The Italian Data Protection Authority issued some guidelines aimed at setting out general regulations on privacy-related obligations concerning direct marketing practices and against spamming initiatives which provide very interesting insights.
The most interesting topics covered in the guidelines are the following:
Company email address
E-mail addresses structured like the following firstname.lastname@example.org will be deemed to be personal email addresses i.e. data relating to individuals rather than companies for the purposes of Italian data protection law with the consequential need to comply with all the obligations prescribed by Italian data protection law and the possibility for the individual to rely on all the potential actions provided by data protection regulations. This was still an open issue for some aspects.
Opt-in for marketing communications
The general rule for the processing of personal data for marketing purposes is that it requires the prior express consent (opt-in) and it is not possible to merely either warn recipients of their right to object to the future delivery of marketing communications or require the consent to the delivery of marketing communications as part of a marketing communication itself. Such consent shall be recorded with reference to its date and the person giving it in order to be used as evidence of the consent.
No unique consent for products/services and privacy
It is not possible to obtain the privacy-related consent as part of a wider consent necessary to acquire a product/service and for instance two separate consents shall be required for the registration to a website and the opt-in to the delivery of marketing communications. Likewise, the privacy consent box cannot be pre-ticked, but customers shall be able to provide a separate consent for each data processing purpose.
This is a very frequent issue for businesses that obviously try to incorporate in a single consent both the acceptance of Ts&Cs and the consent to the delivery of marketing material.
Unique marketing consent for different channels of communication
This is a major change in the approach from the Italian Data Protection Authority since up until now, they requested a separate consent per channel of communication which was extremely burdensome for businesses.
Separate consent for marketing by third parties
An additional separate consent shall be required for the transfer of collected personal data to third parties for marketing purposes i.e. if the entity collecting the data is part of a larger group and wants that its affiliate company may use the collected data for the delivery of marketing communications relating to their products, an additional consent shall be required.
Privacy regulations apply also to communications sent for instance through private messages on Facebook or through Skype, WhatsApp or Messenger. On the contrary, if a person is a fan or a follower of a Facebook page or a Twitter account, it may be implied that the person consented to the delivery of marketing communications of on the page/account, but such delivery shall stop when the person unregisters from the page or ceases to follow the account.
The breach of the above mentioned obligations is subject to fines as well as criminal sanctions and therefore they cannot be underestimated.