Direct Marketing: impacts of the draft e-privacy regulation

February 09, 2017

Whilst many organisations continue to grapple with the impact of the forthcoming General Data Protection Regulation ("GDPR"), another important piece of data privacy law is making its way through the European legislative process: the ePrivacy Regulation.

Whilst the ePrivacy Regulation is still in draft form, and may yet change, the current proposal would have some key impacts on organisations collecting and using personal data for direct marketing purposes:

  • It’s a Regulation, not a Directive.

This means, like the GDPR, it is directly applicable in every EU member state. In theory, it will allow for a more harmonised approach for those organisations undertaking marketing activities on a pan-European basis.

  • It has extra-territorial reach

Like the GDPR, the draft ePrivacy Regulation extends its scope beyond EU borders. It applies to entities anywhere in the world who provide publicly-available "electronic communications services" to, or gather data from the devices of, users in the EU (irrespective of where the provider is located, or where the processing takes place). For instance, it will apply to an online fashion retailer based wholly in Singapore, sending marketing emails to its European customer base.

  • It imports ‘GDPR-style’ consent requirements for email, SMS and telephone marketing

The current position (that prior opt-in consent is required for email and SMS marketing) remains the same. The draft ePrivacy Regulation also continues to allow for a soft opt-in in certain circumstances (that is, emails can be sent to existing customers to market similar products or services, subject to an opt-out being provided at the time that the data was collected, and with each subsequent email marketing message).

The proposed draft also maintains the current position that EU Member States may be able to set either an opt-in or an opt-out for live direct marketing telephone calls.

However, the big change is this: the draft ePrivacy Regulation imports a GDPR standard for consent. That is:

  • The consent must be freely given, specific, informed and unambiguous.
  • The consent must be expressed by a statement or clear affirmative action. Silence, pre-ticked boxes or inactivity should therefore not constitute consent.
  • The consent must be as easy to withdraw as it was to provide consent in the first place.
  • The organisation must be able to demonstrate that the individual has consented.
  • The consent language must be intelligible and use clear and plain language.
  • The request for consent must be clearly distinguished from other matters.

This toughening up of the conditions for consent will have a significant impact on many entities.

  • It broadens the scope of the direct marketing consent rules

The direct marketing rules would apply to communications sent using a broader range of technologies, such as instant messages services and in-app notifications, as well as the more traditional telephone calls, e-mail and SMS. 

  • Telephone marketing calls must be identifiable

Organisations making direct marketing telephone calls would be required to display calling line identification, or present a specific code/prefix indicating that the call is a marketing call.

  • It introduces mega fines and compensation for non-compliance

The draft includes much tougher penalties, bringing the sanctions regime in line with the GDPR, including administrative fines of the higher of 10,000,000 EUR or up to 2% of the total worldwide annual turnover for breaches of the rules on unsolicited direct marketing communications.

It also gives individuals the right to sue for compensation for ‘material or non-material damage’ caused by an infringement of the Regulation.

What about direct marketing by mail?

The ePrivacy Regulation does not apply to direct marketing by postal mail, and that channel falls back to be considered under the GDPR. Under the GDPR, Recital 47 specifically calls out that the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest. If an organisation is relying on legitimate interests in order to conduct its postal direct marketing, it may not need to obtain consent to do so.

What should organisations do now?

The ePrivacy Regulation is still in draft form, and may yet change. However, those organisations for whom consumer-facing direct marketing data is a major business enabler, but also a major risk factor, may already be addressing some fundamental points. For example, in the context of their overall GDPR programme, they may already be working to ensure that they have visibility in relation to their direct marketing data flows; they may be reviewing their consent language; they may be assessing the means and methods by which consent was obtained and they may be ensuring that there are controls relating to the use, access, retention and disposal of their direct marketing data. If they outsource their marketing operations to a third party provider, they may be reviewing contractual clauses and other controls such as audits. Importantly, they may also be looking at how they deal with challenge: how robust are their processes for dealing with direct marketing complaints, before those complaints turn into regulatory intervention?

Of course, the longer tale will, inevitably, relate to technology. Many of those same organisations will be looking at their technology stack to assess whether it supports them in demonstrating consent, and in allowing consent to be withdrawn easily and effectively, as is required by the GDPR. With the increased focus on operational adequacy and accountability under the GDPR, the role of technology in evidencing compliance will be important.

Timetable

The draft sets out that it will apply from 25 May 2018 (i.e. the date that the GDPR comes into effect). However, given the length of time that it took for the GDPR to be finalised, this may well be an ambitious timetable.

This is the first in a series of blogs on the draft ePrivacy Regulation.

Polly Ralph  | PwC | Barrister & Solicitor (New Zealand Qualified) – Cyber Security and Data Protection Legal Services | PwC - UK
+44 (0) 207804 1611