FAQ on Consent for Electronic Direct Marketing

Version Last Updated: April 2020

What rules apply to electronic direct marketing?

The ‘General Data Protection Regulation’ (GDPR) applies directly in Ireland to most kinds

of data processing and is read in conjunction with the Data Protection Act 2018;

however, in addition to these general rules, there are rules which specifically apply to

electronic direct marketing (marketing conducted by phone, fax, text message, and

email), which are set out in the ‘ePrivacy Regulations’ (SI 336 of 2011).

The ePrivacy Regulations are an extra set of rules which are applicable to certain types

of data processing, including electronic direct marketing, and are read together with

the rules found in the Data Protection Act 2018 and the GDPR. Recital 173 and Article 95

of the GDPR clarify that the ePrivacy Directive continues to apply in tandem with the

GDPR.

How does the GDPR impact consent requirements for electronic

direct marketing?

It is important for retailers to note that any ‘consent’ required under the ePrivacy

Regulations must be consistent with the definition of consent found in the GDPR,

namely;

any freely given, specific, informed and unambiguous indication of the data subject's

wishes by which he or she, by a statement or by a clear affirmative action, signifies

agreement to the processing of personal data relating to him or her.

The concept of consent under ePrivacy is based on that found in the GDPR, and this

position has been confirmed by the Article 29 Working Party (now replaced by the

European Data Protection Board’ or ‘EDPB’) in its ‘Guidelines on Consent under

Regulation 2016/679’ (at page 4).

In addition to the characteristics of consent under the GDPR, as set out above, further

conditions for valid consent are specified in Article 7 GDPR, including the

requirement that a request for consent must be clearly distinguishable from other

The ePrivacy Regulations transpose the EU Directive 2002/58/EC on Privacy and Electronic

Communications, otherwise known as the ‘ePrivacy Directive’, into Irish law.

See Article 4(11) GDPR

FAQ on Consent for

Electronic Direct Marketing

Version Last Updated: April 2020

matters, and that a data subject is entitled to withdraw their consent at any time, and

should be able to do so as easily as they gave it.

Recital 32 GDPR makes clear that silence, pre-ticked boxes, or inactivity on the part

of a data subject will not constitute consent under the GDPR, and therefore will not

be sufficient to demonstrate consent for the purposes of electronic direct marketing,

where required under the ePrivacy Regulations.

Is consent explicitly required for all cases of electronic direct

marketing?

The general rule for electronic direct marketing is that it requires the clear,

affirmative consent of the recipient (such as by specifically opting-in) under Regulation

13 of the ePrivacy Regulations.

Nevertheless, consent is not specifically required in respect of every instance of

electronic direct marketing, and there is an exception to the general requirement for

consent, but only in cases involving existing customers, where certain other conditions

are also met.

Under Regulation 13(11) of the ePrivacy Regulations, where an organisation lawfully

obtains electronic mail contact details ‘from a customer … in the context of the sale of a

product or service’ (i.e. this only applies to existing customers), consent to electronic

direct marketing is not required as long as the following further conditions are met in

relation to the electronic direct marketing communication:

a) the product or service being marketed is the organisation’s own product or

service,

b) the product or service being marketed is of a kind similar to that supplied to

the customer in the context of the original sale,

c) the customer must be clearly and distinctly given the opportunity to object

to the use of their details at the time those details are collected, as well as each

time the organisation sends an electronic marketing message to the customer,

and

d) the initial direct marketing communication must be sent within 12 months of

the date of the original sale to the customer.

This means that an organisation must not send direct electronic marketing to a

prospective customer who does not complete a purchase, for example where they

browse online for products but do not complete the checkout process.

Version Last Updated: April 2020

Regulation 13(11) further requires that the customer’s electronic mail contact details

must have been lawfully obtained in accordance with the Data Protection Act 2018.

This means the initial reason for obtaining the contact details must have been

compliant with the principles of data protection and have had a valid legal basis, as

appropriate for the context in which the electronic mail contact details were originally

obtained.

In what kinds of cases might consent not be specifically

required for electronic direct marketing?

As mentioned above, in cases that fulfil the preconditions of Regulation 13(11) (i.e. cases

of marketing to existing customers), retailers may be able to engage in direct marketing

without the need for specific consent to such marketing. The examples below illustrate

how this might work, and what steps might be required in practice:

Case A

Customer X books and pays for a hotel room with Hotel Y. For the purpose of confirming the

sale and issuing a receipt, Hotel Y requires Customer X’s email contact details at the point of

sale. Customer X is given an opportunity at the point of sale to object to the use of their

details for electronic direct marketing, by ticking a box, but does not do so.

Within 12 months of that sale, Hotel Y wants to send an electronic direct marketing email to

Customer X to advertise the fact that they are having a half-price deal on their rooms for a

limited time. They plan to include a link at the bottom of the email allowing Customer X to

opt-out of any further direct marketing emails.

Hotel Y may use the email contact details of Customer X in this case for electronic direct

marketing, given that;

 the email contact details were initially obtained validly, with an valid legal basis, at the

point of sale;

 the product or service being marketed is Hotel Y’s own;

 the product or service being marketed is similar to that which the customer

purchased in the original sale;

 the customer was given the opportunity to opt-out of electronic direct marketing at

the point of sale;

 the customer was given the opportunity to opt-out of electronic direct marketing in

each subsequent message; and

 the sending of the first direct marketing email occurred within 12 months of the

original sale.

Version Last Updated: April 2020

The further examples below illustrate how the exception in Regulation 13(11) cannot be

relied on by retailers, or those engaging in electronic direct marketing, where just one

of the conditions of Regulation 13(11) is not met:

In practice, the rule in the case of electronic direct marketing, is that an opt-out or pre-

ticked box for the gathering of permission for direct marketing is unlikely to be

sufficient to meet the requirements where consent is required, because in general opt-

outs, silence, pre-ticked boxes, etc., won’t satisfy the requirements for consent as

defined under the GDPR.

However, consent is not specifically required in cases of electronic direct marketing to

existing customers who are given an opportunity to object, where the marketing relates

to the organisation’s own similar products or services and where the first marketing

communication is sent within 12 months of the original sale.

Case C

The same details as in Case A, but this time Hotel Y wants to send Customer X a direct

marketing email regarding a deal which another hotel chain (which is not connected or

affiliated with Hotel Y; they just want to do this as a favour) is having.

Hotel Y may not use the email contact details of Customer X in this case for electronic direct

marketing, given that;

 the product or service being marketed is not Hotel Y’s own

 the product or service being marketed is not Hotel Y’s own.

Case B

In a case with similar details as in Case A, this time regarding the sale of a room to Customer

Z, where there was no option on the booking form at the point of sale for Customer Z to opt-

out of electronic direct marketing, or any indication that their email contact details might be

used for direct marketing.

Hotel Y may not use the email contact details of Customer Z in this case for electronic direct

marketing, given that;

 the customer was not given the opportunity to opt-out of electronic direct marketing

at the point of sale.

Version Last Updated: April 2020

Can customers object to electronic direct marketing?

The ePrivacy Regulations provide that individuals have the right to object to receiving

electronic direct marketing and that a facility to opt-out must be included with each

marketing communication.

Where a person is purchasing a product or service, they must be given the right to

object to the use of their details for direct marketing at the time those details are

collected. A valid means of opting out must be included in every message subsequently

sent to them. In practice, many organisations implement this by means of an

unsubscribe link in an email, or a text short code which will automatically opt the

person out of direct marketing when they send a stop request to a dedicated number.

It is a criminal offence to send direct electronic marketing to a person who objects to

receiving such communications.

Separately, Article 21 of the GDPR gives individuals the right to object at any time to

processing of their personal data for the purposes of direct marketing, which includes

profiling to the extent that it is related to direct marketing. Where an individual objects

to processing for direct marketing purposes, their personal data must no longer be

processed for those purposes.

Additionally, as noted above, if consent is relied on to send the marketing texts or

emails then the individual has the right to withdraw their consent at any time, and it

must be as easy to withdraw consent as it was to give it.

Where can I find further information on electronic direct

marketing?

Further information on the rules for electronic direct marketing can be found on the

DPC website, including the DPC’s guidance on the issuing of e-receipts.