UPDATE: The EU adopted the General Data Protection Regulation on 14 April 2016. It will come into force in April 2018. The article below has been updated to reflect this timetable.
Marketers will be required to get “unambiguous” consent from consumers before using their data for marketing purposes, under new laws agreed by the European Union. Penalties for breaching consumers’ data rights will also become harsher, with companies facing fines of up to 4% of turnover.
The EU has settled on the final text of its General Data Protection Regulation (GDPR) after four years’ debate; however, marketers were spared some of the most stringent proposed provisions.
The requirement for “unambiguous” consent is less onerous than “explicit” consent, as previous drafts specified, but it still rests on a “clear affirmative action” by consumers. This can include ticking a box on a website, but silence, pre-ticked boxes and inactivity do not constitute consent.
Brands will also need to give specific and clear information on what will be done with personal data.
Cookies that cannot be linked to a personally identifiable piece of data, such as an email address, will not be considered personal data under the new law, according to an analysis of the text by the Direct Marketing Association. Targeted online advertising may therefore escape new restrictions as long as it does not depend on personal identifiers to serve the ad.
Consumers will have the right to opt out of being profiled according to their interests and behaviour, unless they have previously consented to it or it is required in the terms of a contract with a company. If consumers object to their data being processed, it can no longer be used for marketing purposes.
The law will come into force in two years. Companies must be compliant by April 2018.
DMA group CEO Chris Combemale says: “The text is better than we thought in five key areas – specifically the definition of personal data, the definition of consent, the consumer right to object, ‘profiling’ and what is the ‘legitimate interest’ of businesses to process consumer data.
“These areas will be the concern of digital and data-driven marketers for the foreseeable future, and we are pleased that the agreed text will allow the continued development of the data-driven sector. Companies that already adhere to the DMA Code will find that they are mostly compliant already, and have a head-start with two years to go before implementation, but there will still be some work to do.”
“The principles of openness and responsible marketing underlie this new text.”
Chris Combemale, CEO, DMA
The GDPR will govern how brands process individuals’ data across all EU member countries, eventually replacing the UK’s Data Protection Act. Unlike the current regime, the Regulation will be imposed directly onto the countries’ legal systems, rather than leaving them free to enforce it under their own national legislation.
New requirements brought in under the law will include the need for large companies to appoint a data protection officer.
German MEP Jan Philipp Albrecht, who led the EU parliament’s efforts to draft the GDPR, says: “The regulation returns control over citizens’ personal data to citizens. Companies will not be allowed to divulge information that they have received for a particular purpose without the permission of the person concerned. Consumers will have to give their explicit consent to the use of their data.
“Unfortunately, member states could not agree to set a 13-year age limit for parental consent for children to use social media such as Facebook or Instagram. Instead, member states will now be free to set their own limits between 13 and 16 years.”