Direct Marketing under GDPR

Image of Carlo Cilento

Published on Sep 18, 2023 and edited on Dec 19, 2023 by Carlo Cilento

Lots of people are confused when it comes to marketing and EU privacy law. We don’t blame them because the rules are as complicated as it gets.

This is because direct marketing falls under different laws: the GDPR and the old ePrivacy Directive. Looking at each law in a vacuum is insufficient- you must understand how they interact.

To make things even more complicated, EU Member States implemented the Directive in different ways, particularly regarding business-to-business (B2B) communications. As a result, some rules change from country to country.

This blog can only scratch the surface: to ensure that your direct marketing is 100% compliant, you need to look at each Member State’s legislation. Just because you are compliant with Dutch law does not mean you are compliant in Italy or Croatia!

Let’s dive in!

  1. What are the laws?
  2. Which law applies?
  3. What are the rules?
  4. Business-to-consumer (B2C)
    1. Opt-in and soft opt-it
    2. The GDPR: consent and legitimate interest
  5. Business-to-business (B2B)
  6. What else do I need to know?
    1. Be careful about data analysis!
    2. Identify your company in the emails
    3. Opt-outs and consent
  7. What about the ePrivacy Regulation?
  8. Conclusions
Logo of MichelinMichelin chose Simple AnalyticsJoin them

What are the laws?

Both the GDPR and the ePrivacy Directive apply to direct marketing.

You have probably heard of the GDPR: it is a very important Regulation and the central pillar of the EU data protection framework. Because it is a Regulation, the rules are the same for all Member States.

The ePrivacy Directive is an older EU law from 2002. As a directive, it does not apply directly. Instead, each Member State implements it through its own legislation. This is why the rules are similar but not the same across the EU.

Which law applies?

The rules for direct marketing depend on the applicable law. This is where it gets tricky, because the GDPR and the Directive use different criteria.

The Directive distinguishes business-to-consumer (B2C) and business-to-business (B2B) communications. The Directive regulates B2C communications but allows some margin for Member States to regulate B2B communications. As a result, the rules for B2C are (mostly) the same across Europe, but different States have different rules in place for B2B.

On the other hand, the applicability of the GDPR depends on the distinction between personal and non-personal data. The GDPR applies to all B2C marketing and some instances of B2B marketing.

To sum it up, we have three possible scenarios:

  • B2C communications (such as emailing johndoe@emailprovider.com) fall under both the GDPR and the Directive
  • B2B communications (such as emailing purchases@business.com) fall under specific rules adopted by Member States
  • B2B communications fall under the GDPR and under Member State rules when the contact information are personal data (for instance, emailing johndoe@business.com).

What are the rules?

As we explained, the rules depend on the type of communication. Here is an overview:

Business-to-consumer:

  • is opt-in or soft-opt-in for most Member States (more on this later!)

  • when consent is not collected, legitimate interest must be correctly balanced to comply with the GDPR. If this is not possible, consent is needed anyway! Business-to-business with personal data:

  • different States have different rules. Consent may or may not be required for marketing, depending on the State and the situation.

  • when consent is not collected, legitimate interest needs to be correctly balanced to comply with the GDPR. If this is not possible, consent is needed anyway! Business-to-business without personal data:

  • different States have different rules. Consent may or may not be required for marketing, depending on the State and the situation.

  • the GDPR does not apply. Therefore, no legal basis is needed for processing the data.

Let’s break it all down!

Business-to-consumer (B2C)

Opt-in and soft opt-it

Under the ePrivacy Directive, consent is mandatory for B2C marketing. This system is typically referred to as opt-in.

There is an exception for existing customers- the so-called soft opt-in rule. Under the soft opt-in rule, you do not need consent if five cumulative conditions are satisfied:

  • you collected the consumer’s email address in the context of a sale
  • you are promoting your own product or service
  • the service is similar to the one they already bought from you
  • you provided them with the option to opt out of the marketing when you collected the email
  • each email you send includes an option to opt out.

For instance, John Doe buys a subscription to your online newspaper and gives you his email address. During the subscription process you can provide him with an option to opt out from direct marketing during the subscription process. If he does not opt out, you can later contact him at johndoe@emailprovider.com to advertise another one of your publications - but you need to include an opt-out option in every communication.

Additionally, you cannot publicize your shampoo line or a newspaper from a different publisher or your publication via phone calls or SMS messages.

Please note that this explanation is accurate for most countries but not all. The implementation of the Directive differs between Member States: for instance, some countries require extra steps for a soft opt-in to be valid, and others do not allow for soft opt-ins at all.

What constitutes a sale also changes between countries. In some jurisdictions, a product or service must have been sold, while in others, it is enough to have entered a commercial relationship in the context of a sale, even if nothing was sold in the end.

The GDPR: consent and legitimate interest

The Directive is only half the picture: you also need a legal basis under the GDPR. In practice, this can be either consent or legitimate interest.

When the Directive requires consent, things are relatively simple: the Directive “trumps” the GDPR, and you can only use consent as your legal basis for direct marketing.

When the Directive does not require consent, you can choose between consent and legitimate interest, and this is where things get tricky.

Legitimate interest can be used for direct marketing, but there are some limitations; legitimate interest requires balancing conflicting interests and rights- in this case, a consumer’s right to privacy vs. a company’s interest in promoting their product or service.

Balancing is a complex, case-by-case assessment with no catch-all answers. There may be scenarios where you can use legitimate interest and scenarios where you cannot. In those cases, you will need consent, whether the Directive requires it or not!

In other words, the consent requirement for direct marketing is tricky because it depends on both the Directive and the GDPR. If you just look at the Directive, you are missing half the picture!

Business-to-business (B2B)

Business-to-business marketing addresses companies directly; for instance, an email sent to purchases@business.com or johndoe@business.com counts as B2B marketing.

As we explained, the Directive includes no rules for B2B marketing but leaves room for Member States to regulate the communication as they see fit.

The rules are entirely up to each Member State. Some jurisdictions require consent for B2B marketing, others allow it without consent, and others yet require consent but allow for a soft opt-in in certain scenarios. Finally, some jurisdictions differentiate between first and third-party marketing.

To make things even more complicated, some B2B communications fall under the GDPR, and some do not.

In our example, communications to purchases@business.com do not fall under the GDPR because the purchases office of Business is not a person. On the other hand, communications to johndoe@business.com fall under the GDPR because the company email address refers to Business staff member John Doe. This could also be the case when you are using the email address for a one-man company.

If the GDPR applies, you will need a legal basis for data processing. And if you want to use legitimate interest, you must assess the balancing, as explained above. If legitimate interest cannot be balanced, you need consent whether the Directive requires it.

What else do I need to know?

Be careful about data analysis!

Businesses involved in direct marketing often analyze personal data such as age, address, interests, and buying history to determine who may be interested in an offer.

All of these data fall under the GDPR and require a legal basis to process. Just because the Directive soft opt-in system allows you to process contact information without consent does not mean you can also process other data without consent!

In practical terms, it helps to think of two distinct data processing operations:

  • as a first step, you analyze certain personal data about your audience to better target your marketing efforts. This step needs to comply with the GDPR.
  • as a second step, you send the marketing communications using contact information. This step needs to comply with both the GDPR and the ePrivacy Directive.

Identify your company in the emails

Whether your marketing is based on consent or not, the Directive requires your emails to identify your company as the sender.

On top of that, the GDPR requires you to provide information for transparency purposes. You need to include a lot of information, including a contact for the sender and information on the recipient's data rights (that is, things like getting the data erased). It's too much information to mention all here- you can check Article 13 GDPR for a full list.

Linking to a privacy notice can help you provide all the required information while keeping your emails tidy. Please make sure that you point to information specific to direct marketing- don’t direct users to your company’s general privacy policy or your website's privacy notice.

Opt-outs and consent

Please beware that consent can be revoked and that under the GDPR, revoking consent must be as easy as it is to give it.

To comply with the GDPR, providing a link to revoke consent in your emails is probably a good idea.

In practice, this means that all communications addressing individuals should include an option to end the communications for good- whether that is the opt-out required by the Directive, or an option to revoke consent under the GDPR.

What about the ePrivacy Regulation?

The EU is currently working on an ePrivacy Regulation. If approved, it will replace the ePrivacy Directive.

When it come to direct marketing, the latest draft of the Regulation does not differ too much from the Directive. The main difference is that the Regulation explicitly requires marketers to clearly mark marketing communications as such. This is good practice regardless of the law, but is not a requirement under the ePrivacy Directive.

It is worth noting that the proposed Regulation will leave some room for Member State law when it comes to direct marketing. In all likelihood, the laws will still differ between Countries even under the Regulation. All in all, this would be a missed opportunity for the Regulation to harmonize and clarify the rules.

Conclusions

The rules on direct marketing are confusing and fragmented. The GDPR and the ePrivacy Directive can be a starting point for understanding the rules, but at the end of the day, most cases do not really have a catch-all answer for all EU jurisdictions.

This pdf from the International Association of Privacy Professionals website offers a handy, high-level overview of the applicable rules. You can sometimes find more detailed information about specific legislation on the website of national data protection authorities.

Even with these resources, it can be complicated to understand all the rules. You may want to refer to a legal professional with specific knowledge of the jurisdictions where you conduct your business- even more so if you do marketing without consent.

Why do we care?

We believe in the ethical way of doing business. That's why we built Simple Analytics, a privacy-friendly Google Analytics alternative. Simple Analytics gives you all the insights you need without using cookies, trackers, or fingerprinting users. We do not track your visitors and do not collect a single bit of personal data!

If this sounds good to you, feel free to give us a try!

GA4 is complex. Try Simple Analytics

GA4 is like sitting in an airplane cockpit without a pilot license

Start 14-day trial