The European Union’s General Data Protection Regulation (“GDPR”) is arguably the most comprehensive – and complex – data privacy regulation in the world. As companies prepare for the GDPR to go into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.
To help address that confusion, Bryan Cave is publishing a multi-part series that discusses the questions most frequently asked by clients.
Question: Are Companies Always Required To Get Opt-In Consent Before Doing Direct Marketing?
Answer: No. GDPR does not necessarily require that a company obtain the express consent, or “opt-in,” of a person before using their data for direct marketing. Specifically, the GDPR expressly states that companies may have a legitimate interest in the processing of personal data for direct marketing purposes.1 If this legitimate interest is not overridden by the individual’s interests or fundamental rights and freedoms, it can serve as a legal basis for the data processing even if the company has not obtained consent.
This should not be interpreted as a carte blanche for sending direct marketing to individuals without their prior consent, however. There are other European Union laws direct marketers need to observe. The GDPR expressly refers to Directive 2002/58/EC (ePrivacy Directive), which provides specific obligations related to direct marketing by phone, fax, e-mail and other electronic means. Also, the European Commission presented a proposal for a new ePrivacy Regulation, which is currently going through the legislative process. The ePrivacy Regulation is set to replace the current ePrivacy Directive and to align this regime with the GDPR.