Data ProtectionPrivacy

Direct marketing data protection guidelines

The Italian Data Protection Authority issued direct marketing data protection guidelines aimed at setting out general regulations on privacy-related obligations concerning direct marketing practices and against spamming initiatives which provide very interesting insights. 

The most interesting topics covered in the guidelines are the following:

Company email address

E-mail addresses structured like the following [email protected] will be deemed to be personal email addresses i.e. data relating to individuals rather than companies for the purposes of Italian data protection laws.  The consequence of the above is the need to comply with all the obligations prescribed by Italian data protection laws for instance in relation to the privacy information notice to be provided and consent to be given and the possibility for the individual to rely on all the potential actions provided by data protection regulations. This was still an open issue for some aspects.

Opt-in for direct marketing communications

The general rule for the processing of personal data for marketing purposes is that it requires the prior express consent (opt-in) and it is not possible to merely either warn recipients of their right to object to the future delivery of marketing communications or require the consent to the delivery of marketing communications as part of a marketing communication itself.  According to the direct marketing data protection guidelines, such consent shall be recorded with reference to its date and the person giving it in order to be used as evidence of the consent.

No unique consent for products/services and privacy

It is not possible to obtain the privacy-related consent as part of a wider consent necessary to acquire a product/service and for instance two separate consents shall be required for the registration to a website and the opt-in to the delivery of marketing communications.  Likewise, the privacy consent box cannot be pre-ticked, but customers shall be able to provide a separate consent for each data processing purpose.

This is a very frequent issue for businesses that obviously try to incorporate in a single consent both the acceptance of Ts&Cs and the consent to the delivery of marketing material.

Unique marketing consent for different channels of communication

Customers may be required to provide a unique marketing consent covering the different marketing practices (e.g. marketing via SMS, email, telephone, market surveys etc.) performed through the collected data provided that such practices are outlined in the privacy policy provided to customers and the latter are informed that the objection to the delivery of marketing communications relates to all the different channels of marketing communication.

This is a major change in the approach from the Italian Data Protection Authority since up until now, they requested a separate consent per channel of communication which was extremely burdensome for businesses.

Separate consent for marketing by third parties

An additional separate consent shall be required for the transfer of collected personal data to third parties for marketing purposes i.e. if the entity collecting the data is part of a larger group and wants that its affiliate company may use the collected data for the delivery of marketing communications relating to their products, an additional consent shall be required.  

Also, such third parties shall be identified at least on the basis of their category of operation (e.g. finance, cloths or press material) and provide a privacy policy to customers before the delivery of marketing communications.

Social media spamming

Privacy regulations apply also to communications sent through social media for instance through private messages on Facebook or through Skype, WhatsApp or Messenger. On the contrary, if a person is a fan or a follower of a Facebook page or a Twitter account, it may be implied that the person consented to the delivery of marketing communications of on the page/account, but such delivery shall stop when the person unregisters from the page or ceases to follow the account.

The breach of the obligations set forth in the direct marketing data protection guidelines is subject to fines as well as criminal sanctions and therefore they cannot be underestimated. As usual, feel free to contact me, Giulio Coraggio to discuss. Also, if you want to receive my newsletter, please join my LinkedIn Group or my Facebook page. And follow me on TwitterGoogle+ and become one of my friends on LinkedIn.

Don't miss our weekly insights

Show More

Giulio Coraggio

I am the location head of the Italian Intellectual Property & Technology department and the global co-head of the IoT and Gaming and Gambling groups at the world-leading law firm DLA Piper. IoT and artificial intelligence influencer and FinTech and blockchain expert, finding solutions to what's next for our client's success.

Related Articles

Back to top button