The document summarizes key points from a presentation on real time and trigger based marketing under current and future European privacy law. It notes that current law requires opt-in consent for most personal data processing but defines personal data broadly. The upcoming GDPR will further strengthen consumer privacy rights by requiring explicit consent for profiling and automated decision-making. It will also grant rights to access, correct and delete personal data, which could significantly impact personalized marketing. Companies are advised to begin compliance preparations like performing risk assessments, appointing data protection officers and updating policies and vendor contracts.
3. 2016’s Marketing buzz…
“dynamic, personalized content delivered across channels.”
“dynamic personalization”
“commercial and communication activities based upon the measurement of
relevant and identifiable changes in a customer's individual needs”
“trigger or event is defined as a detectable change in an Individual’s circumstances
Real Time and Trigger Based Marketing, Session II
6 September 2016
4. Translated into Legal Speak
Measuring and defining triggers requires data
Gathering data = privacy law and cookie law
In the words of the European Commission: “data has become a currency” (cfr. Draft Directive
2015/0287 on digital content delivery contracts)
5. Current Privacy Law
Based on EU Directive 95/46/EC
Transferred – differently – into national law by each member state
Set of rules dates back to nineties
Based on location of company and/or server
At the time most elaborate and progressive set of rules in the world
We discussed this in session I
6. Current Privacy Law
Definition of personal data is very large
Cfr B2B vs B2C
ECJ May 2016: Even dynamic IP address
Browser history – information on social media – payment history…
Impact on data collection for personalised action is considerable
Definition will be ever broader under new EU law (art. 4 GDPR)
7. Impact on Personalisation, Real Time and Trigger Based
All personalised, real time or trigger based action is based on data and
profiling
Data collection is core – Same discussion as “previous” hype Big data
Considerable impact of privacy law
Almost all available data is ‘personal data’
8. Impact on Personalisation, Real Time and Trigger Based
Almost all available data is ‘personal data’
Classic data sources: “public data” – statistical data – private data
Fact that data is publicly available or accessible does not in itself justify collection
& treatment
Cfr: data available online remains “personal” data
Even at first sight “statistical” info (cfr heatmapping) can be “personal” data
9. Impact on Personalisation, Real Time and Trigger Based
Birthday – marriage – major life event
Order history – content of basket – heatmapping on site
Payment history
Browser history
Demographic data
Info on hobbies, preferences, interests, …
If linked, even indirectly, to an individual = all are (protected) personal data
10. Current Privacy Law
Actually straight and simple:
Basic rule = prior “opt-in” for all processing
Or implicit opt-in if “legitimate grounds” for processing
“Free and informed” opt-in
Transfer of data to third party = additional opt-in
Cfr. Analytics tools, apps, cookies, database enrichment through mailings
and actions, …: always opt-in
Cfr. also social media content
11. Impact on Personalisation, Real Time and Trigger Based
Prior opt-in is not always present
Existing client relationship vs. Prospects
“Legitimate grounds”
Law does not define “legitimate grounds” (Privacy Commission: “cfr CRM”)
Justification for profiling = compare interests of profiler and data subject
Information duty: client should know what data is being processed and why
12. Current Privacy Law
Rights of data subjects
opposition – access – correction – information
Obligations of data processor
Information – opt-in – data security – (export)
Information duty: client should know what data is being processed and why
13. Future Privacy Law
General Data Protection Regulation 2016/679 (GDPR/AVGB)
Regulation instead of Directive – 1 law for 28 states
Agreement reached last December 2015
Enters into force on 1 May 2018 (without grace period!)
14. General Data Protection Regulation
Heavily influenced by consumer protection activists in EP
Result:
Consumer friendly, but serious restraints for direct marketing sector,
e-commerce sector and especially personalisation, real time and trigger based
marketing and (big) data processing
Applicable on ALL data processing, except personal (private) contact lists (e.g.
private Outlook account)
15. Impact on Personalisation, Real Time and Trigger Based
Lawfulness of processing (“on which grounds can I process data?”) (art. 6 GDPR)
Prior opt-in remains the basic rule (+ proof required)
“Processing is required for the execution of a contract”
“Legitimate grounds”
DM “may be considered” legitimate, but “Personal data should be processed
only if the purpose of the processing could not reasonably be fulfilled by other
means”
If existing client relationship: OK, otherwise not so evidently OK
16. Impact on Personalisation, Real Time and Trigger Based
Processing of data belonging to minor (-13 Y/O, -16 Y/O) (art. 8 GDPR)
Always requires explicit authorisation by parents!
“Reasonable efforts” to check age and obtain authorisation
eID?, Facebook login?, credit card data?, live chat, …?
17. Impact on Personalisation, Real Time and Trigger Based
Information obligations
Obligation to notify data subject of the fact that his data is being / has been
collected without his explicit consent (art. 14 GDPR)
Within 30 days or upon first contact
= Data obtained from data brokers, partner organisations, online collection…
18. Impact on Personalisation, Real Time and Trigger Based
Information obligations
Information to be provided:
ID and contact, means, ID of third recipients, safeguards in case of data export
outside EU, duration of data retention, source of data (with ID), rights to
access, correct, delete, oppose profiling, etc…, right to file complaint, the
existence of automated decision making + the “logic” behind this decision
making + the right to oppose, …
19. Impact on Personalisation, Real Time and Trigger Based
Information obligations (art. 14 GDPR)
Obligation to notify data subject of the fact that his data is being / has been
transferred to a third party…
Within 30 days of transfer
= Data obtained from data brokers, partner organisations, online collection…
20. Impact on Personalisation, Real Time and Trigger Based
Information obligations (art. 14 GDPR)
Obligation falls if
Data subject already knows
or
Information provision requires disproportionate effort
(= open door to creativity…)
21. Impact on Personalisation, Real Time and Trigger Based
Right not to be submitted to profiling (art. 21 GDPR)
Any form of automated processing
Personal data
For evaluation of personal aspects of a person
Examples:
To analyze and predict aspects concerning
Performance at work, economic situation, health, preferences, interests,
reliability, behavior, location or movements,…
22. Impact on Personalisation, Real Time and Trigger Based
Right not to be submitted to profiling (art. 21 GDPR)
Personalized products and services
Individualized shopping experience
Online Behavioral Advertising
Trigger-based Advertising
Online credit evaluation
Lead Generation
Geo-blocking
Price differentiation
Tracking / Fingerprinting
23. Impact on Personalisation, Real Time and Trigger Based
Right not to be submitted to profiling (art. 21 GDPR)
Right to object against
Processing/profiling based on
public interest / official authority
or
legitimate interest
Processing/profiling for direct marketing purposes
24. Impact on Personalisation, Real Time and Trigger Based
Right not to be submitted to profiling (art. 21 GDPR)
If the person has a legitimate interest to do so, he has a right to object against
Processing/profiling based on
public interest / official authority
or
legitimate interest
Processing/profiling for direct marketing purposes is always possible
25. Impact on Personalisation, Real Time and Trigger Based
Right to object to automatic decision taking (art. 22 GDPR)
Right
Not to be subject to a decision (or profiling)
Producing legal effects / significantly affects
Solely based on automated processing of data
Intended to evaluate certain personal aspects
Examples
Performance of work, creditworthiness, reliability and conduct
Also applies to DM “decisions” (e.g. send offer or not)
26. Impact on Personalisation, Real Time and Trigger Based
Right to object to automatic decision taking (art. 22 GDPR)
Avoiding qualification as AP / Profiling ?
No decision taking based on algorithm
No “personal” data
No legal effects for the subject (or effects “similar to legal effects”)
(contract, liability, claims,…)
Not “significantly affecting” the subject
(accept/reject < > premium settings)
27. Impact on Personalisation, Real Time and Trigger Based
Right to object to automatic decision taking (art. 22 GDPR)
Protection not applicable to decisions
Necessary for entering into, or performance of, a contract
Authorized by law (e.g. investor risk assessment)
With the subject’s explicit consent
Conditions: appropriate safeguards
(at least human intervention, response and contest possibilities, mathematical
and statistical procedures, limit errors, limit discriminatory effects, secure data,
data minimization/anonymization/pseudonymization)
28. Impact on Personalisation, Real Time and Trigger Based
Right to be forgotten (art. 17)
Upon request by data subject, processor has to take all reasonable measures to
permanently delete data
+ to ensure that third parties that have copies of or links to data are warned of
the request and are asked to do the same.
29. Impact on Personalisation, Real Time and Trigger Based
Remember
Evaluate if provisions on profiling are applicable? Workaround?
Make assessment of impact on data protection
Take specific measures (information, access, ways to object, contest, respond,
human intervention)
Abide by general legal provisions (information requirements, privacy principles,
rights of subjects, obligations of controller,…)
30. Impact on Personalisation, Real Time and Trigger Based
Remember
Art. 11: “Pseudonymous data”
If data is not coupled to identity, subject has no right of access, correction, etc…
Eases e.g. analytics, but quite possibly also certain online marketing techniques
31. Prepare for the new Regulation
Apart from user rights
Data breach risk analyses
Data breach emergency plan
Data protection officer
Standard clauses with subcontractors
Privacy by design
Privacy by default
…
32. Prepare for the new Regulation
Sanctions
Provisions of highest importance (cfr. profiling = high risk processing)
Fines up to 20 million euro
Fines up to 4% of worldwide annual turnover (for undertakings)
Remedies for data subject
…
33. Prepare for the new Regulation
Follow up on discussion (e.g. through our website www.siriuslegal.be)
Start reviewing vendor contracts (in view of data security obligation)
Start to prepare for full update of policies, contracts, business processes
Put in place data breach notification procedure
Appoint (temporary) data security officer
Put in place impact assessment and/or risk analyses policy
Create compliance statements for annual business reports
Train staff
Sit back and wait for final text of regulation for final details…
34. Sirius Legal
Media & advertisement law
IP law
Internet & e-commerce
Privacy & cookies
Gambling law
Travel & consumer protection
Commercial contracts
Corporate tax labour real estate
bart@siriuslegal.be
www.siriuslegal.be
@BartVdBrande
Linkedin.com/in/bartvdb