惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
A
About on SuperTechFans
IT之家
IT之家
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Blog — PlanetScale
Blog — PlanetScale
aimingoo的专栏
aimingoo的专栏
云风的 BLOG
云风的 BLOG
The GitHub Blog
The GitHub Blog
Vercel News
Vercel News
G
Google Developers Blog
J
Java Code Geeks
宝玉的分享
宝玉的分享
T
Tailwind CSS Blog
Cloudbric
Cloudbric
L
LINUX DO - 最新话题
MyScale Blog
MyScale Blog
H
Heimdal Security Blog
PCI Perspectives
PCI Perspectives
Attack and Defense Labs
Attack and Defense Labs
S
Security @ Cisco Blogs
Latest news
Latest news
I
Intezer
L
Lohrmann on Cybersecurity
C
CXSECURITY Database RSS Feed - CXSecurity.com
月光博客
月光博客
T
Threatpost
博客园 - 【当耐特】
S
Schneier on Security
P
Privacy International News Feed
G
GRAHAM CLULEY
T
Tenable Blog
AWS News Blog
AWS News Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
雷峰网
雷峰网
博客园 - Franky
Engineering at Meta
Engineering at Meta
美团技术团队
S
Secure Thoughts
T
Troy Hunt's Blog
Microsoft Security Blog
Microsoft Security Blog
SecWiki News
SecWiki News
V
Visual Studio Blog
人人都是产品经理
人人都是产品经理
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Cisco Talos Blog
Cisco Talos Blog
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Martin Fowler
Martin Fowler
Webroot Blog
Webroot Blog
Google DeepMind News
Google DeepMind News
H
Hackread – Cybersecurity News, Data Breaches, AI and More

Blog of Simple Analytics

The EU wants to kill cookie banners Google is tracking you (even when you use DuckDuckGo) German court rules Meta’s tracking tech violates GDPR Closing the data gap - Simple Analytics x Usercentrics The EU-US data deal may be dead in the water You are missing 20% of your website data with GA4 How a reverse trial will push Simple Analytics to the next level Google will start tracking all your devices (WTF?) Big Tech Fails EU’s Digital Services Act: Only Wikipedia Passes the Test Meta fined $102 million by the Irish Data Protection Commission Europeans spend 575 Million hours per year clicking cookie banners The most interesting GDPR fines GDPR and fines: all there is to know Google loses key antitrust case Web Analytics for Crypto Companies Web analytics for publishers Google pulls Uno Reverse card: Rolls back decision to kill third-party cookies Privacy Monthly July 2024 Privacy Perspectives June 2024 Privacy Monthly June APRA fumbles targeted advertising Privacy Monthly May Meta loses key privacy battle Google delays cookie phase-out once again Privacy Monthly April 2024 Web Analytics and Consent Cookies 101 Privacy Monthly March 2024 German authority cracks down on cookie banners Google Tag Manager vs Google Analytics Google search alternative Data retention in Google Analytics Guide to Google Analytics and Cookie consent What are Google Analytics' identifiers? How to export data from Google Analytics Privacy Monthly February 2024 The Criteo case: a big deal for Big Tech Privacy Monthy January 2024 What the Digital Markets Act means for privacy Google Settles in $5B Incognito Mode Lawsuit Legal troubles for Adobe Analytics Web analytics for nonprofits HIPAA and mental health Why Meta subscriptions are under attack, and why it matters for privacy Privacy Monthly: December Simple Analytics AI Host analytics on Cloudflare Zaraz Add Google Analytics to Convertkit Google Analytics Pricing - Paid vs Free Road to 1 Million ARR - October update CCPA and Data Protection: all there is to know Analytics without a cookie banner Enterprise Analytics Privacy Monthly: November 2023 Delete Act: all you need to know Mobile App Tracking Under Fire The road to 1 Million ARR - September Update Privacy Monthly: October 2023 HIPAA violations First challenge to the EU-US data transfer framework Road to 1 million ARR - August Update CCPA vs CPRA: what is new? Privacy Monthly: September 2023 A/B Testing with Simple Analytics Dobbs v. Jackson ruling is a privacy mess Privacy Monthly: August 2023 What are your rights under the CCPA? When does the CCPA apply? How does the HIPAA compare to the CCPA and GDPR? Why Meta is in a world of trouble CJEU: cookie-based analytics collects sensitive data Road to 1 million ARR - July update All about the new Data Transfer Framework Road to 1 Million ARR - June update What is PHI under HIPAA? Sweden declares Google Analytics illegal Searching for GA4 Alternatives? Top 10 Reliable Options for Google Analyticss Ultimate HIPAA Compliance Checklist: Essential Steps for Healthcare Providers Privacy Monthly: June 2023 More troubles for Google Analytics The path to 1M ARR - May Update Data Processing Agreements Minimal Product Analytics Facebook data transfers declared illegal Is Google Analytics CCPA-compliant? Help us with your input Cookie banners: How to stay GDPR compliant? GDPR Compliance Checklist Privacy Monthly: May 2023 Simple Analytics: Privacy-first website analytics Improve your e-commerce performance with analytics European Facebook blackout is closer than we think Know your website’s Carbon Emissions - and how to reduce it The path to 1M ARR - April 2023 How to add video tracking using Google Tag Manager? How to track form submissions using Google Tag Manager? Why is my Simple Analytics data different from Google Analytics? Debug Simple Analytics script How to Import Google Analytics Data to Simple Analytics
Direct Marketing under GDPR
Carlo Cilent · 2023-09-18 · via Blog of Simple Analytics

Lots of people are confused when it comes to marketing and EU privacy law. We don’t blame them because the rules are as complicated as it gets.

This is because direct marketing falls under different laws: the GDPR and the old ePrivacy Directive. Looking at each law in a vacuum is insufficient- you must understand how they interact.

To make things even more complicated, EU Member States implemented the Directive in different ways, particularly regarding business-to-business (B2B) communications. As a result, some rules change from country to country.

This blog can only scratch the surface: to ensure that your direct marketing is 100% compliant, you need to look at each Member State’s legislation. Just because you are compliant with Dutch law does not mean you are compliant in Italy or Croatia!

Let’s dive in!

  1. What are the laws?
  2. Which law applies?
  3. What are the rules?
  4. Business-to-consumer (B2C)
    1. Opt-in and soft opt-it
    2. The GDPR: consent and legitimate interest
  5. Business-to-business (B2B)
  6. What else do I need to know?
    1. Be careful about data analysis!
    2. Identify your company in the emails
    3. Opt-outs and consent
  7. What about the ePrivacy Regulation?
  8. Conclusions

The UK Government chose Simple AnalyticsJoin them

What are the laws?

Both the GDPR and the ePrivacy Directive apply to direct marketing.

You have probably heard of the GDPR: it is a very important Regulation and the central pillar of the EU data protection framework. Because it is a Regulation, the rules are the same for all Member States.

The ePrivacy Directive is an older EU law from 2002. As a directive, it does not apply directly. Instead, each Member State implements it through its own legislation. This is why the rules are similar but not the same across the EU.

Which law applies?

The rules for direct marketing depend on the applicable law. This is where it gets tricky, because the GDPR and the Directive use different criteria.

The Directive distinguishes business-to-consumer (B2C) and business-to-business (B2B) communications. The Directive regulates B2C communications but allows some margin for Member States to regulate B2B communications. As a result, the rules for B2C are (mostly) the same across Europe, but different States have different rules in place for B2B.

On the other hand, the applicability of the GDPR depends on the distinction between personal and non-personal data. The GDPR applies to all B2C marketing and some instances of B2B marketing.

To sum it up, we have three possible scenarios:

  • B2C communications (such as emailing johndoe@emailprovider.com) fall under both the GDPR and the Directive
  • B2B communications (such as emailing purchases@business.com) fall under specific rules adopted by Member States
  • B2B communications fall under the GDPR and under Member State rules when the contact information are personal data (for instance, emailing johndoe@business.com).

What are the rules?

As we explained, the rules depend on the type of communication. Here is an overview:

Business-to-consumer:

  • is opt-in or soft-opt-in for most Member States (more on this later!)

  • when consent is not collected, legitimate interest must be correctly balanced to comply with the GDPR. If this is not possible, consent is needed anyway! Business-to-business with personal data:

  • different States have different rules. Consent may or may not be required for marketing, depending on the State and the situation.

  • when consent is not collected, legitimate interest needs to be correctly balanced to comply with the GDPR. If this is not possible, consent is needed anyway! Business-to-business without personal data:

  • different States have different rules. Consent may or may not be required for marketing, depending on the State and the situation.

  • the GDPR does not apply. Therefore, no legal basis is needed for processing the data.

Let’s break it all down!

Business-to-consumer (B2C)

Opt-in and soft opt-it

Under the ePrivacy Directive, consent is mandatory for B2C marketing. This system is typically referred to as opt-in.

There is an exception for existing customers- the so-called soft opt-in rule. Under the soft opt-in rule, you do not need consent if five cumulative conditions are satisfied:

  • you collected the consumer’s email address in the context of a sale
  • you are promoting your own product or service
  • the service is similar to the one they already bought from you
  • you provided them with the option to opt out of the marketing when you collected the email
  • each email you send includes an option to opt out.

For instance, John Doe buys a subscription to your online newspaper and gives you his email address. During the subscription process you can provide him with an option to opt out from direct marketing during the subscription process. If he does not opt out, you can later contact him at johndoe@emailprovider.com to advertise another one of your publications - but you need to include an opt-out option in every communication.

Additionally, you cannot publicize your shampoo line or a newspaper from a different publisher or your publication via phone calls or SMS messages.

Please note that this explanation is accurate for most countries but not all. The implementation of the Directive differs between Member States: for instance, some countries require extra steps for a soft opt-in to be valid, and others do not allow for soft opt-ins at all.

What constitutes a sale also changes between countries. In some jurisdictions, a product or service must have been sold, while in others, it is enough to have entered a commercial relationship in the context of a sale, even if nothing was sold in the end.

The Directive is only half the picture: you also need a legal basis under the GDPR. In practice, this can be either consent or legitimate interest.

When the Directive requires consent, things are relatively simple: the Directive “trumps” the GDPR, and you can only use consent as your legal basis for direct marketing.

When the Directive does not require consent, you can choose between consent and legitimate interest, and this is where things get tricky.

Legitimate interest can be used for direct marketing, but there are some limitations; legitimate interest requires balancing conflicting interests and rights- in this case, a consumer’s right to privacy vs. a company’s interest in promoting their product or service.

Balancing is a complex, case-by-case assessment with no catch-all answers. There may be scenarios where you can use legitimate interest and scenarios where you cannot. In those cases, you will need consent, whether the Directive requires it or not!

In other words, the consent requirement for direct marketing is tricky because it depends on both the Directive and the GDPR. If you just look at the Directive, you are missing half the picture!

Business-to-business (B2B)

Business-to-business marketing addresses companies directly; for instance, an email sent to purchases@business.com or johndoe@business.com counts as B2B marketing.

As we explained, the Directive includes no rules for B2B marketing but leaves room for Member States to regulate the communication as they see fit.

The rules are entirely up to each Member State. Some jurisdictions require consent for B2B marketing, others allow it without consent, and others yet require consent but allow for a soft opt-in in certain scenarios. Finally, some jurisdictions differentiate between first and third-party marketing.

To make things even more complicated, some B2B communications fall under the GDPR, and some do not.

In our example, communications to purchases@business.com do not fall under the GDPR because the purchases office of Business is not a person. On the other hand, communications to johndoe@business.com fall under the GDPR because the company email address refers to Business staff member John Doe. This could also be the case when you are using the email address for a one-man company.

If the GDPR applies, you will need a legal basis for data processing. And if you want to use legitimate interest, you must assess the balancing, as explained above. If legitimate interest cannot be balanced, you need consent whether the Directive requires it.

What else do I need to know?

Be careful about data analysis!

Businesses involved in direct marketing often analyze personal data such as age, address, interests, and buying history to determine who may be interested in an offer.

All of these data fall under the GDPR and require a legal basis to process. Just because the Directive soft opt-in system allows you to process contact information without consent does not mean you can also process other data without consent!

In practical terms, it helps to think of two distinct data processing operations:

  • as a first step, you analyze certain personal data about your audience to better target your marketing efforts. This step needs to comply with the GDPR.
  • as a second step, you send the marketing communications using contact information. This step needs to comply with both the GDPR and the ePrivacy Directive.

Identify your company in the emails

Whether your marketing is based on consent or not, the Directive requires your emails to identify your company as the sender.

On top of that, the GDPR requires you to provide information for transparency purposes. You need to include a lot of information, including a contact for the sender and information on the recipient's data rights (that is, things like getting the data erased). It's too much information to mention all here- you can check Article 13 GDPR for a full list.

Linking to a privacy notice can help you provide all the required information while keeping your emails tidy. Please make sure that you point to information specific to direct marketing- don’t direct users to your company’s general privacy policy or your website's privacy notice.

Please beware that consent can be revoked and that under the GDPR, revoking consent must be as easy as it is to give it.

To comply with the GDPR, providing a link to revoke consent in your emails is probably a good idea.

In practice, this means that all communications addressing individuals should include an option to end the communications for good- whether that is the opt-out required by the Directive, or an option to revoke consent under the GDPR.

What about the ePrivacy Regulation?

The EU is currently working on an ePrivacy Regulation. If approved, it will replace the ePrivacy Directive.

When it come to direct marketing, the latest draft of the Regulation does not differ too much from the Directive. The main difference is that the Regulation explicitly requires marketers to clearly mark marketing communications as such. This is good practice regardless of the law, but is not a requirement under the ePrivacy Directive.

It is worth noting that the proposed Regulation will leave some room for Member State law when it comes to direct marketing. In all likelihood, the laws will still differ between Countries even under the Regulation. All in all, this would be a missed opportunity for the Regulation to harmonize and clarify the rules.

Conclusions

The rules on direct marketing are confusing and fragmented. The GDPR and the ePrivacy Directive can be a starting point for understanding the rules, but at the end of the day, most cases do not really have a catch-all answer for all EU jurisdictions.

This pdf from the International Association of Privacy Professionals website offers a handy, high-level overview of the applicable rules. You can sometimes find more detailed information about specific legislation on the website of national data protection authorities.

Even with these resources, it can be complicated to understand all the rules. You may want to refer to a legal professional with specific knowledge of the jurisdictions where you conduct your business- even more so if you do marketing without consent.

Why do we care?

We believe in the ethical way of doing business. That's why we built Simple Analytics, a privacy-friendly Google Analytics alternative. Simple Analytics gives you all the insights you need without using cookies, trackers, or fingerprinting users. We do not track your visitors and do not collect a single bit of personal data!

If this sounds good to you, feel free to give us a try!