For the GDPR deadline of 25 May, many organizations have sent emails asking for consent for
the future processing of personal data for direct marketing activities. The purpose of these
requests was usually to still establish consent according to the requirements of the GDPR. In
this context, it is important to know that the way in which organizations can use 'direct marketing'
is laid down in legislation other than the GDPR; namely, national legislation that derives from the
European ePrivacy directive. In the UK, for example, this is laid down in the Privacy and
Electronic Communications Regulations (PECR), and in the Netherlands, in the
Telecommunications Act (anti-spam laws).
Moreover, practice has shown that the way in which many of these emails were sent has not
been very effective, partly because the request for permission was related to too generic
information (for example, being allowed to continue sending newsletters), and did not address
the specific needs and preferences of the recipient. Many organizations have been unable to
make the relevance of their consent requests sufficiently clear. In our view, 'relevance' is the
commercial leverage of the direct marketing challenge.
Roughly speaking, you can make a distinction in direct marketing between the front office and
back office activities. In the back office you will find activities such as business analysis,
segmentation, profiling and re-targeting. The front office maintains the relationship with the
customer or prospect.
This article focuses on front office, direct marketing, meaning targeted marketing activities and
communication channels through which contact is made with both prospects and customers with
the aim of establishing and maintaining commercial relations. Examples include newsletters,
email campaigns, targeted website advertisements, telemarketing (e.g., call centers), but also
customer contact at trade fairs and customer visits.
The legal aspect of direct marketing
What has changed since 25 May 2018? The obligations regarding the recording and
demonstration of the lawfulness of processing fall within the scope of the GDPR. Most front
office, direct marketing activities also fall under the anti-spam laws. This also applies to the
statutory supervision of these activities and any resulting fines.
Front Office – ePrivacy is leading
In the front office, we first have to deal with ePrivacy legislation (anti-spam laws) when
information is sent unsolicited to individuals through digital means (e.g., newsletters, email
campaigns, offers).
Active consent (opt-in) is required to be able to send these messages. In some cases there may
be a 'soft opt-in', for example, in the case of offering or providing information about similar
products or services. There is a fine line; if messages are insufficiently related to previously
obtained products or services, then active consent is again required.
Current ePrivacy legislation refers to the GDPR for the definition of 'consent.' However,
enforcement is still covered by anti-spam laws, which means that, for the time being, the
financial risk of fines is still lower than under the GDPR. But, be aware, this is going to change.
For violation of anti-spam laws, 'GDPR-like' fines will be introduced in the future.
1