Belgian Data Protection Authority Releases Direct Marketing Recommendation
On February 10, 2020, the Belgian Data Protection Authority (the “Belgian DPA”) published its Recommendation 1/2020 on data processing activities for direct marketing purposes (the “Recommendation”). With this Recommendation, the Belgian DPA aims to clarify the complex rules relating to the processing of personal data for direct marketing purposes, including by providing practical examples and guidelines to the different stakeholders involved in direct marketing activities. Direct marketing is one of the Belgian DPA’s top priorities for the next few years, as indicated in its 2019-2025 Strategic Plan.
Some of the key takeaways from the Recommendation include:
- Definition. The Belgian DPA defines direct marketing as “any communication, in any form, whether solicited or not, which aims at promoting an organization, a person, services or products (whether free or not), a brand or ideas, originating from an organization or a person acting in a commercial or non-commercial context and addressed directly to one or more natural persons in a private or professional context, that involves the processing of personal data.” Importantly, the Recommendation clarifies that advertising banners, which randomly appear on the Internet, do not fall within the definition of direct marketing. Targeted online advertising, such as banners that are tailored to users’ browsing history, does qualify as direct marketing.
- Purchase, Rental and Enrichment of Personal Data. Purchasing, renting and enriching personal data—for example, via data brokers—are highlighted as activities that require specific attention. In these scenarios, it is important to (directly) provide appropriate information to data subjects or to ensure that appropriate information has been provided to them. The Belgian DPA also emphasizes that it is the data controller’s responsibility to verify, before the data processing takes place, the origin of the data and how data was collected (including on the basis of which legal ground it was collected, by which entity, for which purpose and for how long).
- Processing Purposes. Determining and specifying the purposes for which personal data will be processed is essential. Generally, the Belgian DPA considers that merely stating that personal data will be processed for direct marketing purposes is not sufficient in light of Article 13 of the General Data Protection Regulation (“GDPR”). The Belgian DPA also stresses that information around the processing of personal data must be fairly provided; it is unfair, for example, to state that personal data will be processed for product or service improvement purposes while it will actually be processed for direct marketing purposes. In addition, the data controller should provide clear information about any further processing of the data. According to the Belgian DPA, the level of detail that must be provided to data subjects will depend on the type, frequency and the content of the marketing communications that will be sent, and the complexity of the related data processing activities.
- Data Processing Activities. The Belgian DPA indicates that data processing activities, such as profiling, should be differentiated from processing purposes.
- Data Minimization and Storage Limitation. Companies must ensure that they only collect personal data that is necessary for the processing purpose(s). To that end, the Belgian DPA recommends companies limit open fields in data collection forms and review their databases on a regular basis to delete any unnecessary data. The DPA also recommends implementing a process to ensure that “Do Not Call” lists are taken into account when reviewing databases where marketing data is stored.
- Lawfulness. A valid legal basis must be relied upon for all data processing activities. Under the ePrivacy Directive, consent is required to send electronic marketing communications unless a business can rely on the so-called “existing customer” exemption, which enables companies to send electronic marketing about their own similar products and services to existing customers if certain conditions are met. Outside of the scope of the ePrivacy Directive, companies must assess which of the legal bases of Article 6 of the GDPR is the most suitable option to legitimize their processing of personal data for marketing purposes. Pursuant to Recital 47 of the GDPR, the processing of personal data for marketing purposes may be regarded as carried out for a company’s legitimate interests. In that case, a balancing test must be conducted, taking into account the necessity of the data processing, individuals’ reasonable expectations, the types of personal data collected and processed, and the means of the processing.
- Right to Object. Individuals must be offered a right to object, at any time and easily, without having to take additional steps and free of charge, to the processing of their personal data for direct marketing purposes. This includes a right to object to any profiling that is related to such direct marketing. Clear and concise information must be provided about the right to object. According to the Belgian DPA, simply including an “Unsubscribe” button in small characters at the end of a marketing email, along with a link to the data controller’s privacy policy, is not sufficient. Where technically feasible, the Belgian DPA recommends allowing individuals to granularly select the marketing activities for which they want to object (e.g., email marketing, short message service marketing (“SMS”), newsletters, etc.).
- Consent. When relying on consent for direct marketing activities, companies must ensure that the conditions for valid consent under the GDPR are met (i.e., consent must be a freely given, specific, informed and unambiguous indication of the individual’s wishes by which he or she, by a statement or a clear affirmative action, signifies agreement to the data processing). The Recommendation mentions that companies can use techniques other than tick boxes to collect consent, in order to avoid consent “fatigue.” Companies cannot condition the provision of a product or service on consent to personal data processing that is not necessary for the performance of a contract. A consent form must also be specific with respect to the content of the marketing communication and the means used; for example, separate consent must be collected for SMS marketing and telephone marketing. Finally, consent must be regularly updated, demonstrable and easy to withdraw.
- Cookies. In the Recommendation, the Belgian DPA also addresses the notice and consent requirements for the use of cookies. According to the Belgian DPA, functional cookies must be clearly differentiated from other types of cookies, such as analytics cookies, and specific consent must be obtained for any non-essential cookies. Additionally, companies must provide appropriate information about cookies and their respective purposes. For example, a cookie banner must include detailed information about how to consent and/or object to the use of cookies, the purposes for each cookie and the entity responsible for placing the cookies. The Belgian DPA points to the Planet49 case law in confirming that merely continuing to browse a site or an app no longer constitutes valid consent to the use of cookies.
- Individuals’ Rights. The Belgian DPA notes that when an individual withdraws their consent to the processing of their personal data, there is no longer a valid legal basis to process such data, unless personal data must be kept to comply with a legal obligation. This means that if the individual withdraws their consent and there is no alternative legal ground, the personal data should be deleted (regardless of whether the individual exercises their deletion rights). In that scenario, companies may, for example, send an automatic notification to the individual stating that their personal data will be deleted from the company’s database as a result of the consent withdrawal. The same principle applies where individuals object to the processing of their personal data on the basis of the legitimate interest ground.
Tags: Belgium, Cookies, Data Controller, Data Processor, Data Protection Authority, E-Privacy, GDPR, Internet, Opt-In Consent, Personal Data