Things are so hectic in the data privacy world at the moment that it amazes me how any lawyers or privacy professionals are able to write any commentary or articles on top of their day jobs. That’s partly why my last post on this blog was from January.
However, so many clients and other people have asked about the scope and operation of the right to object to direct marketing (“including profiling”) under Art 21(2) GDPR that I thought it worth writing a short post about it.
Art 21(2) GDPR says the following:
“Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.”
The first point to note is that this is an “absolute” right and it doesn’t matter what legal basis any such direct marketing is being justified under.
This is different to the right to object under Art 21(1) which only applies to processing based on the “public interest” ground (Art 6(1)(e)) or “legitimate interests” (Art 6(1)(f)) and which is subject to the controller having the opportunity to demonstrate compelling legitimate grounds to continue processing etc. Under Art 21(2), there is no such qualification and, as per Art 21(3), when the individual objects to processing for direct marketing purposes, the processing has to stop.
It’s worth noting that, in practice, generally only “consent” or “legitimate interests” under Arts 6(1)(a) or (f) respectively would be applicable as a legal basis for direct marketing. There are various complexities and important considerations to the extent legitimate interests will be relied on for direct marketing, but this is beyond the scope of this post (although see the DPN Legitimate Interests Guidance for advice on this area).
Think “processing”, not “sending”
The second point to note is an area in which I’ve seen marketers get very confused. Lots of people I’ve met recently refer to the right under Art 21(2) as a “right to opt-out of being sent direct marketing”.
This is incorrect.
The wording of Art 21(2) is that the individual has “the right to object at any time to processing of personal data concerning him or her for such marketing”. As readers of this post may know, “processing” is defined very broadly under Art 4(2) GDPR as follows:
“…any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”
So if we apply that definition to Art 21(2) you get something like the following:
Where [any operation or set of operations is performed on personal data] for direct marketing purposes, [whether or not by automated means] [(such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction)], the data subject shall have the right to object at any time to [the performance of any of those operations] for direct marketing purposes…
The above is obviously very wordy, which is why the defined term “processing” is used instead. However, what it hopefully demonstrates is that the right to object to direct marketing is not a right to opt out of being sent direct marketing. Rather, it is a right to opt out of absolutely anything being done with someone’s data whatsoever to the extent done for direct marketing purposes, irrespective of whether that involves actually sending direct marketing to the individual.
It’s also worth noting that this is broadly the current position anyway, as Art 14(b) of the 1995 Data Protection Directive also refers to the right to object to the “processing” of personal data for direct marketing purposes.
An example of this could be segmentation – i.e. the act of classifying someone in a particular marketing category and storing data relating to them in, say, a data management platform (DMP) or a CRM database managing those segments (e.g. Male, Age 35-44, supports Tottenham) – this in and of itself would constitute “processing” for direct marketing purposes and is therefore subject to the absolute right to object.
Another related and slightly complex point is the example of using first party data for “Lookalike Audiences”. Broadly speaking this is a form of targeting (offered by many platforms, in particular social media) which enables an advertiser to target advertising to people who are likely to be interested in the advertiser’s business because they’re similar to the advertiser’s existing customers. In this case, the “existing customers” aren’t actually being sent any direct marketing, but it seems highly likely that the use of their data in order to build a lookalike audience (to then target other prospective customers) would constitute the processing of the existing customers’ personal data for direct marketing purposes.
The third point that often comes up is confusion around the reference to “profiling” in Art 21(2) (my emphasis added):
“…the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.”
The definition of profiling in Art 4(4) is as follows:
“any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;”
If you strip away all the extra wording from the above and only look at the key elements which are most relevant for marketing, you’d get something like the following:
“any automated processing to evaluate, analyse or predict people’s personal aspects (e.g. economic situation, interests, behaviour, or location)”.
The above basically means segmentation (or marketing analytics). As you’ll see from the point above regarding the definition of “processing”, this type of activity would already constitute “processing” so would already be captured by the right to object (to the extent undertaken for direct marketing purposes) irrespective of whether it refers to “profiling” or not.
The reference to profiling is therefore a bit of a red herring because “profiling” is just “processing” (note that the definition of profiling specifically includes the word processing).
Direct marketing is not just mailshots
The final point to make is that direct marketing is not just mailshots. Much like the Data Protection Directive, the GDPR doesn’t actually define “direct marketing”.
In the UK, s.11(3) of the Data Protection Act 1998 does define “direct marketing” very broadly as (my emphasis added) “the communication (by whatever means) of any advertising or marketing material”. In the various pieces of ICO guidance (e.g. paras 33-36 of the ICO Direct Marketing guidance) it’s also clear that the ICO will interpret “direct marketing” broadly.
The clearest example of the breadth of what constitutes direct marketing comes from the various proposals of the forthcoming ePrivacy Regulation. In particular, in the last version of the ePrivacy Regulation (at the time of writing, this is the LIBE committee draft which was published at the end of October 2017), “direct marketing” is expressly defined in Art 4(3)(f) to include any form of advertising which is, amongst other things, “sent, served or presented”.
I interpret the above as an intention to specifically include targeted display ads within the scope of direct marketing – this is consistent with the various opinions that were published on the draft Regulation as it’s made its way through the European legislative process (e.g. the WP29 Opinion and the 2016 EDPS opinion). Although the eagle-eyed among you will also notice that the obligation to obtain prior consent for direct marketing under Art 16(1) of the ePrivacy Regulation only applies to the “presenting” or “sending” of direct marketing (and not the broader concept of “processing”) – however that’s another story!
So in summary, as per many aspects of the GDPR, whilst the drafting may not be the most eloquent, there is much more to it than meets the eye when you dig below the surface.