The negotiations between the European Commission, Council and Parliament have closed, with news of the final agreement emerging overnight.
This agreement is significant as it sets the text that the European Data Protection Regulations will stick to. These define the parameters for handling personal data, which in turn set the legal parameters for all digital marketing carried out in the EU.
So we had better pay attention.
While the text may be agreed, this is not the end of the story for this legislation. The Parliament still has to ratify the text, which is not a given, and there remain some holes that need to be decided, such as the value of fines for companies that break the rules.
Before we dive in, it's also necessary to define some terms:
Processing means manipulating data – increasingly useful for marketers.
Legitimate interest refers to legal reasons behind processing. One of the valid legal grounds for processing is when it's carried out in the legitimate interests of an organisation. This could include where a company and an individual have an existing relationship, for example if the individual is a customer of a company.
While processing for direct marketing purposes is considered a legitimate interest, if an organisation relies on legitimate interest for its processing then it needs to make a careful assessment of the relationship between it and the individual. You have been warned.
The full text is long and wide-ranging, and the full implications will not be rooted out for a while yet. So far, we have five points to explore:
1. Definition of personal data
Personal data is any information relating to an identified or identifiable person. How companies interact with personal data is the focus for the legislation.
An identifiable person is somebody who can be identified directly or indirectly, particularly by reference to a name, identification number, location data or online identifier.
Whether or not online identifiers such as cookies fall into the definition of personal data will depend on where they are placed in the online ecosystem.
For example, a cookie placed by my internet service provider will be classified as personal data as it could identify me, whereas a cookie that is placed by an advertiser lower down the online ecosystem, and that cannot be linked to my email address or anything else which could identify me, is unlikely to be considered as personal data.
This represents a sensible compromise as it was feared that all online identifiers would be considered as personal data. This separation means non-identifiable, 'blind' data can be more widely used than identifiable personal data.
The text could refer to unambiguous consent or explicit consent, which is a stricter definition. Under this definition consent for postal and telephone marketing can still be given on an unsubscribe or opt-out basis.
Either way, marketing organisations should bear in mind that the rules on consent will tighten up. Information must be provided concisely, in a transparent and intelligible way, and be easily accessible using clear and plain language.
The days when consent could be buried in lengthy terms and conditions are numbered.
3. Right to object (unsubscribe/opt-out)
Under the new regulation, individuals will have the right to object to any processing of their personal information, including profiling, at any time and free of charge. If individuals object, then their personal information can no longer be processed for marketing purposes.
Most marketers will use the legitimate interest grounds for processing personal information (see above) if they are using unsubscribe/opt-out methods. But the right to unsubscribe/opt-out must be brought to the attention of the individual in the first communication and be clearly and separately stated.
Again, existing unsubscribe/opt-out language will need to be revised.
Profiling has now been included under the label "automated decision making". Individuals have the right not to be subject to the results of automated decision making, including profiling, which produces legal effects on them or otherwise significantly affects them.
So, individuals can opt out of profiling.
But individuals have no right to opt out of profiling if they have already explicitly consented to it, or if profiling is necessary under a contract between an organisation and an individual, or if profiling is authorised by EU or Member State Law.
5. Direct marketing as a legitimate interest
Wording in the text recognises that the processing of personal information for marketing purposes may be regarded as carried out for a legitimate interest.
James Milligan is a solicitor at DMA