Part I: Untangling the GDPR and the e-Privacy Directive

This is the first post in a four-part series on GDPR and email marketing.

Your email inbox has probably finally recovered from the wave of GDPR opt-in requests and notices that peaked around May 25th. But if you’ve followed the privacy press or the statements from EU regulators, you’re probably left wondering what it was all for. Many statements made in news stories (both in the U.S. and the EU) and by commentators have claimed that the GDPR means no one can send marketing emails any more without your permission. But other stories suggest that the opt-in emails and privacy notices were unnecessary or even inappropriate. Who’s right? And what email marketing is allowed now?

It’s actually two different laws.

Much of the confusion around email marketing has stemmed from conflating the GDPR and the e-Privacy Directive. The e-Privacy Directive pre-dates the GDPR, and directly regulates electronic marketing, including email, text messages, telemarketing, and cookies. The e-Privacy Directive has been implemented by legislation passed by EU member states. The UK, for example, implemented this directive through the Privacy and Electronic Communications Regulations (PECR). The e-Privacy Directive (or more specifically, the member state implementing laws) directly regulates electronic advertising, including email marketing. These laws (generally speaking) did not change on May 25.

By contrast, the GDPR has very little to say about marketing. Importantly, the GDPR’s recitals acknowledge that direct marketing constitutes a “legitimate interest” for a data controller to pursue when processing data. And the GDPR requires that, when a person objects to the processing of their data for direct marketing purposes, their objection must be granted. But the GDPR itself did little to change the framework for electronic marketing in the EU – except for one important thing.

But, you still got emails asking for opt-in consent.

That’s because the GDPR did change the definition of “consent.” Generally, the e-Privacy Directive required that certain marketing messages could only be sent with the consent of the data subject. But the e-Privacy Directive itself didn’t define “consent.” Instead, many member states defined consent in their implementing laws by cross-referencing to the definition used in their laws implementing the EU Data Protection Directive. For example, in the UK, PECR expressly provides that any term not defined in PECR will have the meaning given by the 1998 Data Protection Act. The 1998 Data Protection Act, however, was revised and adjusted to conform to the GDPR in May 2018. As a result, according to the UK ICO, the definition of “consent” in PECR now points to the definition of “consent” in the GDPR.

Because the GDPR’s definition of consent is stricter than the definition used previously, a previously valid consent might not remain valid once the GDPR went into effect. If PECR required consent to send a message, and the original consent did not meet the GDPR’s higher standard, then a “new” consent would be required to send marketing communications. Specifically, the GDPR requires that all consent be affirmative, or “opt-in.” Pre-checked boxes or default settings no longer adequately demonstrate consent.

But not all controllers needed to get your consent.

Remember what we said above about the GDPR acknowledging that direct marketing is a “legitimate interest” of a data controller? The GDPR does not require data subjects to consent to any data processing. It only requires that a controller have a “lawful basis” for the processing. There are six different lawful bases, including both consent and legitimate interests. Accordingly, the GDPR permits marketing activities without a data subject’s consent, provided that the controller fulfills its other requirements.

Instead, the e-Privacy Directive and laws like PECR dictate when a marketing communication requires consent. And although they do generally require consent, they also sometimes permit marketing communications without it. The most important allowance is often referred to as the “soft opt-in.” Unlike consent, which must be “affirmative,” the soft opt-in allows for an electronic message to be sent when the recipient is a customer of the data controller who at the initial collection of his or her email address was offered the ability to opt-out of future communications and did not do so. To take advantage of this “soft opt-in,” the controller must continue to offer the data subject the ability to opt-out in each email. Importantly, PECR, for example, does not refer to this soft opt-in as “consent.” As a result, the change in the GDPR’s definition of consent doesn’t change the viability of relying on the soft opt-in.

And this could all change again, soon.

The e-Privacy Directive will, however, likely change soon. Currently, the EU Parliament and EU Council are working on drafting a new e-Privacy Regulation. Although the drafts differ, the EU Parliament’s draft says that a controller may take advantage of a soft opt-in to send marketing communications for any of their products, not only those which are similar to ones the customer has purchased (as PECR and other laws currently dictate). The EU Council’s draft, however, does not include this new ability, and says instead that member states should have the ability to set a maximum time period during which controllers can use the soft opt-in. Whether the final e-Privacy Regulation follows the EU Parliament’s draft in extending the controller’s powers under the soft opt-in, or the EU Council’s draft in limiting them, could extensively change what marketing emails are allowed.

Clearly, there still remain many issues to debate. On June 8, 2018, the EU Council’s telecommunications council will begin a new policy debate on the current draft. And future work will be needed to blend the Council and Parliament drafts. The new e-Privacy Regulation will probably not be approved until late 2019, and the Council draft anticipates a one-year implementation period before the regulation becomes effective. As a result, those marketing emails in your inbox will remain in their current state at least a while longer.