GDPR Tightens Key Consent and Profiling Rules for Advertisers
January 11, 2018
Traps abound for marketers responsible for EU-related activities as the May 2018 EU General Data Protection Regulation (GDPR) compliance deadline approaches. Recent EU guidance about consent for personal data collection and use and guidance on using data for profiling purposes reinforce the belief that EU regulators will be prone to broadly apply GDPR to marketing activities.
Consent Guidance
The Article 29 Working Party (an advisory body made up of EU data protection regulators) recently released guidance for organizations on how to obtain consent from individuals to collect, use, and disclose their personal data in compliance with the GDPR. The guidance will be persuasive to courts in EU jurisdictions, and it signals that consent will be heavily scrutinized as a basis for processing personal data. This guidance likely has significant implications for marketers and advertisers. Of particular interest is the Article 29 Working Party’s statement that companies will likely need consent for “most online marketing messages or marketing calls, and online tracking methods including by the use of cookies or apps or other software.” Therefore, companies engaging in these practices should be familiar with, and ready to comply with, the heightened consent requirements of the GDPR.
As discussed more fully in an ANA/Reed Smith paper, the guidelines describe a number of requirements that must be met to obtain valid consent, including that consent be freely given, specific, informed, and unambiguous. The guidelines require granular opt-in consent, which may disrupt certain common marketing and online advertising practices. The Article 29 Working Party interprets the GDPR to not permit opt-out consent methods or implied consent, for example, from the use of a service that relies exclusively on terms and conditions to explain the data processing. For this reason, the Article 29 WP explained, consent obtained prior to the enforcement of the GDPR in May remains valid only if such consent was obtained using a process that meets the requirements of the GDPR. If organizations obtained consent from individuals that does not comply with the GDPR, the Article 29 WP recommends that organizations obtain fresh GDPR-compliant consent. The fact that the GDPR does not grandfather in rights associated with previously-collected data makes GDPR compliance more difficult.
The guidance describes several methods for consumers to give valid, unambiguous consent, including active motions or declarations such as swiping on a screen, turning a smartphone in a circle, adjusting browser settings, or other acts signifying agreement to a specific request. For the “explicit” consent required before processing sensitive data, certain automated decision-making, and for transferring personal data outside of the EU without appropriate safeguards, the guidance requires an express statement of consent such as a written statement, filling in an electronic form, sending an email, uploading a scanned document carrying the individual’s signature, or using an electronic signature.
Profiling and Automated Decision-Making Guidance
The Article 29 Working Party also recently released guidance on “automated decision-making” and “profiling” (which may include creating advertising segments), which can be useful practices for personalization, marketing and advertising. As explained in an ANA/Reed Smith joint paper on this “profiling” guidance, the GDPR generally prohibits "automated decision-making" and heavily regulates "profiling." The new guidance makes clear that "profiling" can include many marketing-related activities, notably the collection of personal data, automated analysis of such data, and application or use of such data for marketing purposes. Conducting any one of these activities may bring a marketer within the reach of the GDPR if the personal data relates to EU data subjects and may require obtaining consent from them. Consent may also be the legal basis supporting a marketer's use of profiling, and so the consent guidance is also important to consider.
ANA Can Help
The guidance comes at a critical time as organizations must move quickly to respond and prepare for the enforcement of the GDPR beginning in May 2018. ANA has collaborated with our General Counsel’s law firm Reed Smith to publish papers to help explain key considerations for marketers as they work through critical GDPR terms and concepts like "automated decision-making," "profiling," "consent," and "legitimate interests." Understanding how organizations and those providing advertising and marketing services to them comply with these new EU data protection requirements and what types of campaigns and activities may be prohibited or restricted will become increasingly important. Just as the Fair Credit Reporting Act radically changed the landscape for financial institutions marketing, limitations on consent and profiling and how and when it may be obtained and used under GDPR (with fines as great as 4% of worldwide turnover) present yet another trap for the unwary.
ANA continues to closely monitor EU data protection developments. At our upcoming Advertising Law & Public Policy Conference on March 15 and 16, the ANA will present exclusive programming to help members understand the latest EU changes and how to respond and prepare for them.