Here’s an a question I’ve been pondering which I’m sure #DataProtection professionals will have a view on…
When the new ePrivacy Regulations come into force at some time next year, will ‘profiling advertising’, in which marketing organisations use the freely given demographic information of data subjects to create ‘lookalike’ cohorts which they put marketing messages in front of, be deemed to require consent? Here is the relevant bit of the draft text from 19th October 2018:
In this Regulation, direct marketing communications refers to any form of advertising by which a natural or legal person sends or presents direct marketing communications directly to one or more identified or identifiable end-users using electronic communications services. The provisions on direct marketing communications do not apply to any other form of marketing, e.g. displaying advertising to the general public on a website which is not directed to any specific identified or identifiable end-user and do not require any contact details about the end-user. An identified or identifiable end-user is the user that has logged in with a private account or personal log-in. In addition to the offering of products and services for commercial purposes, Member States may decide that direct marketing communications also may include messages sent by political parties that contact natural persons via electronic communications services in order to promote their parties. The same applies to messages sent by other non-profit organisations to support the purposes of the organisation.
So, the organisation doing the marketing (let’s call them Charity A) doesn’t know specifically which individuals they are marketing to, but those individuals are logged in and are therefore indentifiable – but not identifiable by Charity A.
Data subjects are able to control the marketing messages they receive in a number of ways; by paying for a premium service to avoid marketing in some channels, or to set their account permissions up to aid targeting or reduce volume. They can also refuse to hand over demographic information and decide not to engage with information-hungry apps on the sites. And they can also stay off platforms which are ‘free’ to them and which the ‘cost’ to them is receiving marketing.
Data subjects can then choose whether or not to engage with marketing which comes their way while they are using social channels, so you can argue they have a reasonable amount of control over who they give their data too, beyond Facebook, Twitter et al.
So, is profiling only ok with consent, and if so, what does this look like and what does this mean for the business model of the big platforms?
Or is profiling still ok, because you don’t have the data subject’s details, unless and until they choose to provide it?
I think it should still be the latter, but I’m not sure what the authors of the draft text have in mind – I’d be interested in what others, who are expert in this area think?