
GDPR and marketing: how to manage user consent

Published on 14 March 2023

When it arrived, GDPR shook up the habits of marketing departments by imposing new obligations on companies. However, these obligations are not all new in France, as GDPR can be considered a reinforced version of our former Data Protection Act (law no. 78-17 of January 6, 1978).

In 2018, on the eve of GDPR’s implementation, many of us received an avalanche of invitations from marketing departments to consent to receive solicitations from them. This year, four years later, the focus is back on marketing departments with the CNIL’s announcement of commercial prospecting as one of its areas of supervision for 2022.

What impact will GDPR have on marketing services? The core activity of a marketing department requires the processing of personal data of customers and potential consumers: presentation – sometimes personalized – of goods and services to stimulate the need, collection of opinions on these goods and services, monitoring and analysis of the paths of Internet users, establishment of various statistics … The use of personal data in marketing is now inevitable.

It is therefore essential for marketing departments to be able to comply with the rules protecting individuals’ personal data. How can companies comply with these requirements? What practices should be adopted?

1. The necessity of collecting consent (opt-in) and its limits

1) Consent but not only that: the existence of other legal bases

When GDPR arrived, the focus on the data subject’s consent to justify any data processing may have overshadowed the other five legal bases provided for in Article 6.1 (performance of a contract, legal obligation, legitimate business interest …). Although, in the context of data processing for marketing activities, the knowledge and stimulation of people’s needs often requires their consent, certain situations do not necessarily require it.

In its reference framework on the management of marketing activities published in February 2022, the CNIL proposes other legal bases for certain marketing operations: the legitimate interest of the company can be used for commercial prospecting actions without the need to collect consent:

  • to consumers: by mail, by telephone calls; and by electronic means, for similar goods and services already purchased/subscribed from the data controller (the CNIL specifies that when the canvassing is not commercial in nature – charitable, for example – it is then possible to switch to the legal basis of the data controller’s legitimate interest).
  • to professionals generally (i.e., by electronic means, by mail or telephone)

2) Specific consent to cookies

The use of cookies and other tracers (tracking pixel, fingerprinting, etc.) in order to allow, for example, personalized advertising requires the collection of the Internet user’s consent.

NB: here the consent requested from the Internet user does not derive from GDPR but from Article 82 of the French Data Protection Act (from Article 5.3 of the e-Privacy directive). Therefore, as it is not a choice between six potential legal bases of GDPR but a binary choice imposed by the directive (consent or not), the legitimate interest cannot be used for a cookie to be deposited or read!

Nevertheless, there is a link between the consent to the deposit of a cookie and the consent of GDPR: the consent of Article 82 of the French Data Protection Act must meet the same characteristics as those of the consent posed by GDPR … that we will detail.

3) The “proper” collection of consent

Articles 4(11) and 7 of GDPR impose new standards on consent to data processing. Consent must be given by a clear affirmative act that is “free, specific, informed and unambiguous.” Let’s detail these requirements:


  • Unambiguous: the individual must express consent. Their silence or lack of action to say “yes” (e.g., continuing to browse your website without clicking “yes” to cookies, not unchecking a pre-checked box, etc.) does not constitute consent;
  • Free: consent must not be conditioned (for example, it must not be mandatory to accept advertising cookies to access a website);
  • Specific: the act of consent is to be performed for each purpose of processing, in a dissociable way (for example, a form will have to contain several boxes to be checked, one for each purpose to be consented to);
  • Enlightened: in order to have really consented, the person must know what they are consenting to. It is therefore necessary to provide a certain amount of mandatory information (see Article 13 of GDPR). To this end, GDPR specifies that individuals must receive information delivered “in a concise, transparent, understandable and easily accessible manner, in clear and simple terms” (Article 12). Thus, it is possible – and even necessary – to tailor the provision of information to situations and media. In a digital environment, for example, as explained by G29, you can provide information at different stages of the user journey. From a marketing perspective, this thus balances the information requirement with the fluidity of the engagement process.
  • Beware of minors’ consent for information society services provided directly to children (such as “information related to products or services, including marketing activities” as explained by G29). In France, the processing of personal data of a child under the age of 15 based on consent is only lawful if the consent is given or authorized by the legal guardian. G29 also explains that in the context of low-risk processing for individuals, “verification of parental responsibility by email may be sufficient.”

Once “properly” collected, the data controller must be able to provide evidence that consent has been obtained. As GDPR does not prescribe precisely how this should be done, data controllers are free in this demonstration (which refers to the principle of accountability). It is then possible, for example, to rely on a time-stamped click or act of navigation to prove this collection; it can also be a signature on a paper or electronic form, even if this method proves to be very unsuitable for marketing processing. The practice of double opt-in (reconfirming one’s agreement to receive solicitation emails in an initial confirmation email) is also a good practice. The EDPB (a European committee composed of national representatives of supervisory authorities, such as the CNIL in France) suggests, for example, “in the online environment, keeping information about the session in which consent was given, along with documentation of the consent workflow at the time of the session and a copy of the information provided to the data subject at the time.”

4) The need for renewed consent

In some cases, it is also necessary to regularly renew the consent of the person concerned.

This is the case of the deposit/reading of cookies on the Internet user’s terminal. In this situation, the CNIL explains in its recommendations relating to cookies that the user’s consent may be forgotten by the latter over time. Therefore, the Commission recommends that the user’s consent be renewed at regular intervals. To this end, the CNIL considers a period of 6 months to be good practice.

GDPR does not require the renewal of consent at regular intervals. However, the ICO (British equivalent of the CNIL) recommends a renewal of the consent every 2 years within the framework of the protection of the privacy of individuals.
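The evidence requirements above (a time-stamped affirmative act, the session in which consent was given, the workflow and notice shown at the time), together with the renewal intervals and the withdrawal right discussed in this article, translate into a small consent ledger. The following Python module is an added example written for this page, not code from the original article or from any CNIL/EDPB tooling; the record fields, the `ConsentLedger` class and the sample form submission are assumptions chosen to illustrate the points, and the renewal periods are the 6 months and 2 years quoted in the text.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import Optional

# Renewal intervals quoted in the article: 6 months (CNIL, cookies), 2 years (ICO).
COOKIE_RENEWAL = timedelta(days=183)
MARKETING_RENEWAL = timedelta(days=730)


@dataclass
class ConsentRecord:
    """One consent act for one purpose (the 'specific' requirement)."""
    subject_id: str
    purpose: str
    given_at: datetime          # time-stamped click: proof of the affirmative act
    session_id: str             # session in which consent was given (EDPB suggestion)
    workflow_version: str       # identifies the consent workflow shown at the time
    notice_sha256: str          # hash of the information notice actually displayed
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Append-only store of consent evidence; one record per consent act."""

    def __init__(self) -> None:
        self._records: list[ConsentRecord] = []

    def record_form_submission(self, subject_id: str, boxes: dict, prechecked: set,
                               session_id: str, workflow_version: str,
                               notice_sha256: str, now: datetime) -> list:
        """Record only the purposes the user actively ticked.

        `boxes` maps purpose -> bool as submitted; `prechecked` lists boxes that
        were already ticked when the form was displayed. A pre-checked box is
        not an unambiguous affirmative act, so it is ignored even if it came
        back ticked. Returns the purposes for which consent was recorded.
        """
        accepted = []
        for purpose, ticked in boxes.items():
            if not ticked or purpose in prechecked:
                continue
            self._records.append(ConsentRecord(
                subject_id, purpose, now, session_id, workflow_version, notice_sha256))
            accepted.append(purpose)
        return accepted

    def _latest(self, subject_id: str, purpose: str) -> Optional[ConsentRecord]:
        matches = [r for r in self._records
                   if r.subject_id == subject_id and r.purpose == purpose]
        return matches[-1] if matches else None

    def withdraw(self, subject_id: str, purpose: str, now: datetime) -> bool:
        """Opt-out: mark the current consent as withdrawn (Article 7.3)."""
        rec = self._latest(subject_id, purpose)
        if rec is None or rec.withdrawn_at is not None:
            return False
        rec.withdrawn_at = now
        return True

    def is_valid(self, subject_id: str, purpose: str, now: datetime,
                 renewal: timedelta) -> bool:
        """True only if consent exists, was not withdrawn, and is within the renewal window."""
        rec = self._latest(subject_id, purpose)
        if rec is None or rec.withdrawn_at is not None:
            return False
        return now - rec.given_at < renewal

    def evidence(self, subject_id: str, purpose: str) -> Optional[dict]:
        """What the controller can produce to demonstrate consent (accountability)."""
        rec = self._latest(subject_id, purpose)
        return None if rec is None else asdict(rec)


if __name__ == "__main__":
    # Constructed sample submission: 'partner_sharing' was pre-checked on the form.
    t0 = datetime(2023, 3, 14, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    print(ledger.record_form_submission(
        "user-1",
        {"newsletter": True, "ad_cookies": True, "partner_sharing": True, "surveys": False},
        {"partner_sharing"}, "sess-42", "form-v3", "<sha256 of notice>", t0))
    print(ledger.is_valid("user-1", "ad_cookies", t0 + timedelta(days=200), COOKIE_RENEWAL))
```

Each purpose gets its own record, so a withdrawal of one purpose leaves the others intact, and the cookie check fails once the 6-month window has elapsed even though the newsletter consent, checked against the 2-year window, is still valid.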

Finally, as a reminder, if the data had been collected before GDPR came into force (May 25, 2018), the marketing treatments are only legal if the consent has been collected under the conditions provided by GDPR and detailed above (opt-in).

2. The opt-out requirement

Consumers or professionals can stop taking an interest in solicitations from marketing services. In addition to the annoyance of receiving unwanted solicitations (and the potential for them to become spam), which would produce the opposite effect of that sought, the regulations require that it be possible to stop these solicitations:

  • When the processing is based on the consent of the individual (opt-in), the individual must be able to withdraw it (opt-out) at any time (Article 7.3 of GDPR);
  • When the processing is based on the legitimate interest of the company, the data subject can exercise their right to object (from Article 21 of GDPR) at any time. In concrete terms, several options are possible: inserting an unsubscribe link in an email, proposing a user interface to manage their consent.
  • The e-Privacy Directive intersects here again with GDPR: in the context of commercial prospecting by electronic means, its Article 13 (transposed into article L34-5 of the French Post and Electronic Communications Code) makes it essential to propose in each electronic message a simple means of objecting to the receipt of new solicitations (for example with a link to unsubscribe at the end of the message).

3. Conclusion: Practical and long-term impact on marketing operations

1) In practice, how does this impact marketing operations?

The first step will be the distinction between the categories of data subjects:

  • is the person a professional or a consumer?
  • is the person a client or a prospect?

This will influence whether or not consent (opt-in) is required.

The second step is to insert the opt-in mechanism if necessary and, regardless of the need for opt-in, to inform the person of the use of their data to carry out prospecting:

  • For prospects: for example, when downloading white papers or participating in contests, insert a box to be checked by the person to receive commercial proposals, clearly indicating the purpose of the use of their email address by the company;
  • For professionals or clients: for example for clients, indicate at the time of the order that the client’s email address will be used to send them commercial proposals.

Point of attention, sponsorship (referral schemes): here, the company asks a person to fill in the details of a third party who may be interested in a commercial offer, an article or an online ad. In this situation, personal data of a sponsored person who has never given their consent are processed. The CNIL allows this departure from the principle of consent under certain conditions:

  • The recipient must be informed of the identity of their sponsor;
  • The sponsored person’s data can only be used once: to send them the offer, article or advertisement suggested by the sponsor;
  • It is not possible to keep the data of the sponsored person to send them other messages without their consent.

2) What are the long-term impacts on marketing operations since the arrival of GDPR?

The larger the database of customers and prospects, the more numerous the targets and potentially the greater the number of conversions. Nevertheless, compliance with GDPR and more generally with the protection of personal data sets limits to the collection of mass data. Moreover, it is forbidden to reuse data for another purpose than the one for which it was collected.

The challenge is therefore to go beyond the stage of constraint and turn these requirements into opportunities. The protection of personal data forces marketing to refocus on quality rather than quantity. This implies, for example, in the case of electronic commercial prospecting, a reduction in the number of people reached by the prospecting operations. The opportunity can be perceived in the image of the company: people who would otherwise move these solicitations straight to their trash or spam folder are no longer annoyed with the sender. The opportunity can also be perceived from an environmental point of view, with a reduction of the pollution generated by Internet traffic.


– Nathan Brichet