Direct marketing is a type of advertising that aims to bring an action in a selected group of consumers in response of a communication by the marketer. It allows to promote the product or service directly to the target most in need and measure the results quickly. Direct marketing is a complex subject regarding its areas of requirements, it effects both the data protection and also other consumer protection regulatory requirements. Today direct marketing is not limited to postal mail or e-mail, it has been evolved to; push notifications, in-app messaging and it is collecting data from the smartphones or computers via cookies. Direct marketing is subject to the GDPR, and it does not cover all communications from a business, even those related to the marketing business. The Article 29 Working Party (WP29) has provided some guidance relating to the direct marketing and it considers the scope of it as any form of sales promotion, even including direct marketing by charities and political organizations.

The marketing as in its definition has a broad concept, it does not need to offer something for sale, it can just be about promoting the sender’s organization in some way. The communications or marketing material should be directed to particular individuals in order to be considered as “direct marketing”. Therefore an unaimed website banner advertisements or mailings send out to companies without contact persons being mentioned, will not fall in scope of direct marketing. Also messages sent to individuals to inform them about something such as the order they have placed, will again not fall in the scope of direct marketing.

Direct Marketing is addressed both on the GDPR and the ePrivacy Directive (Directive 2002/58/EC). The ePrivacy Directive is an important legal instrument for privacy in the digital age, and more specifically the confidentiality of communications and the rules regarding tracking and monitoring.”  Although for direct marketing to be in the scope of the ePrivacy Directive it has to be “digital” marketing communications such as by phone, fax, email and SMS/MMS.If the data controllers are using digital marketing, they must also comply with the specific rules laid out in the ePrivacy Directive. The rules of ePrivacy Directive as opposed to the GDPR do not have direct effect but were implemented in national laws of the EU member states. GDPR requires controllers to follow their responsibilities under the Regulation when they are processing individuals’ personal data.

These include:

  • The lawful processing requirement: ensuring there is a lawful basis for the collection and use of the data subjects’ personal data.
  • The transparency requirement: providing individuals with fair processing information explaining that their personal data will be used for marketing purposes.
  • Implementing appropriate technical and organizational measures to protect the personal data processed.
  • Not exporting personal data outside of the European Economic Area (EEA) unless adequate protection is in place.

The data controllers are also required to give data subjects the option to opt-out of direct marketing. This right is already applicable in cases where the personal data is processed on the basis of the data subject’s consent, as any consent can be withdrawn at any time. The individuals also need to be informed of their right to opt out. The data controllers need to honor opt-out requests in a timely fashion and at no cost to the individual. Following after the opt-out, personal data shall be deleted unless retention is strictly required, therefore the profiling data shall be removed as well. The data controllers should cleanse, cross-reference and update their marketing contact list against their opt-out records before starting their direct marketing communications, because if a person is opting out from direct marketing, the data controllers usually suppress their contact details rather than deleting it. By deleting their details there is a risk that they may reacquire the individuals’ details and begin marketing them again, and in this situation the opt-out request would not be honored accordingly. By suppressing the details, data controllers retain a record that those individuals who opted out would not receive marketing communications and if they change their mind and opt back in the process would be easier to manage.