Privacy And Email Marketing: Practical Recommendations For Collecting Personal Data And Using It Legally. Is Opt-out Still Enough?
To celebrate the International Day for the Protection of Personal Data, we chose to address ‘privacy and data collection for email marketing’, a topic that closely concerns many of our clients, given the dilemma they face between, on the one hand, the trend to offer an increasingly personalized experience for users and, on the other, the need to respect their privacy and, thus, protect their personal data.
We begin by providing some tips so that readers can reconcile some of the common email marketing practices with the respect for the privacy of users and consumers.
Why are these tips important? We will see that later, in the review of two email marketing cases resolved at the international level, from which we will extract the concept of ‘demonstrated responsibility’ and how to implement it in practice. Then, we will reflect on the impact that the latest regulatory updates in Argentina could have in this regard at the local level.
Practical recommendations for collecting personal data through online forms and for using such personal data legally
Email marketing is an operation widely used by companies to offer customers their products and services on a daily basis. This practice has generated a return on investment over the years, and with the evolution of new technologies the user experience has become increasingly personalized. Therefore, it is important to understand how the personal information of the recipients of those emails should be collected and processed, in order to comply with the various obligations regarding the protection of their personal data and avoid sanctions such as those discussed later.
Although the practice of using online forms to collect personal data is widespread and considered one of the “legal” ways to build an email marketing database, not all organizations that use these forms do it correctly.
For this reason, here we share some recommendations to align this practice with the applicable regulations to be able not only to comply with such regulations, but also to demonstrate compliance (in accordance with the renewed classification of infractions, and graduation of sanctions proposed by Resolution AAIP No. 240/2022, which will be analyzed below):
What should be reported and what precautions should be taken when collecting personal data through online forms?
a. Inform clearly and transparently the purpose (or purposes) of the collection of personal data.
- Example: we offer an online form for downloading some informative material that will be sent by email, but we also want, and mainly, to use that user’s email address later to send advertising for a product or service related to such material.
- In order to use the email address to send advertising, we must add the advertising purpose to the information we provide at the time the form is filled in, and that purpose must be accepted by the user, who in this way gives us their consent for it.
b. Inform with which other organizations or service providers we will be sharing the personal data collected from the users and have signed contracts with those organizations or providers for the protection of users’ personal data.
If we have an email marketing service provider, or cloud storage services, we must:
- Inform users that we will share the data with these types of providers
- Ensure, through contracts with our suppliers, that they will process the personal data of our prospects, users or clients in compliance with the technical and organizational security and confidentiality precautions, and that they will only process the data for the purposes for which we entrusted them with such processing and for which the user gave consent.
c. Clearly indicate which form fields are mandatory and which are optional. Also indicate the consequences of providing the data, the refusal to do so or the inaccuracy thereof.
- Example: if a certain service depends on our users being of legal age, then it must be indicated that not filling in the age or date of birth field, or filling it in inaccurately, could mean that the service or benefit will not or may not be provided.
d. Provide the contact information of our organization, which must be useful for the user to contact us and exercise their rights, such as: the rights of access, rectification and deletion and the right to request the withdrawal or blocking of personal data to stop receiving more emails or contacts.
- If a user requests the withdrawal of their data from our database in order to stop receiving emails (that is, if they exercise the so-called opt-out), the organization must be able to comply with this request and must have the technical and organizational mechanisms in place to do so, in order to avoid sanctions.
Sounds impossible? How do we add all this information to an online form?
Yes, we understand perfectly that it is unfeasible in practice to add all this information to an online form, or that, if we do so, only a few users will complete it, because a form with so many disclaimers to read would look suspicious to them. Definitely, adding all this information would end up negatively affecting the conversion rate of the form.
This online acceptance by the user, which will enable us to carry out subsequent email marketing actions, must be correctly registered by the organization for each user, with the date and time of receipt and the version of the Privacy Policy that was accepted, in order to be able to meet the criterion of proven responsibility, which we will discuss shortly.
It must be taken into account that if our organization hires third-party forms to obtain user consent and build the databases used for email marketing actions, it will be necessary to control and/or audit both the forms that these companies use for data collection and obtaining consent, and the contracted companies themselves.
If we manage to implement these practices correctly, we will be complying with the principles of transparency and information regarding the collection and processing of personal data through online forms, to be used for various marketing practices, including email marketing. In addition, this compliance will not mean overloading our forms with notices and disclaimers that lower conversion rates.
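The record-keeping described above (date and time of receipt, the version of the Privacy Policy accepted, the purposes consented to, which form or provider collected the consent, and the ability to honour an opt-out) can be implemented as an append-only consent ledger. The following Python is an illustration added for this article; it is not code from the law firm, from any email marketing product, or from any authority. The class and field names, the sample addresses and the timestamps are assumptions constructed for the example.

```python
"""Append-only consent ledger for email marketing.

Each user action (consent or opt-out) becomes one immutable event carrying the
evidence an authority would ask for: when it was received, which Privacy Policy
version was shown, which purposes were accepted and where it was collected.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Iterable, List, Optional, Tuple
import json


@dataclass(frozen=True)
class ConsentEvent:
    """One ledger entry. 'action' is either 'consent' or 'opt_out'."""
    email: str
    action: str
    purposes: Tuple[str, ...]   # purposes the user accepted; empty for opt-out
    policy_version: str         # Privacy Policy version shown at acceptance
    source: str                 # form id or third-party provider that collected it
    recorded_at: str            # ISO-8601 UTC timestamp of receipt


def _normalize_email(email: str) -> str:
    return email.strip().lower()


def _as_utc_iso(when: Optional[datetime]) -> str:
    """Stamp the event in UTC; naive datetimes are rejected to keep evidence unambiguous."""
    when = when or datetime.now(timezone.utc)
    if when.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    return when.astimezone(timezone.utc).isoformat()


class ConsentLedger:
    """Events are only ever appended, so the history of each address is preserved."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record_consent(self, email: str, purposes: Iterable[str], policy_version: str,
                       source: str, when: Optional[datetime] = None) -> ConsentEvent:
        clean = tuple(sorted({p.strip().lower() for p in purposes if p.strip()}))
        if not clean:
            raise ValueError("consent must name at least one purpose")
        if not policy_version or not source:
            raise ValueError("policy_version and source are required as evidence")
        ev = ConsentEvent(_normalize_email(email), "consent", clean,
                          policy_version, source, _as_utc_iso(when))
        self._events.append(ev)
        return ev

    def record_opt_out(self, email: str, source: str = "unsubscribe_link",
                       when: Optional[datetime] = None) -> ConsentEvent:
        ev = ConsentEvent(_normalize_email(email), "opt_out", (), "", source,
                          _as_utc_iso(when))
        self._events.append(ev)
        return ev

    def can_send(self, email: str, purpose: str) -> bool:
        """True only if the latest event for the address is a consent naming the
        purpose. An opt-out revokes every purpose; an unknown address gets nothing."""
        email = _normalize_email(email)
        purpose = purpose.strip().lower()
        latest: Optional[ConsentEvent] = None
        for ev in self._events:          # events are stored in order of receipt
            if ev.email == email:
                latest = ev
        return latest is not None and latest.action == "consent" and purpose in latest.purposes

    def evidence(self, email: str) -> List[dict]:
        """Full history for one address, ready to hand to an auditor or authority."""
        email = _normalize_email(email)
        return [asdict(ev) for ev in self._events if ev.email == email]

    def export_json(self) -> str:
        return json.dumps([asdict(ev) for ev in self._events], indent=2)


def demo() -> ConsentLedger:
    """Constructed sample: one download-only consent, one full consent later revoked."""
    ledger = ConsentLedger()
    t0 = datetime(2023, 1, 28, 10, 0, tzinfo=timezone.utc)  # constructed timestamp
    ledger.record_consent("Ana@Example.com", ["material_download"],
                          "PP-2023.1", "form-whitepaper", t0)
    ledger.record_consent("bruno@example.com", ["material_download", "advertising"],
                          "PP-2023.1", "form-whitepaper", t0)
    ledger.record_opt_out("bruno@example.com", when=t0.replace(hour=12))
    return ledger


if __name__ == "__main__":
    print(demo().export_json())
```

Before each campaign the sending system asks `can_send(address, "advertising")` rather than reading a static "subscribed" flag, so a download-only consent never becomes an advertising permission and an opt-out takes effect immediately. The `evidence()` output is what you would produce if asked to show that a given recipient consented, on what date, under which policy version and through which form.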
- European background
With increasing frequency, in different parts of the world, organizations are fined by privacy control authorities for not being able to demonstrate that they have the necessary legitimacy to send email marketing.
We will review below the main privacy criteria established by European control authorities when resolving two cases of violation of rights related to these issues.
- Fine of €600,000 (six hundred thousand euros) imposed by the French control authority, Commission Nationale de l’Informatique et des Libertés (“CNIL”), on the company EDF (ELECTRICITE DE FRANCE) by final decision of November 24th, 2022.
In this case, the CNIL decided to fine the EDF company, the main electricity provider in France, after receiving numerous complaints from data subjects (individuals who received unwanted communications). The agency determined that EDF’s activity implied different breaches of the General Data Protection Regulation (GDPR), and the French Postal and Electronic Communications Code.
In particular, the company was unable to demonstrate that it had implemented sufficient measures with its data brokers to ensure that individuals had validly consented to receive subsequent communications prior to being surveyed. During the process, EDF was also unable to present evidence to the CNIL of having carried out audits on the data intermediaries, nor of the consent collection forms used.
On the other hand, the CNIL detected that EDF had breached the information duties provided for in the Regulations, considering that the commercial prospecting letter sent to users did not precisely indicate the source of the data (it only mentioned generically that the “data was collected from an organization specializing in data enrichment”).
- Fine of €4,000 (four thousand euros) imposed by the Spanish Data Protection Agency (“AEPD”) on the company MAX2PROTECT, S.L. (Procedure No. EXP202201667) of November 28, 2022.
In this case, a user filed a claim with the Spanish privacy authority for receiving spam emails several times a day.
Despite the previous disclaimer, the AEPD considered that the defendant could not prove the consent given by the claimant for the sending of commercial emails and did not present supporting documentation to prove its statements (such as, for example, the purchase contract for the database containing the complaining user’s email address).
The AEPD concluded that the company infringed Spanish law by sending advertising emails without the prior consent of the interested party and applied a penalty of 4,000 euros (four thousand euros).
- The latest regulatory updates from the privacy authority in Argentina (Agencia de Acceso a la Información Pública “AAIP”)
In the fines imposed by the European authorities reviewed here, the already mentioned proven responsibility plays a preponderant role in deciding whether or not sanctions are applied. When we talk about demonstrated responsibility, we refer to the concept of not only complying with the regulations, but also being able to demonstrate such compliance.
In this sense, on December 5th, the Argentine privacy authority published AAIP Resolution No. 240/2022, updating the parameters that will be taken into account both in the infraction classification regime and in the graduation of sanctions.
We emphasize that one of the new aspects incorporated is that the AAIP will evaluate, for the application of sanctions (in line with the European Data Protection Regulation): “[t]he demonstrated adoption of corrective measures and mechanisms and internal procedures capable of minimizing the damage, tending to the safe and adequate treatment of the data”.
To better understand what this new aspect of “proven adoption” incorporated by the aforementioned resolution implies, we take as a reference the principle of proactive and proven responsibility defined in the latest Draft Law that updates the current regulations (Law No. 25,326).
In short, this principle is associated with:
- the measures that organizations that process personal data must adopt to comply with their obligations, as well as their due diligence to prevent and mitigate adverse impacts; and
- the burden of demonstrating that there are legal bases of treatment, for example, the consent of the recipient, before the Application Authority and that these were timely implemented.
It is evident that the proactive and demonstrated responsibility of organizations and companies for the data processing they carry out for marketing activities is a reality that is here to stay. Although including a good opt-out is a great advance for a company’s email marketing, it is no longer enough to comply with the law or to demonstrate that we are in compliance.
The methodology implied by proactive and proven responsibility is key to responsible management of the privacy of our prospects and users, so as to be able to prove the legitimacy of the processing of personal data, whether in response to a user’s request to exercise their rights or to requirements of the control authority.
We hope these recommendations are helpful.
If your organization needs personalized assistance regarding privacy and protection of personal data, we can help you. Write to us at [email protected]
Gabriela Szlak is a partner at Lerman & Szlak Law Firm. She is a lawyer who graduated with honors from the University of Buenos Aires (T°79 F°516 CPACF). Her areas of practice and specialization are marketing and digital business, intellectual property, and privacy and protection of personal data. She teaches at the master’s and postgraduate level in the field of the regulatory framework of marketing and digital business and Protection of Personal Data (University of Buenos Aires and Di Tella University). In 2022 she obtained the International Certification in Protection of Personal Data (CIPDP).
For more information on the case, we refer to the note published by the CNIL, available at: https://www.cnil.fr/fr/prospection-commerciale-et-droits-des-personnes-sanction-de-600-000-euros-lencontre-dedf
Arts. 13 and 14 of the General Data Protection Regulation (GDPR)
The complete resolution can be consulted on the official website of the Spanish Data Protection Agency: https://www.aepd.es/es/documento/ps-00292-2022.pdf
Art. 21 of the Law on Services of the Information Society and Electronic Commerce of the Kingdom of Spain