EU: Overview of the direct marketing rules in the EU - single opt-in, soft opt-in, and double opt-in mechanisms

The legal framework for direct marketing activities in the EU is set by two main pieces of legislation, namely the General Data Protection Regulation (GDPR) and the Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) (the ePrivacy Directive).

The GDPR is the general data protection framework applicable to companies and natural persons established in the EU or who direct their services towards EU citizens. This is an important consideration for direct marketing because it includes US companies that direct services and send marketing emails to EU customers, and that will therefore need to respect the GDPR rules. In terms of material scope, the GDPR only applies to the processing of personal data of natural persons who are identifiable (either directly or indirectly). This means that mailing lists that solely consist of generic professional email addresses are not subject to the strict requirements in the data protection legislation in the EU.

The ePrivacy Directive is the data protection framework applicable in the electronic communications sector. The ePrivacy Directive provides a set of specific rules on data protection in the area of electronic communications, such as on the confidentiality of electronic communications, the treatment of traffic data (including data retention), and rules on spam and cookies.

A proposal for an ePrivacy Regulation was published on January 10, 2017, as the ePrivacy Directive is no longer optimally suited to the fast-changing nature of the electronic communications sectors. However, the discussions on the proposal for an ePrivacy Regulation have been stalled at the Council for almost six years, and it is uncertain whether the proposal will be adopted in the foreseeable future. The ePrivacy Directive, therefore, remains the law of the land, complementing the GDPR. Jolien Clemens, Attorney-at-Law at Timelex, explores the ePrivacy Directive rules and the GDPR as the currently applicable legal frameworks in the context of direct marketing.


The interplay between the GDPR and the ePrivacy Directive regarding direct marketing

As established above, the GDPR and the ePrivacy Directive are two coexisting and largely intertwined regulatory frameworks providing the rules that govern direct marketing in the EU.

Article 1(2) of the ePrivacy Directive states that the provisions of the ePrivacy Directive particularize and complement Directive 95/46/EC (since repealed and replaced by the GDPR) to harmonize the provisions of the Member States, ensuring an equivalent level of protection of fundamental rights and freedoms and in particular the right to privacy. In other words, if both the ePrivacy Directive and the GDPR apply to a certain data processing activity, the rules of the ePrivacy Directive will prevail as a lex specialis.

It must be clear that in the case of direct marketing activities, there is an interplay between the GDPR and the ePrivacy Directive as the processing triggers the material scope of both. Sending marketing emails to end users entails the 'processing of personal data' (i.e., email addresses), which means that, without doubt, the GDPR will be applicable. Additionally, the specific rules in Article 13 of the ePrivacy Directive, which regulate 'unsolicited direct marketing communications,' will be applicable. Both the Article 29 Working Party, the predecessor of the European Data Protection Board (EDPB), and the European Data Protection Supervisor (EDPS) have confirmed, in guidelines and an opinion respectively, that this rule in the ePrivacy Directive is not only applicable to providers of electronic communications services but to any entity that sends unsolicited communications via email.

Different opt-in mechanisms in the EU

From soft opt-ins to single opt-ins to double opt-ins

The baseline for direct marketing communications can be found in Article 13(1) of the ePrivacy Directive, which requires the prior consent of end users for the use of email for the purposes of direct marketing. The text of the ePrivacy Directive itself mentions that the notion of consent (opt-in) in the ePrivacy Directive must be interpreted in accordance with the notion of a data subject's consent in the GDPR. This essentially means that valid consent under the GDPR is needed, requiring that the consent be freely given, specific, informed, and an unambiguous indication of wishes (i.e., expressed by a statement of a clear affirmative action). In the context of direct marketing, consent is often obtained through the use of checkboxes. When ordering a product on a website, customers are usually given the option to consent to receiving newsletters and other marketing communications from that company. Note that in this case, the consent must be free and optional, i.e., the customer must be able to order the products without ticking the consent box. The fact that consent requires active behavior from the end user also explains why the use of pre-ticked boxes is not permitted.

In a direct marketing context, there is, however, one derogation to the prior consent requirement, which is referred to as 'soft opt-in.' Soft opt-in enables companies to send direct marketing emails to end users without the need for prior explicit consent under the following specific conditions:

  • the initial contact information of the end user must have been collected in the context of a sale or service, which excludes non-lucrative transactions. In addition, for certain Member States, the 'sale' itself need not necessarily have materialized, and pre-contractual relations can be sufficient, but this interpretation depends on national law as some countries require the completion of a transaction, and some include the pre-contractual phase. In any case, the creation of an account or the showing of interest by asking questions about a product does not satisfy this condition (in countries that admit the pre-contractual phase);
  • the company must be advertising their own similar goods or services to those that were initially purchased by the customer;
  • direct marketing can only be carried out through electronic means via email; and
  • the end user must have the option to object to the application of soft opt-in during the initial collection of their contact information and in each subsequent soft opt-in direct marketing message.

An existing customer (and, in certain Member States, a prospect who has entered into a pre-contractual relationship) does not need to provide consent for each direct marketing message but should be given the opportunity to object at the time of the initial collection of their email address and in any later marketing communication (i.e., through the provision of an option to unsubscribe in each marketing email).

At first glance, these rules seem rather straightforward. However, some Member States have more stringent rules and require double opt-in. Double opt-in means that consent needs to be obtained through a two-stage process where two separate actions are required. For example, the end user will first need to sign up to a mailing list when ordering a product by providing their email address. The customer will then receive an automated email asking them to confirm the email address by clicking on a link in that email.

Opt-out mechanisms as an important safeguard

The opt-out mechanism in a marketing context refers to a data subject's right to object to the processing of personal data for direct marketing purposes. Article 21 of the GDPR specifies that where personal data is processed for direct marketing purposes, such right to object shall apply at any time (i.e., the data subject must not demonstrate 'grounds relating to their particular situation').

The opt-out mechanism is also visible in the soft opt-in wording in Article 13(2) of the ePrivacy Directive, as it states that end users must clearly and distinctly be given the opportunity to object, free of charge, and in an easy manner, to the use of their data for direct marketing at both the initial collection of their data and in each message thereafter.

Almost all Member States have so-called 'Robinson lists' or 'do-not-call lists' which register phone numbers and/or email addresses of end users who do not want to be contacted for marketing purposes. However, it should be noted that in the context of direct marketing, the mere fact that a phone number or email address is not registered on these kinds of lists is not sufficient to send a marketing message. In most cases, explicit opt-in will be required, except for cases where a company can rely on soft opt-in.

Comparative analysis of the different frameworks in the EU

Research of the legal regimes in the different Member States revealed that none have a strict legal requirement for double opt-in. However, the mechanism is strongly encouraged as a best practice by certain data protection authorities through non-binding guidelines or decisions.

Germany was one of the first countries to do so, as the German data protection authority strongly recommended the use of double opt-in in its guidelines on direct marketing. The German authority based this reasoning on a landmark decision issued by the German Federal Court of Justice in 2011, which authenticated the double opt-in mechanism as a means to provide evidence that consent was obtained. Since then, several German courts have ruled that double opt-in mechanisms are to be used to ensure that the consent provided comes from the person to whom the specific email address belongs.

The Austrian data protection authority has also used similar reasoning in a case concerning direct marketing, where it recommended the use of double opt-in as a security measure on the basis of Article 32 of the GDPR to avoid sending marketing communications to the wrong recipient.

The Greek data protection authority also published guidelines on direct marketing in which it strongly recommends the use of a double opt-in procedure to obtain the valid consent of an end user.

The overall majority of the Member States, however, only require single opt-in for direct marketing. Most Member States also require a 'real sale transaction' in order to rely on soft opt-in for existing customers. There are only a few Member States where the national law allows reliance on soft opt-in in cases where there were only pre-contractual relations with a potential customer - this is the case in Austria, Croatia, and Greece.

There are a handful of Member States where the soft opt-in mechanism has not been implemented into national law. For example, in Hungary, there is no mention of soft opt-in in the Hungarian Advertising Act. However, they do have a variant on soft opt-in where companies can use the contact information of customers that was previously collected through a sale with that customer but only to send an email to ask whether the customer would like to receive direct marketing communications. In Poland, there is also no soft opt-in possibility provided in the Polish Telecommunications Law.

Conclusion

The concept of consent for direct marketing remains pivotal. While the GDPR mandates explicit, freely given consent for data processing, including direct marketing, the ePrivacy Directive introduces nuances such as soft opt-in. This mechanism permits marketing to existing customers under certain conditions, offering flexibility while maintaining individual rights through opt-out provisions.

Moreover, the debate over opt-in mechanisms reflects divergent national approaches across EU Member States. While some, like Germany and Austria, advocate for stringent double opt-in procedures to bolster consent validity and security, most countries adhere to single opt-in requirements. Variations exist even within Member States, with differing interpretations of soft opt-in provisions and requirements for prior transactions.

The absence of a uniform approach underscores the complexity of harmonizing direct marketing regulations across the EU. Nonetheless, overarching principles such as consent, transparency, and individual rights remain central.

Jolien Clemens Attorney-at-Law
Timelex, Hasselt