IAPP Training · Module 8 - BoK V.C
Module 8 · Direct marketing - GDPR vs ePrivacy & the absolute right to object
Direct marketing is a communication, by any advertising means, directed towards specific individuals. It is regulated by both the GDPR and the ePrivacy Directive. The GDPR applies to ALL direct marketing regardless of channel and gives an absolute right to object at any time; the ePrivacy Directive adds rules for digital channels and is implemented in national laws, so enforcement varies.
WP29 defines direct marketing as a communication, by any advertising or marketing means, directed towards specific individuals. Messages that don't process personal data, or are purely service-related, are not direct marketing. It engages consumer-protection laws too, which vary by country.
| GDPR | ePrivacy Directive | |
|---|---|---|
| Scope | ALL direct marketing, every channel | Digital channels (phone, fax, email, SMS/MMS) |
| Key right/basis | Absolute right to object at any time | Mostly prior opt-in consent (except person-to-person phone) |
| Implementation | Directly applicable regulation | Implemented in national laws - enforcement varies |
- Tell individuals of the opt-out right at first communication.
- Allow opt-out across all channels.
- Honour opt-outs promptly and free.
- Suppress (not delete) contact details to avoid re-marketing.
- Plus general GDPR duties: lawful basis, fair-processing info, security, no unsafe transfers.
Key terms - quick answers
What is “Direct marketing”?
A communication by any advertising/marketing means directed towards specific individuals; pure service messages or those not processing personal data are not direct marketing.
What is “Right to object (marketing)”?
Under the GDPR, an absolute right to object to direct marketing at any time; the controller must stop and suppress the contact details.
What is “Suppression”?
Keeping a record of opted-out contact details (rather than deleting them) so the person is not re-marketed to.