- Obtaining consent for using personal data for marketing;
- The disclosures that you need to provide to users if you would like to use their personal data for marketing; and
- The rights of individuals that are relevant to marketing.
How does GDPR affect marketing: obtaining consent
The first aspect of how does GDPR affect marketing is the requirement to obtain consent. In general, GDPR prohibits the collection, use or disclosure of personal data for any reason, unless an exception, also called a legal basis, applies. The legal basis for collecting and using personal data is usually consent, where the individual agrees to such processing. In this case, consent is defined as “any freely given, specific, informed and unambiguous indication of the individual’s wishes by which, he or she, by a statement or a clear affirmative action, signifies agreement to the processing of personal data.”
- Your identity;
- The purpose for which you will use the personal data that you collect (e.g. email marketing);
- What data you will collect (e.g. email address);
- The fact that the individual can withdraw their consent at any time;
- Information about the use of data for automated decision-making; and
- Whether you plan to transfer data to another country outside of the European Union and where you intend to transfer that data to.
If you previously obtained consent for processing data but now want to use that data for marketing purposes, you must obtain new consent for this new purpose. It is important to note that you cannot use personal data for marketing purposes without first obtaining the consent of the individual.
- An affirmation that you will use the personal data that you collect for direct marketing purposes;
- An explanation of what direct marketing is;
- A statement that users may opt out of the use of their data for direct marketing purposes at any time; and
- Instructions on how a user may opt out.
- Your contact details;
- The contact details of your Data Protection Officer, where applicable;
- Where the processing is based on Article 6(1)(f), the legitimate interests pursued by you or a by a third party;
- The recipients or categories of recipients of the personal data, if any;
- The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
- A list of the rights provided to individuals under GDPR;
- The right to lodge a complaint with a supervisory authority;
- Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences for failure to do so; and
- Whether you will use that data for automated decision-making, including profiling. If so, you must include meaningful information about the logic involved as well as information on the consequences of such processing to the individual.
How does GDPR affect marketing: the rights of individuals
The last consideration of how does GDPR affect marketing is individuals exercising their privacy rights. While there are many GDPR privacy rights, the following rights can affect marketing the most:
- Right to erasure, where individuals can ask an organization to delete all of the personal data that is held about that individual. If you delete the data, you obviously cannot use it any more, for any purpose;
- Right to withdraw consent, meaning that individuals can withdraw their consent to the processing of their personal data at any time. If an individual withdraws their consent, you cannot use that data for marketing purposes; and
- The right to rectification, where individuals have the right to ask you to correct any incorrect data that you hold about them such as their name or email address.
The above privacy rights can have a big impact on your marketing efforts and you must ensure that you follow them because failure to do so can lead to high penalties and fines.
Donata is the Co-founder and President of Termageddon, an auto-updating generator of website and application policies. She is a licensed attorney and Certified Information Privacy Professional. She also serves as the Vice-Chair of the American Bar Association’s ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals. In her free time, Donata enjoys beekeeping, hunting for morel mushrooms, and walks with her husband and two dogs.