
Our journey to discover the new General Regulation on the Protection of Personal Data continues with a focus on two email marketing pillars: consent and profiling.

After an overview of the reform and its first five substantial new points, we explain how the approach to these two fundamental activities has changed for those who manage data for commercial communication purposes: thanks to the new regulation, gaining consent and profiling make room for those who want to experiment and to seize attractive opportunities.

Consent can now be inferred

Those who do email marketing are used to considering the consent of recipients as valid if provided as an express declaration, through the use of the opt-in system, adopted in Italy in 1997.

The new European regulation is shifting its approach, becoming less formal and more substantial, with a clear trend in the direction of English-speaking countries.

But let’s let the European reform text do the talking. The following is from Recital 25 of the approved text:

Consent should be given by a clear affirmative action establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to personal data relating to him or her being processed, such as by a written, including electronic, or oral statement. This could include ticking a box when visiting an Internet website, choosing technical settings for information society services or by any other statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of their personal data. Silence, preticked boxes or inactivity should therefore not constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be granted for all of the processing purposes. If the data subject’s consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

In fact, within certain limits, room is made for forms of consent that result from conclusive action expressed through positive behaviors by the concerned party. A classic example of conclusive action which is valid as consent is the use of cookies: when you see the information banner on the homepage and then continue to browse, you are consenting to the use of cookies.

This is a turning point, providing new scope compared with the rigid barriers of the opt-in system, which still formally apply.

If we reconsider the definition of consent provided by the Regulation – ‘the data subject’s consent’ means any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed – we see how reference to the explicit nature of the consent has disappeared, which, under certain conditions, can be inferred based on active conduct by the concerned party.

New profiling criteria

As for profiling, which for many consists of simply analyzing and segmenting the database, the regulation gives very precise answers: the reform clarifies that profiling consists of a data analysis followed by an automated process that does not require human intervention.

Therefore, the regulation states that cases where data in a database is analyzed by IT tools and its processing is subject to prior assessment by a data controller, with the aim of adapting and verifying the data before it is used, do not fall within the definition of profiling. As a result, specific consent is not required to perform the activity in these cases.

Upcoming points of focus: from the Data Privacy Officer to the right to portability

Only one thing is missing to round off the first cycle of contributions on the new regulation: with the next blog post we will lead you to discover the last five items, from the introduction of the Data Privacy Officer to the new rights of the data subject.
