Electronic marketing and internet use

Electronic marketing

Are there rules specifically governing unsolicited electronic marketing (spam)?

There is a comprehensive set of rules governing direct marketing, resulting from the combined application of the EU General Data Protection Regulation (GDPR) (2016/679), the Personal Data Protection Code (specifically, the parts transposing the EU Directive on Privacy and Electronic Communications (2002/58/EC)) and the Data Protection Authority’s Guidelines on Marketing and Against Spam of 4 July 2013.

As a rule, data controllers may contact users for direct marketing purposes with the user’s prior consent. This rule applies to communications performed by means of automated calling or communications systems without human intervention or by email, fax or text message. Consent – provided that it satisfies the validity requirements of Articles 4(11) and 7 of the GDPR – needs to be given only once to enable marketing activities using different means of communication, provided that the data subject can opt out at any time from one or more of the data controller’s means of communication.

Further, when the personal data is drawn from publicly available papers or electronic directories, data controllers may contact users only by telephone or mail, provided that users have not exercised their right to object (the opt-out mechanism by means of an online platform maintained by the Fondazione Borboni, which is the Italian version of the so-called ‘Robinson list’).

Finally, where a data controller uses, for direct marketing of its own products or services, electronic contact details for emails supplied by a data subject in the context of the sale of a product or service, it need not request the data subject’s consent, provided that the services are similar to those that were the subject of the sale and the data subject, after being adequately informed, does not object to the use either initially or in connection with subsequent communications (the so-called ‘soft spam’ exception).

Further, where personal data is processed for direct marketing purposes, the data subject must have the right to object at any time to processing of his or her personal data for such marketing, including profiling to the extent that it is related to direct marketing.

Cookies

Are there rules governing the use of cookies?

As a rule, the Personal Data Protection Code (specifically, the parts transposing the EU Directive on Privacy and Electronic Communications) permits the use of cookies, the storing of information and the accessing of information that is already stored on a user’s device, provided that the user has given their prior informed consent.

So-called ‘technical cookies’ are exempt from this requirement. Technical cookies are used only to transmit a communication over an electronic communications network or in order for a service provider to deliver a service that has been explicitly requested by the subscriber or user. Under the Data Protection Code, technical cookies may be used without the user’s consent, provided that the user is informed as required.

The Data Protection Authority has issued a general provision setting out a simplified procedure for obtaining consent for the use of cookies. The provision stipulates that a suitably sized banner must be displayed on the screen immediately when a user accesses the home page or any other page on the website, and that if the user continues browsing the website by accessing any other section or selecting any item (eg, clicking a picture or link), this signifies his or her consent to the use of cookies.

A revision of the current rules governing the use of cookies is under discussion at the EU level. The new EU e-Privacy Regulation to replace the existing e-Privacy Directive (the EU Directive on Privacy and Electronic Communications, as amended in 2009) is expected to come into force in 2019.
