Data Defender vs. Marketing Maverick: The Clash of Corporate Titans

Picture a world of marketing where data is available in abundance and every click can be monetized. Nevertheless, while the monetization occurs in tandem hefty fines can be faced - if not managed legally.? To be precise, fines up to €20 million or 4% of global turnover - whichever hurts the most.

This is today’s reality, ushered in by the General Data Protection Regulation (GDPR), a game-changing legislation enacted in May 2018 to revolutionize data protection.? GDPR is a complex Regulation and its importance has been examined in a previous article.

How does GDPR affect marketing? Whilst data collection was and still is a core marketing activity, fears prevailed that GDPR would result in the end of marketing or the end of spam. But the reality has proven to be quite different.

Did your email marketing dry up post-2018? Chances are it didn't, and you're not alone. GDPR wasn't crafted to shut down marketing businesses - contrary to popular belief. Instead, its primary focus was and is on the safeguarding of the consumer interests. GDPR mandates that every corporation must have a legitimate, legally valid reason for accessing and using someone's personal data.

Marketers still cannot do much without data. A reality as true as it was in the Don Draper advertising era. As such, the collection of data must still be done but it needs to be done in accordance with the GDPR. Article 6 of the GDPR provides six defined "lawful bases" allowing the processing (collection, storage, usage, etc.) of people’s data.

Let's dive?into the ones that are more relevant to the marketing practices.

Consent: The Cornerstone of Marketing Compliance

Marketers usually operate under the lawful bases of ‘consent’. Obtaining consent for marketing activities seems to be unquestionably necessary and it must be given based on the below parameters.

Consent must be “freely given, specific, informed and unambiguous.”?

That is, individuals are not forced to agree by any means and they know exactly what they're agreeing into. No confusion shall blur their acceptance. So, at a minimum, the consent to the privacy policy terms cannot be used by any means as a consent to marketing.

Requests for consent must be “clearly distinguishable from the other matters” and presented in “clear and plain language.”?

When asking for consent, it should stand out from any other information and be easily understood. It shouldn't be buried within complicated language or mixed with unrelated topics. People on every level need to be able to understand what they are agreeing to.

Given consent may be withdrawn at any time by opting out

Consent is needed to market to the EU countries but this does not mean that consent is a forever right. Anyone can withdraw previously given consent whenever they want, and companies must honor that decision. Therefore, if someone gives permission (consent) to send them marketing messages like emails or texts, they can at any time for any reason change their mind and ask not to. No other option is available and the request must be respected and obeyed.?

A simple path that one may notice is a pop-up message on a website that may prompt users to subscribe to marketing emails, clearly outlining what they're signing up for and providing an easy way to opt-out.

Children under 13 can only give consent with permission from their parent or legal guardian

As we can see, children are defined as individuals under 13 years of age and can only consent via parental permission. But does this mean that a 14-year-old is adult enough to give consent? Or that a 90-year-old is mentally sound enough to consent…? Apparently yes, according to the GDPR..

Consent must be explicit, informed, freely given, and unambiguous, making it one of the most crucial and straightforward legal bases for marketing practices. But are there any loopholes? Let's explore further.

Legitimate Interest: a boon or a bane?

GDPR at Recital 47 provides a surprising statement whereas the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

But what does this mean in practice? Does it mean that one can argue that sending marketing content is made on the legal bases of a legitimate interest? Therefore no consent for marketing is needed? What is legitimate interest anyway?

Well, it seems that, in order to use this, one needs to be able to demonstrate that the legitimate interest is used as a legal bases according to a Legitimate Interest Assessment (LIA). This involves a purpose test to determine whether there is a legitimate interest behind the processing, a necessity test to examine the necessity of the purpose and a balancing test to ensure that the individual's interests, rights, and freedom do not override the legitimate interest.

While the GDPR does not explicitly mandate the completion of an LIA in its text, it is strongly implied and generally expected as part of demonstrating compliance with the Regulation. Usually, the LIA is recorded under the accountability obligation that can be found in Articles 5(2) and 24 in the GDPR.

So, is relying on legitimate interest as a legal basis for processing personal data less or more challenging than securing explicit consent? It certainly requires more guts.

E-Privacy directive - A hope for the marketers?

What is the ePrivacy Directive? It is another set of rules to add to the seemingly growing pile of compliance.?

The official name for it, is 'Privacy and Electronic Communications Directive'. It is an important legal instrument which regulates cookies usage, email marketing, data minimization and other important aspects of data privacy.

The ePrivacy Directive, along with the GDPR, are the main two EU legal rules that govern EU marketing. The two should be read together and both apply to data protection and privacy.

EPrivacy Directive though is a ‘directive’ meaning that it does not directly apply in the European countries. A directive lays down the results to be achieved and each country is free to decide how to pass a directive in its national laws. Unlike the GDPR which is a ‘regulation’ meaning that it becomes legally binding on a set date in all EU member states.

But a benefit that the ePrivacy directive seems to bring to the table is that, according to Article 13, in the context of a sale of a good or service, an organization, “may use these electronic contact details for direct marketing of its own similar products or services provided that customers clearly and distinctly are given the opportunity to object, free of charge and in an easy manner.” This seems to apply not just to email marketing but also calls, texts and any other form of electronic communication.

In other words, a preexisting relationship should exist. Some countries call this “soft opt-in”.

It applies to existing customers that have already provided their contact information and proved their interest in specific services/products in the context of a sales transaction. On this basis, a consent is not required on the provision that an easy way of “opt out” is offered as the simplest way out.

Given thought that the ePrivacy Directive currently transitions into a Regulation, will the concept of soft opt-in remain?

The end of third party cookies- a golden opportunity for marketers?

Cookies are also governed by the ePrivacy Directive, therefore their use is regulated. But what are they? Though they can not be eaten, they are highly valued by the marketers. They are small text files that websites place on a device and as browsing takes place they identify users' behaviors. Importantly to note though that they are treated as personal data.

Technically, cookies might be either first party cookies or third party cookies. First party cookies act as a website’s memory, storing preferences and past interactions of visitors. They support personalized communication and understanding the user's behavior, much like recalling past adventures with a best friend. Third party cookies are like an outsider getting to know the visitors of the website. Advertisers and analytics tools utilize them to track user activity across various websites, similar to someone annoyingly shadowing.

Marketers have used third-party cookies for many years now to track and target profiled users based on their browsing activity.

This shadowing though appears to slowly phase out with Google taking the lead.?

While at the same time this action emphasizes the importance of user privacy, marketers are now reconsidering their marketing tracking with a golden sunrise to appear. With less reliance on shadowing, marketers can embrace the change and prioritize personalized content on users' tailored interests solely with first party cookies.?

First party cookies can provide a winning marketing strategy if a data segment is built, targeted contextually and add a touch of personalization.

What about B2B marketing?

While all the above seem to apply to individuals i.e. business-to-consumer (B2C), the landscape for business-to-business (B2B) marketing is murkier. B2B rules seem to vary between European countries. National laws may further complicate matters, adding layers of complexity to cross-border marketing efforts.

An employee’s email address can constitute personal data even when it belongs to a corporate subscriber (e.g. [email protected]). In this case, the GDPR and the ePrivacy Directive would apply to the use of that email address.

Emailing corporate addresses, such as [email protected] or [email protected], blurs the line between personal and corporate data.

Does this mean that marketers can easily bombard EU corporate accounts? Treat with caution.

Outcome?

As we examine this battle between the Data Defender and the Marketing Maverick, the lines are clearly drawn between privacy and profitability.?

Businesses must navigate the ever changing landscape of data privacy laws and market expectations while lawfully and morally harnessing the power of data for creative marketing campaigns. By respecting the customers and being true to societal restraints, corporate entities can truly succeed in the digital age.