There are some cases where consent of the end-user is mandatory: this is the case for direct marketing, a category of advertising covering various techniques.
As of now, the ePrivacy Directive required consent in relation to “the use of automated calling systems without human intervention (automatic calling machines), facsimile machines (fax) or electronic mail for the purposes of direct marketing”. This included various electronic communication methods using the end-user’s contact details, whether automated (automatic calling machines, etc.) or not (fax, e-mail, SMS, etc.) as long as it was used for direct marketing.
The Directive did not define direct marketing but it was obvious that it applied to “messages” (§ 41 and 43 of the preamble). The French Electronic Communications Code – when transposing this rule – specified that “direct marketing constitutes in the sending of any message meant to promote directly or indirectly the goods, service or image of a person selling goods or providing services”. Interpretation of this notion by the French CNIL therefore focused on techniques which did imply the sending of a message, up until 2016 with its decision n°2016-264.
⚠ Updated October 2020 : Didomi recently published an article on the new recommendations of the CNIL. Discover our article on the subject here. Or, contact us to organise a free demo and ensure compliance.
Presentation of online advertising
In the UK, on the other hand, the ICO made clear that direct marketing – defined as “the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals” – could extend to “online marketing, social networking or other emerging channels of communication”, provided the material is indeed directed at particular individuals.
Want to find out more about UK data protection regulation? Check out our blog post on the subject here.
In the various versions of the ePrivacy regulation proposal, consent is required in relation to the “use of electronic communications services for the purposes of sending or presenting direct marketing communications”. Furthermore, direct marketing is defined as “any form of advertising, whether written or oral, sent or presented to one or more identified or identifiable end-users of electronic communications services“.
These elements explicitly confirm the fact that the requirement for consent extends to any advertising directed to a group of specific end-users. This includes advertising through social media websites or display banners when a custom audience is concerned, because persons belonging to this audience will necessarily be “identifiable” in a way or another.
Which techniques will escape this requirement for consent? Only indiscriminate blanket marketing such as magazine inserts, or adverts shown to every person who views a website, to the exclusion of any tailored advertising based for example on the end-user’s profile.
Responsibility for obtaining consent
Which entity will be in charge of obtaining and evidencing this consent? In the situation where the advertiser directly addresses the end-user, the answer is quite straightforward. What – on the other hand – should be the rule when the advertiser addresses the end-user through one or more service provider(s) which analyses and determines the audience within its own database (a data broker), collects the data from the audience and serves the advertising (a publisher), or both (a social media service)?
Although this is not clearly stated in the directive or in the regulation proposal, it makes sense to consider that the person “transmitting the communication or on behalf of whom the communication is transmitted” (the advertiser) will in any case be required to demonstrate such consent as it is the beneficiary as well as the person determining the purpose of the direct marketing operation. In many occasions though, services providers will be likely to bear the same responsibility, especially in the situation where they also determine the purpose of the marketing operations by providing standard services or have an exclusive control over the audience database.
Is this the end of custom audiences made of lookalikes of customers? Or is it just the beginning of more consent requests?
Want to ensure data compliance for your company whilst continuing to optimize monetization? Contact us!