protection. The two pieces of legislation work together, strengthening and complementing each other.
Therefore, when preparing content about marketing and data protection, or deciding whether to attend a training, course or presentation in the field, check that the material covers the relevant provisions of the ePrivacy Directive and the proposed amendments to turn it into an EU Regulation (as the GDPR currently is). Otherwise, there is a high chance that the material is, or will shortly become, irrelevant.
5. Other Laws, Regulations, and Codes
When defining your marketing strategies, you should consider the national data protection acts, which have implemented the GDPR into national law; the ePrivacy Directive and its proposed amendments; and other laws, regulations, and codes that may apply to your marketing and advertising activities, such as consumer protection laws, advertising standards or gaming laws. For instance, in the United Kingdom, we can mention the Consumer Protection from Unfair Trading Regulations, which affect advertising to consumers, and the Direct Marketing Code of Practice published by the Direct Marketing Association (DMA), which is mandatory for all DMA members.
You don’t need to market illegally to get clients; the privacy and data protection laws have not been created to obstruct your business. On the contrary, these rules are business enablers: used well, they can help you acquire data directly and voluntarily from the data owner, which is the cleanest data that can be used and which, of course, translates into higher conversions. Moreover, they help build trust with consumers, strengthen the brand and grow the business, without the risk of fines, corrective measures, bad press or a lousy reputation.
Talacka & Co has made this brief available for you. If you require more information, or you are interested in a data protection service that analyses all your marketing strategies against all the relevant privacy and data protection laws at EU and national level, do not hesitate to contact us. We can help you to define the best move for you.
- Purpose Limitation: GDPR (Articles 5, 13 and 14): https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679
- The Judgment of the Court (Grand Chamber) of 5 June 2018 regarding Facebook Fan Pages: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62016CJ0210
- Facebook: Page Insights: https://www.facebook.com/business/products/pages
- WP29 Press Release on Facebook (11 April 2018): http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=621539
- EDPS: ePrivacy Directive: https://edps.europa.eu/data-protection/our-work/subjects/eprivacy-directive_en
- UK: Consumer Protection from Unfair Trading Regulations: https://www.gov.uk/marketing-advertising-law/regulations-that-affect-advertising
- Direct Marketing Association: Direct Marketing Code of Practice: https://www.dmcommission.com/