As previously discussed, the General Data Policy Regulations (GDPR) created heightened consent standards for companies processing and sharing personal data of EU data subjects. When processing personal data under the GDPR, consent must be freely given, specific, informed, and unambiguous. Further, the GDPR requires affirmative action by the user, forcing them to manually “check/click” opt-in boxes. This removes the potential for “implied consent” under past acceptable practice, where the consent box was already “checked/clicked” for users; under that practice the user gave “implied consent” unless the box was manually “unchecked” (withdrawing their consent).
While the GDPR governs the processing and sharing of personal data, a second set of regulations has already been regulating electronic direct marketing (EDM). The Privacy and Electronic Communications Regulations (PECR) sets rules that organizations must follow when sending EDM. As a result, when organizations process personal data for use in EDM campaigns, there must be compliance with both the GDPR and PECR.
The key element to direct marketing is that the material is directed to a particular individual. Any form of indiscriminate blanket advertising (e.g. leaflets, advertisements shown to every viewer of a website, etc.) will not fall within the definition of direct marketing and will not be subject to these regulations. The PECR regulates:
- Direct marketing by electronic means (e.g. phone calls, texts, emails, fax);
- Security of public electronic communications services; and
- Privacy of customers using communications networks or services regarding traffic and location data, itemized billing, line identification services, and directory listings.
In general, the PECR will apply the new GDPR standard of consent. As mentioned above, consent requires affirmative action, removing the ability of organizations to pre-check their consent communications. Further, consent under the new GDPR requires a “granular” approach. This requires consent statements to articulate the distinct processing operations, asking for users to agree to each individual operation. This granular approach also requires consent to be separate from other terms and conditions, and cannot be included as a precondition of signing up for a particular service. Organizations must also provide users with names of third party controllers who will rely on the consent contained in the EDM. Lastly, with every EDM communication, users must be given the ability to withdraw their consent, and provided with an easy means to do so.
When managing consent, especially under the context of EDM, recordkeeping of when and how consent is obtained is critical. It is also important to record exactly what was said to the user when consent was obtained. Refreshing valid consent is also necessary given the duration of consent is unclear in a number of circumstances. Managing consent under the GDPR and PECR is difficult, but the ICO’s checklist is helpful to keep organizations’ consent procedures fresh:
- Regularly review consents to check that the relationship, the processing, and the purposes have not changed.
- Have processes in place to refresh consent at appropriate intervals, including any parental consents.
- Consider using privacy dashboards or other preference-management tools as a matter of good practice.
- Make it easy for individuals to withdraw their consent at any time, and publicize how to do so.
- Act on withdrawals of consent as soon as possible.
- Don’t penalize individuals who wish to withdraw consent.
Consent is the cornerstone of the GDPR and PECR. While each govern different aspects and transmissions of data, both sets of regulations apply to certain situations. It is important for organizations to stay alert to these laws and the changes made to them. The PECR will be undergoing changes to fall in line with the new GDPR.
The new EU ePrivacy Regulation (ePR) will be revealed and implemented in 2019. With limited discussion surrounding the specifics of the new ePR, it is unclear what changes will be made and how such changes will tie into the GDPR. For now, the PECR is still the applicable law.