
Why a privacy-centric approach matters for direct marketing

Marc Marrero, Practice Lead
June 2024


Paula Chiocchi, CEO of Outward Media, wrote quite an apt Forbes article titled “Marketers Don’t Talk About Data Privacy, But They Should” [1]. Yet a Google search of the terms marketing and data protection resulted in about 907,000,000 documents or websites on this topic. While I did not review all 907 million hits from Google, I was struck by how many of the articles and websites were, first, about the EU’s General Data Protection Regulation (GDPR), followed by a distant second of websites regarding California’s Consumer Privacy Act (CCPA).

This article will therefore look more broadly at six key data protection-related laws and their implications for direct marketing, highlighting specific areas for marketers to both consider and look out for.

Data protection and direct marketing: a sample of laws from around the world

1.  The Privacy and Electronic Communications Regulations (PECR) and the ePrivacy Directive:

  • PECR and the ePrivacy Directive sit alongside GDPR, including in the UK;
  • PECR restricts unsolicited marketing by phone, fax, email, text, or electronic message;
  • PECR is generally stricter for marketing to individuals (B2C) than for marketing to companies (B2B);
  • Specific consent is usually needed to send unsolicited direct marketing;
  • Best Practice: Tick-based opt-in boxes, with a link to the purpose(s) of processing, confirming an individual is happy to receive marketing;
  • The ePrivacy Directive similarly requires opt-in consent.

2.  General Data Protection Regulation (GDPR)

  • Article 21 of the GDPR allows an individual to object at any time to the processing of personal data for marketing purposes.
  • Recital 70 of the GDPR goes slightly further. This right should be explained to the individual and presented clearly and separately to them.

3.  California’s Consumer Privacy Act (CCPA)

  • The CCPA affords the right to opt out of the sale or sharing of personal data (including for marketing purposes).
  • Requires businesses to limit the use of personal data to the specific purposes for which it was collected.
  • Contains specific requirements and limits on data brokers.

4.  China’s Cybersecurity Law (CSL), Data Security Law (DSL) and Personal Information Protection Law (PIPL):

  • Chinese privacy laws limit direct marketing by electronic means to individuals who have given explicit consent, either at data collection or later, once data collection has occurred;
  • Each organisation must identify itself in electronic messages, and have messages clearly marked “AD” for advertisement;
  • In order to send text messages for direct marketing, specific information must be provided to the individual prior to any direct marketing activity.

5.  Jamaica’s Data Protection Act (JDPA)

  • The JDPA includes the most challenging processes around direct marketing and consent.
  • Prescribed consent requires an individual to fill in a two-page consent form, including a signature. This is known as Form 6 under Regulation 7, Section 10 of the JDPA. This form cannot be amended and must be sent to the consumer as is, and then returned by them.
  • More importantly, consent in Jamaica can only be asked for once during a person’s lifetime.

6.  South Africa’s Protection of Personal Information Act (POPIA)

  • The POPIA relies on consent, but without an explicit consent form prescribed.
  • An individual may only be approached once for consent, similar to Jamaica.

Where do these Privacy Laws from around the world leave us?

While each Privacy Law has certain unique facets, the main common factors are:

1.   There is no one size fits all for consent:

  • Marketing organisations have to be ready to collect, act on, and withdraw consent in a range of contexts, from a simple tick box, to only asking for consent once in a lifetime, to double opt-in consent within Germany for marketing.

2.   Move toward first party marketing (aka data broker restrictions):

  • A reliance on third party marketing leads to an inability to granularly control marketing processes and the privacy experience that users/customers have now come to expect.
  • While your organisation may need third parties to help you implement aspects of the marketing plan, a reliance on third parties to fully run marketing on an organisation’s behalf is an increasingly risky proposition.

3.   Re-examining contractual or B2B marketing:

  • If you can market to individuals under a contract, obtaining and managing consent becomes significantly easier. Organisations may wish to amend client contracts to include direct marketing where possible. Indeed, the ePrivacy Directive states that marketing emails may be sent on an opt-out basis if the recipient’s details were collected “in the context of the sale of a product or a service.” [2]
  • Similarly, B2B marketing is not subject to the same requirements of consent and consent management.

4.   The privacy-centric marketing organisation:

  • While all of the above points can help lessen the impact of marketing and consent management, retrofitting processes and systems is costly and time consuming. Forward-thinking organisations have begun embedding privacy considerations, and controls, into every marketing process and decision they make.

All of these laws and their solutions are complex and multifaceted. Perhaps cynically, an author stated (in response to the CCPA), “One takeaway is that when marketers don’t think consumers are looking, they eagerly discuss new ways to violate people’s privacy.” [3] I disagree. There are a limited number of “bad actors” that do break the law in relation to direct marketing. Yet privacy laws and increased consumer choice in a connected society and economy mean it is only a matter of time before such bad actors are caught, be that reputationally or by a regulator.

Obtaining consent may seem onerous at times, but the general principle of giving individuals a choice, and through choice an engagement with your organisation, can be fairly powerful under a privacy-centric marketing approach. It allows your organisation to target the people most likely to want to receive your specific marketing, rather than (for example) half a million people, of whom 97% will delete or ignore untargeted marketing.

I hope the above helps give the lay of the privacy land in relation to direct marketing. I also hope it starts a few discussions about marketing strategies to address the four points above. As privacy laws continue to change, Securys will continue to be here to help your organisation address its direct marketing needs in a best-practice and privacy-centric manner.

 

 

[1] https://www.forbes.com/sites/forbesagencycouncil/2022/12/08/marketers-dont-talk-about-data-privacy-but-they-should/

[2] Directive 2002/58/EC, Article 13(2).

[3] https://www.latimes.com/business/lazarus/la-fi-lazarus-marketers-fight-california-privacy-law-20180821-story.html

 

 


