The GDPR: General Data Protection Regulation is a complex and highly enforced privacy law that protects the personal data of residents of the European Union. The law has very strict requirements, such as having a comprehensive Privacy Policy, processing data only when there is a legal basis to do so, and respecting the privacy rights afforded to individuals. If you send email newsletters, reach out directly to potential customers or advertise online, you may be asking how does GDPR affect marketing. Contrary to the beliefs of some marketers, GDPR does not completely prohibit marketing, it only ensures that marketing activities are responsible and respectful of privacy rights. In this article, we will discuss how does GDPR affect marketing, including:
- Obtaining consent for using personal data for marketing;
- The disclosures that you need to provide to users in your Privacy Policy if you would like to use their personal data for marketing; and
- The rights of individuals that are relevant to marketing.
How does GDPR affect marketing: obtaining consent
The first aspect of how does GDPR affect marketing is the requirement to obtain consent. In general, GDPR prohibits the collection, use or disclosure of personal data for any reason, unless an exception, also called a legal basis, applies. The legal basis for collecting and using personal data for marketing purposes is usually consent, where the individual agrees to such processing. In this case, consent is defined as “any freely given, specific, informed and unambiguous indication of the individual’s wishes by which, he or she, by a statement or a clear affirmative action, signifies agreement to the processing of personal data.”
For consent to be proper, the user should have a free choice. Consent must also be affirmative, meaning that pre-checked boxes or the assumption of consent because a user is still on your website would not be appropriate. Finally, the consent must be informed, meaning that the user must understand what he or she is agreeing to. From a consent perspective, you must have a Privacy Policy that includes the following disclosures:
- Your identity;
- The purpose for which you will use the personal data that you collect (e.g. email marketing);
- What data you will collect (e.g. email address);
- The fact that the individual can withdraw their consent at any time;
- Information about the use of data for automated decision-making; and
- Whether you plan to transfer data to another country outside of the European Union and where you intend to transfer that data to.
If you previously obtained consent for processing data but now want to use that data for marketing purposes, you must obtain new consent for this new purpose. It is important to note that you cannot use personal data for marketing purposes without first obtaining the consent of the individual.
Additional disclosures that you need to make in your Privacy Policy
The second item of how does GDPR affect marketing is that your Privacy Policy must include a statement on direct marketing. This statement should include the following disclosures:
- An affirmation that you will use the personal data that you collect for direct marketing purposes;
- An explanation of what direct marketing is;
- A statement that users may opt out of the use of their data for direct marketing purposes at any time; and
- Instructions on how a user may opt out.
In addition to the disclosures discussed above, your GDPR Privacy Policy must also disclose:
- Your contact details;
- The contact details of your Data Protection Officer, where applicable;
- Where the processing is based on Article 6(1)(f), the legitimate interests pursued by you or a by a third party;
- The recipients or categories of recipients of the personal data, if any;
- The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
- A list of the rights provided to individuals under GDPR;
- The right to lodge a complaint with a supervisory authority;
- Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences for failure to do so; and
- Whether you will use that data for automated decision-making, including profiling. If so, you must include meaningful information about the logic involved as well as information on the consequences of such processing to the individual.
Your Privacy Policy must disclose all of the information above and also must be easily accessible to your website’s visitors. Failure to comply could not only negate the consent of the individual but also put you at risk for privacy-related fines.
How does GDPR affect marketing: the rights of individuals
The last consideration of how does GDPR affect marketing is individuals exercising their privacy rights. While there are many GDPR privacy rights, the following rights can affect marketing the most:
- Right to erasure, where individuals can ask an organization to delete all of the personal data that is held about that individual. If you delete the data, you obviously cannot use it any more, for any purpose;
- Right to withdraw consent, meaning that individuals can withdraw their consent to the processing of their personal data at any time. If an individual withdraws their consent, you cannot use that data for marketing purposes; and
- The right to rectification, where individuals have the right to ask you to correct any incorrect data that you hold about them such as their name or email address.
The above privacy rights can have a big impact on your marketing efforts and you must ensure that you follow them because failure to do so can lead to high penalties and fines.
As you can see, there are quite a few answers to how does GDPR affect marketing – you must properly obtain consent, provide specific disclosures to individuals, and respect the privacy rights afforded by GDPR. In terms of providing the right disclosures in your Privacy Policy, use Termageddon’s Privacy Policy generator to help avoid privacy-related fines.
