The European Union's General Data Protection Regulation ("GDPR") is arguably the most comprehensive - and complex - data privacy regulation in the world. As companies prepare for the GDPR to go into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.

To help address that confusion, Bryan Cave is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR, and concerning related data privacy laws in the European Union.

Question: Are companies required under European Laws (other than the GDPR) to get opt-in consent before direct marketing?

Answer: The GDPR expressly states that companies may have a legitimate interest in the processing of personal data for direct marketing purposes.¹ If this legitimate interest is not overridden by the individual’s interests or fundamental rights and freedoms, it can serve as a legal basis for the data processing even if the company has not obtained consent. This should not be interpreted as a carte blanche for sending direct marketing to individuals without their prior consent, however.

Directive 2002/58/EC (ePrivacy Directive) provides specific obligations related to direct marketing that is sent using phone, fax, e-mail and other electronic means.  Among other things it generally prohibits the use of “automated . . . communication systems without human intervention” – including automated systems that send electronic mail – unless an individual has provided their “prior consent” to receive such communications.²

Prior consent, however, does not always mean “opt-in” consent.  Specifically, the ePrivacy Directive permits a company to infer, or assume, consent with regard to information obtained from certain clients or business partners.³  This presumption is often referred to as the “soft opt-in.”

In order to rely upon a soft opt-in to send a marketing communication the following criteria must be met:

(1)  the company must have obtained the contact information of an individual in the context of a sale of a product or service to that individual,

(2) when the company collected the contact information the individual was presented with the option not to receive marketing materials (e.g., to opt-out of marketing),

(3) the marketing sent relates to the company’s own products or services (i.e., the marketing does not relate to a third party’s products or services),

(4) the marketing sent relates to products or services that are similar to those products or services that were already purchased by the individual (i.e., the advertisement relates to the same business line or industry as the client already equates with the company),

(5) each marketing communication provides the recipient an option not to receive future marketing materials (e.g., an unsubscribe link).⁴

Individual member states have also enacted their own legislation which, in some situations, provide additional restrictions on whether consent must be obtained, and in what situations consent can, or cannot, be inferred.

1. GDPR, Recital 47.

2. ePrivacy Directive Article 13(1).

3. ePrivacy Directive Article 13(2).

4. ePrivacy Directive Article 13(2).

[View source.]