
Legitimate interest in direct marketing

Yalcin Erleblebici

Guest author from activeMind AG

How can controllers lawfully process personal data based on their legitimate interests in the context of direct marketing? The European Data Protection Board (EDPB) recently answered this question by releasing draft guidelines on processing personal data under Article 6(1)(f) GDPR. The guidelines are currently open for public consultation.

We examine the main insights from the guidance on how legitimate interest can be applied to direct marketing and discuss the practical implications for businesses.

Meaning of direct marketing

Before diving deeper into the subject, it’s essential to first understand what we mean by direct marketing. At its core, direct marketing involves any commercial communication that directly and individually targets a consumer. This can take various forms, but the key element is the personalised approach to reaching the recipient.

For example, consider banner ads that appear in a user’s private email inbox, disguised as emails, within a free email service that’s funded by advertising. Even though these ads are not technically sent as emails to specific individuals, they still meet the criteria for direct marketing because they target the user directly and appear within their personal inbox.

Understanding this distinction is crucial as we analyse how direct marketing practices fit within the guidelines for processing personal data under the legitimate interest framework.

Legitimate interest and direct marketing

While the GDPR (General Data Protection Regulation) doesn’t specifically define direct marketing, Recital 47 clarifies that processing personal data for direct marketing purposes may be considered a legitimate interest. In other words, the GDPR acknowledges that organisations can rely on legitimate interest as a legal basis for processing personal data in some direct marketing activities.

However, this doesn’t mean that all direct marketing automatically qualifies as a legitimate interest, nor does it guarantee that you can always rely on Article 6(1)(f) GDPR for every type of marketing activity. Each case must be carefully assessed to determine if legitimate interest is an appropriate legal basis in that particular context.

This is why a thorough evaluation is necessary to ensure that legitimate interest applies when processing personal data for direct marketing purposes. In the following sections, we’ll explore what this assessment involves and what businesses need to keep in mind to stay compliant.

Specific legal requirements that prevent reliance on legitimate interest as a legal basis

Before relying on legitimate interest as a legal basis for processing personal data for direct marketing, data controllers must ensure they comply with relevant EU and national regulations. One of the key regulations to consider is the ePrivacy Directive, which sets strict rules for sending unsolicited communications for marketing purposes. Under this directive, direct marketing through email, SMS, MMS, or similar channels is generally only allowed with the prior consent of the recipient.

In Germany, for instance, this requirement is reinforced by Art. 7 of the UWG (Act Against Unfair Competition), which governs unsolicited commercial communications and generally requires consent for direct marketing communications via electronic means, even in the B2B sphere. This means that, even if a business considers legitimate interest as a basis for data processing, prior consent is still essential for sending direct marketing communications via electronic means, because German law requires it. Legitimate interest may not be relied on where a law specifically requires consent. It’s important to recognise the interplay between the GDPR and the UWG when personal data processing falls under both regulations.

Under Art. 7 UWG, any commercial practice that constitutes an “unacceptable nuisance” to a market participant is considered illegal. This includes most forms of direct marketing communication, such as telephone calls or electronic mail, if the recipient has not provided prior consent. Essentially, in Germany, prior consent is a legal requirement to avoid marketing communications being deemed intrusive or unlawful.

However, there is an exception that allows direct advertising without explicit prior consent in certain situations. If a company has obtained a customer’s email address during the sale of goods or services, it may use that email address for marketing purposes related to its own similar products or services. This exception applies as long as the customer is clearly informed, both at the time of data collection and with every marketing communication, that they can opt out or object to this use at any time.

It’s important to note that under Art. 25 of the TDDDG (Telecommunications Digital Services Data Protection Act), the storage of information on an end user’s device or accessing information already stored, such as through cookies, is only permitted if the user has given informed consent.

When direct marketing involves methods like cookies or other tracking technologies, which are covered by Art. 25 TDDDG, obtaining explicit consent from the user is a legal requirement. It’s important to recognise the interplay between the GDPR and the TDDDG when personal data processing falls under both regulations. Direct marketing through electronic communications that does not involve the processing of personal data (such as marketing aimed at legal entities) is governed solely by the TDDDG, rather than the GDPR.

Case-by-case assessment where there is no specific legislation that prevents legitimate interest

Even if no regulation prevents relying on legitimate interest for data processing, this doesn’t automatically mean it can be used as a legal basis for direct marketing. Data controllers must ensure that the balancing test is met and consider adopting appropriate safeguards and mitigating measures. This balancing test is crucial in determining whether the marketing interest outweighs the rights and freedoms of the data subjects involved.

When assessing the use of Article 6(1)(f) GDPR for marketing purposes, controllers should evaluate whether the marketing goals can be achieved just as effectively through other, less intrusive means. Certain marketing practices, especially those involving extensive data processing or tracking, may be viewed as intrusive from the data subject’s perspective. For instance, wide-ranging profiling or tracking such as Google’s Customer Match may be harder to justify, while sending the same marketing communication (e.g., a product catalogue) to customers who have already shown interest in similar products might be easier to defend because it is less intrusive.

As a best practice, controllers should always conduct a case-by-case analysis to assess the intrusiveness of their marketing activities.

The right to object to processing for direct marketing

Under Art. 21(2) GDPR, data subjects have an unconditional right to object to the processing of their personal data for direct marketing purposes. This right applies irrespective of the legal basis the data controller relies on, whether it’s legitimate interest or another ground.

What’s important here is that the data subject does not need to provide any reasoning for their objection. The purpose behind their objection is irrelevant, and once they object, the controller must stop processing their data for direct marketing without needing to balance interests or assess whether the objection is valid.

This unconditional right ensures that individuals maintain full control over how their personal data is used for marketing purposes, empowering them to opt out at any time.

Conclusion

In conclusion, while Recital 47 of the GDPR suggests that direct marketing can be conducted on the basis of legitimate interest, this is not a guaranteed or automatic solution. Businesses must conduct thorough assessments to ensure compliance with both EU-wide regulations and any relevant national laws. This can be quite challenging when addressing people in different EU Member States.

A careful evaluation of the specific circumstances, such as the method of communication and the level of data processing involved, is essential to determine whether legitimate interest can be relied upon. Controllers should always consider applying appropriate safeguards to respect the rights and freedoms of the data subjects.
