Email marketing and privacy: turning points in consent and profiling

After an overview of the reform and its first five substantial new points, we explain how the approach to these two fundamental activities has changed for those who manage data for commercial communication purposes: thanks to the new regulation, gaining consent and profiling make room for those who want to experiment and to seize attractive opportunities.

Those who do email marketing are used to considering the consent of recipients as valid if provided as an express declaration, through the use of the opt-in system, adopted in Italy in 1997.

The new European regulation is shifting its approach, becoming less formal and more substantial, with a clear trend in the direction of English-speaking countries.

But let’s let the European reform text do the talking. The following is from Recital 25 of the approved text:

Consent should be given by a clear affirmative action establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to personal data relating to him or her being processed, such as by a written, including electronic, or oral statement. This could include ticking a box when visiting an Internet website, choosing technical settings for information society services or by any other statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of their personal data. Silence, preticked boxes or inactivity should therefore not constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be granted for all of the processing purposes. If the data subject’s consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided. 

In fact, within certain limits, room is made for forms of consent that result from conclusive action expressed through positive behaviors by the concerned party. A classic example of conclusive action which is valid as consent is the use of cookies: when you see the information banner on the homepage and then continue to browse, you are consenting to the use of cookies.

A turning point providing new scope as opposed to the rigid barriers of the opt-in system which still formally apply.

If we reconsider the definition of consent provided by the Regulation – the data subject’s consent’ means any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed –, we see how reference to the explicit nature of the consent has disappeared, which, under certain conditions, can be inferred based on active conduct by the concerned party.

As for profiling, which for many consists of simply analyzing and segmenting the database, the regulation gives very precise answers: the reform clarifies that profiling consists of a data analysis followed by an automated process that does not require human intervention.

Therefore, the regulation states that what does not fall within the definition of profiling are cases where data in a database is analyzed by IT tools and its processing is subject to prior assessment by a data controller, with the aim of adapting and verifying the data before it is used. As a result, specific consent is not required to perform the activity in these cases.

Upcoming points of focus: from the Data Privacy Officer to the right to portability

Only one thing is missing to round up the first cycle of contributions on the new regulation: with the next blog post we will lead you to discover the latest five items, from the introduction of the Data Privacy Officer to the new rights of the data subject.