CIPP/E Study Guide
Ch 16.1 - DP and direct marketing

Data protection and direct marketing

Direct marketing is one of the hardest areas of data protection law because it triggers both DP rules and other consumer-protection rules that vary by country. Under the GDPR, the usual lawful basis for marketing is the data subject's unambiguous consent or legitimate interests. Crucially, having a lawful basis to collect an email address does NOT automatically satisfy the separate ePrivacy Directive rules on actually sending the message. Only communications directed at particular individuals count as direct marketing.

Two regimes stack on top of each other. The GDPR governs the processing of personal data for marketing and applies to every channel - post, phone, fax, email, and online targeting based on browsing history. The ePrivacy Directive governs the actual sending of 'digital' messages over electronic communications networks and does not apply to postal marketing.

The classic exam trap

Having a lawful basis under the GDPR to collect someone's email address does NOT by itself satisfy the ePrivacy rules that govern sending the marketing message. These are two separate legal hurdles.

What does and does not count as 'direct marketing'
| Communication | Direct marketing? | Why |
| --- | --- | --- |
| Promotion sent to a named individual | Yes | Directed at a particular individual; personal data processed |
| Charity / political fundraising message to individuals | Yes | WP29 says scope includes charities and political organisations |
| Untargeted website banner ad | No | Not directed at individuals; no DP compliance needed |
| Mailing to companies with no contact person named | No | Not directed at an individual |
| Order-status / service message | No (not DM) | Purely service-related; still subject to general DP rules, just not the specific DM rules |

  • Normal lawful bases for marketing: unambiguous consent (Art 6(1)(a)) or legitimate interests (Art 6(1)(f)).
  • Other duties still apply: transparency (fair processing info), security measures and written processor contracts, and no transfers outside the EEA without adequate protection.
  • Direct marketing is broad: it need not sell anything - a free offer or promotion of the organisation counts.

Key terms - quick answers

What is “Direct marketing”?
Any form of sales promotion directed to particular individuals - including by charities and political organisations. It need not offer something for sale.
What is “GDPR”?
General Data Protection Regulation (EU) 2016/679. Applies to all direct marketing where personal data is processed, by any channel.
What is “ePrivacy Directive”?
Directive 2002/58/EC. Adds consent/information rules for 'digital' marketing over electronic communications networks (phone, fax, email, SMS/MMS). Does NOT apply to post.
What is “Legitimate interests”?
Lawful basis under Art 6(1)(f) GDPR; Recital 47 says direct marketing may be regarded as a legitimate interest, subject to a balancing test.