Within a few months, the Italian Data Protection Authority (Garante per la protezione dei dati personali) has issued two important decisions directed to companies engaging in direct marketing activities: a general decision on consent to the processing of personal data for the purpose of marketing, and, more importantly, the new Guidelines in the matter of marketing activities and fight against spam, both published on the Official Journal of July 26, 2013.
Both decisions concern direct marketing by means of automated calling machines, e-mails, sms and mms messages etc.).
The first one essentially clarifies that consent obtained for the purpose of direct marketing by means of emails, sms messages and so on, also covers marketing carried out by more traditional methods, such as the postal service or human-assisted calls.
The Guidelines, on the other hand, are much more far-reaching, as they provide a complete framework of rules to follow in carrying out direct marketing activities. They largely summarize and consolidate the existing case law of the Garante on the subject, but also contain a couple of interesting novelties.
The first principle reaffirmed in the Guidelines is that, under Italian law, direct marketing – subject to some exceptions – requires the prior, informed consent of the person concerned (opt-in principle).
The information notice, the Garante stated, shall specify, among else, what means will be used for direct marketing (ordinary mail, automated phone calls, faxes, e-mails, sms, mms messages and so on), and all the other purposes of the processing of the concerned person’s data, beyond strictly marketing purposes (e.g., subscriber’s profiling).
As regards consent, the Garante clarified that, in accordance with the general opt-in rule, it is not sufficient to request consent or inform the recipient of the possibility to object to further communications within the first commercial communication. Furthermore, consent to the sending of commercial messages may not be presumed from the presence of a person’s contact details in publicly available records, web-sites or documents, including the recently implemented national registry of certified e-mail addresses.
Consent for marketing activities, according to the Garante, is not validly given if it is pre-set (such as when a check-box is pre-checked by default) or when it is indirectly coerced by making it a condition for obtaining a specific service (e.g., when subscribing to a web site).
Consent given to the marketing activities of a company does not allow it to disclose or transfer the data to a third party for the direct marketing of such third party’s products or services, even when the latter is a parent company or subsidiary or affiliate of the former. In these cases, not only must the company collecting the data previously inform the persons concerned of the planned disclosure and/or transfer of the data, specifying at least the market sector of the recipient, but it shall also obtain a specific and distinct consent for the third party’s marketing activities.
Finally, on the issue of consent, the DPA recalled the so-called “soft spam” exception, namely that it is allowed to send commercial messages to the e-mail address provided by a customer in the context of the sale of a product or service without obtaining his prior consent, provided that the services or products advertised are similar to those concerned by the sale and that the customer, adequately informed, does not object.
So far, the Guidelines are mostly a codification of existing rules governing direct marketing, although much needed. However, they also contain two unprecedented indications.
The first concerns the right, granted by the Garante, to obtain a single consent to personal data processing for the purposes of sending advertising material, direct sale, market research or commercial communication. Over the years, the Garante has always been rather firm in enforcing the principle that the consent to the processing of personal data can never be acquired once for different purposes; in this case, nevertheless, if felt that the above purposes were all related and to request separate consent for each of them would involve excessive bureaucratisation.
At the same time, however, the Garante remarked that it would still be necessary to obtain multiple consents from each concerned person when personal data is collected not only for marketing purposes, but also for profiling purposes, and/or for transfer or disclosure of data to third parties. In this case, in fact, there is no homogeneity of the ends justifying the acquisition of a single consent.
The other novelty in the Guidelines relates to acquirement of consent on social networks.
The Garante specified that becoming “fan” of a particular company or “follower” of a particular brand name, product or service on a social network, can in itself imply valid consent to the sending of promotional communications concerning that brand, product or company, if the consent can be inferred from the context of the subscription.
In any other case, the use of personal data taken from users’ profiles on social networks in order to send promotional messages constitutes unlawful processing of personal data, if carried out without prior consent of the persons concerned.