The digital marketing industry is powered by information about individuals (“personal data”) that pulses through a supply web. As this FTC infographic shows, some industries such as retail, energy, financial services, and health care, have direct relationships with those individuals. Other industries, such as data marketing, generally are at least one step removed. In fact, the most distinguishing feature of the data marketing industry may be that it earns its revenue supplying data or inferences from sources other than the data subjects themselves.
The (changing) scope of EU data privacy law
Under the current Data Protection Directive (95/46/EC), EU data privacy law reaches a data broker only if the broker (1) processes personal data in the context of an establishment in an EU member state, or (2) makes use of equipment located in the EU; the citizenship of the individuals whose data is processed is not the trigger. As a result, some data brokers already face compliance obligations while many others remain untouched. This will change dramatically on 25 May 2018, when the EU General Data Protection Regulation (GDPR) takes effect. From then on, a data broker anywhere in the world, using any equipment, is within reach of EU enforcement authorities whenever it processes the personal data of individuals who are in the EU and the processing relates to offering them goods or services or to monitoring their behaviour within the EU (Article 3(2)). Building or trading marketing profiles of EU individuals is the kind of behavioural monitoring the GDPR has in mind, so few data brokers handling EU data will fall outside that net.
Personal data in the EU – Regulating Correlations
The aim of EU data privacy law is to regulate data correlation, not just data collection. To that end, EU law defines “personal data” broadly: it is any information relating to an identified or identifiable individual, and an individual is identifiable if the information, on its own or combined with other pieces, singles that person out. Any puzzle piece, no matter how small, that helps complete a picture identifying an individual therefore counts. That means mobile device identifiers, cookie IDs, IP addresses, and geolocation data are all personal data. Some information, such as data revealing racial or ethnic origin, political opinions, trade-union membership, health, sexual orientation, and genetic or biometric data (among other things), falls into the “special categories” (commonly called “sensitive data”) that require an elevated level of protection and, for marketing purposes in practice, explicit consent.
The challenge for data driven marketing: relying on the “legitimate interest” legal basis
It is already illegal in the EU to process personal data without one (or more) of six so-called “legal bases,” but most are unavailable to data brokers. Take, for example, the legal basis of consent. Data brokers lack a relationship with the data subject, so they cannot obtain consent directly when the individual signs up for goods or services. At the same time, any consent obtained by the organization that originally collects the data is unlikely to be useful to a data broker: GDPR consent must be specific and informed, and a consent request given at the point of collection will rarely name the intermediaries and end users who might ultimately use the data for marketing.
The “legitimate interest” legal basis (Article 6(1)(f)) is considered the most attainable for a data broker. To rely on it, the broker must document a legitimate interests assessment (LIA). The LIA must show that the processing is necessary for a legitimate interest pursued by the broker or by a third party, and that this interest is not overridden by the interests, fundamental rights, or freedoms of the data subject; in other words, the balancing test is whether the individual’s interests outweigh the broker’s, not the reverse. The GDPR drafters anticipated the use of the legitimate interest legal basis by marketers. Indeed, Recital 47 of the GDPR states: “[t]he processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” By contrast, this 2014 opinion from the coalition of EU data protection authorities (the Article 29 Working Party (A29 WP)) suggests that the legitimate interest legal basis is unlikely to be available to data brokers. There, the A29 WP described the trade of individual profiles through intermediary data brokers as “likely to present a significant intrusion into the privacy of the customer,” an intrusion that would override the data brokers’ interests in the balancing test.
So which is it? Can the data-driven marketing industry rely on legitimate interests or is it strictly required to obtain consent despite the absence of a relationship with the data subjects? Regulatory guidance is sorely lacking in this area, a point the Data Marketing Association (DMA) emphasized in its response to the UK’s Information Commissioner’s Office (ICO) consultation on the meaning of “consent” under the GDPR. There, the DMA urged ICO to clarify that direct marketing is a legitimate interest under the GDPR, as per Recital 47.
As the calendar marches on towards May 2018, we hope guidance will be forthcoming and practical. Stay tuned.
For GDPR-related inquiries, please contact Robert Stankey at 202.973.4214.