New EU judgment: Can you send marketing to individuals who create a free account

DIRECT MARKETING RULES

According to Article 13(1) of the ePrivacy Directive (the "spam prohibition"), the sending of direct marketing, including sending newsletters and offers by email, generally requires the recipient's prior consent. This is often referred to as the opt-in model.

However, it follows from Article 13(2) of the ePrivacy Directive and the practice of the Danish Consumer Ombudsman that traders may send direct marketing concerning their own similar products by email, etc if 1) the recipient has provided their email address in the context of the sale, 2) the recipient has been informed of this when providing the email address and 3) the recipient clearly and distinctly is given the opportunity to opt out of the marketing free of charge and in an easy manner at that point in time and subsequently. This is often referred to as the opt-out model.

Both models implement Article 13 of the ePrivacy Directive and must therefore be interpreted in compliance with the case law of the Court of Justice of the European Union.

WHEN HAS AN EMAIL ADDRESS BEEN PROVIDED "IN THE CONTEXT OF THE SALE"?

When a person provides their email address in connection with a purchase, the email address is evidently received in the context of the sale.

Until now, however, it has been unclear whether an trader may use the opt-out model if the email address is provided when creating a profile and the trader therefore does not need to receive the email address again in the context of a subsequent purchase.

In the recent judgment in case C-654/23, Inteligo Media v ANSPDCP, the Court of Justice of the European Union ruled on a situation where the email address had been provided in the context of the creation of a free customer profile, ie without a purchase being made in the traditional sense.

The judgment establishes that if an email address has been provided in the context of the creation of a free profile on an trader's platform and the objective of the creation of the profile is that the trader can promote its products/services, the email address may be deemed to have been provided in the context of the sale, regardless of whether a subsequent purchase is made.

This solves a practical problem for many businesses that will be able in future to market their own products/services directly to recipients who create a profile on the business's website regardless of whether the recipient has made a purchase.

NO LEGAL BASIS REQUIREMENT UNDER THE GDPR

The judgment also establishes that when the conditions of Article 13 of the ePrivacy Directive have been fulfilled it is not necessary to rely on a legal basis under Article 6(1) of the GDPR for the actual sending. The reason is that Article 13(2) of the ePrivacy Directive is lex specialis in respect of Article 6(1) of the GDPR. The same must be assumed to apply to the opt-in model in Article 13(1) of the ePrivacy Directive.

It means that the judgment is therefore not entirely in line with the guide on direct marketing from June 2023 (Vejledning om direkte markedsføring) of the Danish Data Protection Agency. The Danish Data Protection Agency writes in the guide that the relevant legal basis for for sending direct marketing under the opt-in model is the data subject's consent (Article 6(1)(a)) whereas reference is made to the balancing of interests rule (Article 6(1)(f)) for the opt-out model. It will therefore be interesting to see whether the Danish Data Protection Agency will publish an updated version of the guide based on the judgment.

It is important to note that a legal basis is still required under the GDPR for other processing of personal data related to direct marketing. It could be prior customer segmentation and/or profiling that provides the basis for which recipients that are to receive specific marketing material. The judgment must therefore be understood to mean that it is only in respect of the actual sending of the marketing material to the recipient that the rules of the ePrivacy Directive on spam are lex specialis in respect of the GDPR.

WHAT DOES IT MEAN IN PRACTICE?

If you want to use the opt-out model when sending marketing material, you must ensure that the relevant conditions have already been met in the context of the creation of a profile on your website.

Many traders will also have to update their privacy policies and consent texts as they do not need to describe a legal basis under the GDPR for the actual sending of marketing material under Article 13 of the ePrivacy Directive. However, the privacy policy must still include information on the relevant legal basis under the GDPR for other processing, for example customer segmentation and/or profiling.

REQUIRE ASSISTANCE?

If you need help in updating your privacy policy or if you need advice on matters relating to data protection law or consumer law, one of our specialists are ready to help you.

Read more about our services within Marketing law, consumer law and e-commerce and Data protection (GDPR).