Argentina: Best privacy practices in email marketing campaigns
When it comes to conducting email marketing campaigns, companies and organisations often have doubts regarding the privacy implications of managing prospects and client's databases. Marketing agencies themselves, which provide email marketing services and solutions for customers, are often requested to ensure that their service is conducted in lawful manner and complies with international data privacy standards. Gabriela Szlak and Lucia Suyai Mendiber, from Lerman & Szlak, provide useful guidelines and describes best practices to carry out email marketing activities, in compliance of the Argentine data privacy legal framework.
The processing of Personal data in Argentina is mainly regulated by the Personal Data Protection Act, Act No. 25.326 of 2000 ('the Act'), Decree No. 1558/2001 Regulating Law No. 25.326 ('the Decree'), and the related dispositions issued by the Argentinian data protection authority ('AAIP').
The Argentine data privacy legal framework sets forth that the primary legal base for any personal data processing is the data subject's consent. However, there are also certain alternatives to the data subject's consent which apply in specific circumstances, such as certain processing for marketing purposes, provided under Section 27 of the Act, the Decree, and Regulation 4/2009 ('the Regulation'). Subject to the aforementioned legal framework and as long as the organisation respects the recipient's will not to receive advertising, email marketing is allowed without consumers' express consent, i.e., the recipient must always be provided with the 'unsubscribe' option (the so-called 'opt-out mechanism'). Through the opt-out mechanism, data subjects are entitled to object to the processing and exercise their right to be removed from the emailing distribution database, free of charge.
Opt-in and opt-out under the Argentine data privacy regime
Section 27 of the Act allows email marketing without consumers' express consent by a confusing and non-conclusive wording that have led to academic dissents. However, there is a common understanding that if the personal data enables consumer profiling and learning about consumption habits, the data subject's express consent is mandatory, this is to say that the opt-in prevails in these cases, always combined with the possibility to opt-out from each communication.
The Decree attempts to move the debate forward and expressly states that personal data may be collected, processed, or transferred for marketing purposes without data subjects' consent if said processing is aimed to specific profiling (which is construed as a less complex treatment than the one that refers to establishing consumption habits). The profile processing referred categorises individuals by similar preferences and behaviors, and only includes the personal data strictly necessary for formulating the offer.
Furthermore, the Decree reinforces the minimum rule commonly known as 'the opt-out golden rule,' which is the obligation to always and at all times expressly inform the recipient of the unsubscribe option (the opt-out option) free of charge, so to request the data subject's right to object to the email marketing and their right to be removed from the emailing distribution database. The Regulation provides that once the data subject exercises the opt-out right the data controller shall comply in removing the personal data from the email distribution database within a maximum period of five working days – as it is foreseen by Section 16 of the Act. Also, the Regulation specifies in Section 1 that every email marketing communication shall inform data subjects about the 'opt-out mechanism offered,' and include certain mandatory legends which are provided in the Regulation. Furthermore, the Regulation requires data controllers to have sufficient operational capacity to comply in a lawful manner with data subjects' objections requests related to email marketing data processing. In light of the foregoing, it is construed that the rule is clear about users and consumers right not to be contacted for advertising purposes when they request it.
The Decree expressly sets forth that data subjects can request to be informed of who has provided its personal information to the data controller who has sent him or her unsolicited communication. As a consequence, if these activities are carried out with unqualified databases (i.e. outdated databases or databases that were formed by collecting personal data from customers in physical stores and/or without proper evidence of data subject's consent), and therefore the data controller is unable to respond to the data subjects' requests in this regard, this circumstance would be considered a breach of the Act.
Finally, the Regulation expressly regulates unsolicited email marketing communications and specifically regulates the opt-out mechanism, and also requires that unsolicited email marketing shall include the single term 'advertising' in its subject.
Conclusions and current trends
Notwithstanding the above regarding carrying out email marketing based on the opt-out rule and the possible application of exceptions to data subjects' consent to said cases, it shall be highlighted that exceptions shall be understood in a restrictive manner, with a respectful individual rights approach and considering the case particularities. In this sense, the applicable legal framework is construed in an extremely restrictive manner towards what can be done without consent and only by offering the consumer an effective opt-out mechanism. Moreover, both in cases of consented and unsolicited email marketing, the regulation requires data controllers to comply with strict requirements, including but not limited to the mandatory legends referred before.
Personal data processing related to customer profiling and consumption habits (not just profiles categorising preferences), which is the most widely used method for digital marketing activities, such as predictive marketing techniques, or all kinds of intensive treatments for marketing and advertising purposes, are not deemed to be under the scope of the opt-out rule only; on the contrary, this processing shall comply with the data subjects' consent rule (opt-in and the unsubscribe or opt-out mechanism must be also granted for those cases).
It might be interesting to point out that the current standards of the email marketing industry, as well as the regional regulatory trends, are moving towards 'opt-in and opt-out' schemes, in which data subjects' consent prevails.
Furthermore, the industry standards observe the so-called 'double opt-in' schemes as additional steps for subscriptions are foreseen. In this sense, data subjects' prior consent for sending marketing communications would seem to be a trend today, which even includes consent segmentations on the basis of preferences indicated by the consumer when submitting its subscription or registration.
Lastly, the AAIP has issued guidelines for data privacy assessments1 in which sending unsolicited email has been identified as a risk. In addition, Section 48 of the official draft of the EU-Mercosur Trade Agreement expressly regulates this issue by establishing that participating states should ensure users and consumers right not to receive unsolicited emails2. However, the text exempts from this prohibition direct marketing sent by those who have already sold to the consumer, provided that the intention is to offer products or services related to those contracted or purchased by the consumer in question.
In conclusion, direct marketing actions shall be analysed on a case-by-case basis taking into account the complexities and intensity of the processing, treatment, and origin of the data collected in order to determine the actions and considerations that shall be applicable from the perspective of the Argentine data privacy regime and/or other law or jurisdiction that might be applicable.
In short, the companies that carry out direct marketing actions should apply the opt-in and opt-out standards explained in this article, not only to comply with data privacy law but also to be aligned to industry's regulations and best practices. Consumer trust, which is one of the fundamental keys to boost conversion in these marketing campaigns, is closely related to best practices based on accountability and transparency toward customers.
1. Available, only in Spanish, at: https://www.argentina.gob.ar/noticias/argentina-y-uruguay-lanzan-la-guia-evaluacion-de-impacto-en-la-proteccion-de-datos
2. Available, only in Spanish, at: https://www.cancilleria.gob.ar/es/acuerdo-mercosur-ue/servicios-y-establecimiento