The marketing industry has been given an early Christmas present by Brussels after agreement has been reached on the final text of the long-awaited data protection reforms, with many of the draconian measures – including moving to an opt-in only regime – being ditched.
Although a vote is not due to take place until tomorrow in the Civil Liberties Committee – and will not be complete until a final vote by MEPs in the European Parliament in the new year – marketers will already be able to breathe a collective sigh of relief.
Out has gone the threat of ‘explicit’ consent, with the text referring to ‘unambiguous’ consent for marketing data. Under unambiguous consent, consent for postal and telephone marketing can still be given on an unsubscribe or opt-out basis.
The text also recognises that the processing of personal information for marketing purposes may be regarded as carried out for a legitimate interest.
Most marketers will use the legitimate interest grounds for processing personal information if they are using an unsubscribe/opt-out methods. But the right to unsubscribe/opt-out must be brought to the attention of the individual in the first communication and be clearly and separately stated.
DMA Solicitor James Milligan said: “Marketing organisations should bear in mind that the rules on consent will tighten up. Information must be provided concisely, in a transparent and intelligible way, and be easily accessible using clear and plain language.”
There has also been a let-off for online marketers. A cookie placed by an internet service provider will be classified as personal data as it could identify a consumer, but a cookie placed by an advertiser cannot be linked to an email address or anything else which could identify a consumer, so is unlikely to be considered as personal data.
Milligan added: “This represents a sensible compromise as it was feared that all online identifiers would be considered as personal data. This separation means non-identifiable, ‘blind’ data can be more widely used than identifiable personal data.”
There is still plenty to be wary of, however. The legislation could allow fines of up to 4% of global turnover and create the post of data protection officer to police companies’ use of personal data, although this role will not be mandantory for all firms. In addition, the legal minimum age to register with social networking sites could rise from 13 up to 16, depending on the discretion of particular member states.
DMA group chief executive Chris Combemale welcomed the changes. He said: “Companies that already adhere to the DMA Code will find that they are mostly compliant already, and have a head-start with two years to go before implementation, but there will still be some work to do.”
Following the vote in Parliament, member states will have two years to get the legislation into their own laws.
German MEP and the EU Parliament’s lead on the regulation, Jan Philipp Albrecht, said: “Today’s negotiations hopefully have cleared the way for a final agreement. In future, firms breaching EU data protection rules could be fined as much as 4% of annual turnover – for global internet companies in particular, this could amount to billions. In addition, companies will also have to appoint a data protection officer if they process sensitive data on a large scale or collect information on many consumers.”
For more details visit the DMA website >
EU data reforms already ‘out of date’
Firms left in lurch over EU reforms
Digital body rages over EU reforms
EU to thrash out data reforms at last
‘Gutted’ EU reforms bring DM cheer
New year cheer as EU laws stall again
EC digital and data chiefs get all-clear
Unknown Czech to seal industry fate
EU law ‘final nail in list broker coffin’
New EU chief slams data law critics
EU chiefs calm fears over opt-in