The Italian Data Protection Authority’s New Guidelines on Marketing and Spam

Aug. 20, 2013, 2:34 PM UTC

The Need for New Guidelines on Marketing and Spam

On July 4, 2013, the Italian data protection authority, the Garante per la protezione dei dati personali (Garante), issued the “Guidelines on Marketing and Against Spam” (Guidelines), aimed at providing a formal interpretation, as well as a unified and exhaustive framework, on the limitations and rules applying to marketing initiatives through email, short message service (SMS) and other automated communications means. The Guidelines are intended as useful guidance for companies intending to set up and launch marketing campaigns, as well as an effective tool for individuals to understand how to defend themselves against “wildcat” marketing and enforce their privacy rights.


The matter of marketing initiatives performed through different communications means such as telephone, SMS and email, as well as its degeneration into the phenomenon generally known as “spam”, has been addressed in a number of orders from the Garante, notably:

  • the General Order “Spamming: How to Lawfully Email Advertising Messages” dated May 29, 2003;
  • the General Order “Requirements Applying to the Processing of Personal Data for Marketing Purposes as Performed by Relying on Operator-Assisted Telephone Calls, Following the Creation of the Public Opt-Out Register” dated January 19, 2011;
  • the General Order “Controllers of personal data processing when reverting to agents for promotional activities” dated June 15, 2011; and
  • the General Order “Applicability to legal entities of the Code on Protection of Personal Data following Amendments introduced by Law Decree 201/2001” dated September 20, 2012.

The above orders underline that marketing and spam are critical issues that the Garante has repeatedly considered and addressed, cognizant of the important interests at stake: on the one hand, the need for firms to make use of marketing tools in order to foster the sale of their products and services, especially in times of economic crisis; and, on the other hand, the right of individuals not to be pestered by marketing messages. Of course, the balancing of these contrasting interests has become even more difficult with the widespread use of internet- or mobile-based communities such as social networks and messaging services such as Skype and WhatsApp.

The Garante is indeed always attuned to new technology developments and applications representing a potential threat to the privacy of individuals, and to this end it has published a series of guidelines, for example, on cloud computing, smartphones, social media, etc.

In addition, there was a need for new guidelines on marketing and spam due to the number of amendments and integrations undergone by the Italian Privacy Code, which has resulted in a layered set of rules that was often difficult to make coherent and consistent. Furthermore, it was also necessary to take into account new rules coming from European Union legislation, notably Directive 2002/58/EC (the so-called e-Privacy Directive) and Directive 2009/136/EC (the so-called Cookies Directive).

Legal and Regulatory Framework for Marketing

Applicable Rules and Definition of ‘Spam’

The starting point for analyzing the rules applicable to marketing initiatives is Article 130 of the Privacy Code, which reads:

1. … the use of automated calling or communications systems without human intervention for the purposes of direct marketing or sending advertising materials, or else for carrying out market surveys or interactive business communication shall only be allowed with the contracting party’s or user’s consent.

2. Paragraph 1 shall also apply to electronic communications performed by e-mail, facsimile, MMS [multimedia message service] or SMS-type messages or other means for the purposes referred to therein.

The first point to note is that the Privacy Code clearly requires consent (the opt-in approach) for marketing communications sent via automated means. According to paragraph 2, this rule also captures the use of email, fax, MMS, SMS and similar means.

It is interesting to note that, in the Guidelines, the Garante expressly states that, in order to have “spam”, namely the sending of unsolicited marketing messages through automated means, it is not necessary that the sending qualifies as massive and/or simultaneous, since these features may become relevant only at a later stage, such as when it comes to determining the amount of the sanctions. Thus, these features are not necessary to qualify a marketing activity as “spam”.

With regard to the possible use of lists to send marketing emails or SMS, the Garante calls attention to the fact that, provided data is collected and used in line with the rules contained in the Privacy Code and outlined in the Guidelines, an additional measure to be deployed is to make use of the Bcc (blind carbon copy) option. Indeed, recipients of emails and/or SMS should not see all the other recipients and their relevant contact details, since this would amount to a sharing of data with third parties, which requires compliance with specific requirements.

Paragraphs 3, 3-bis, 3-ter and 3-quater of Article 130 deal with marketing communications through regular mail and telephone. Under the current provisions, in order to call an individual to propose products or services or to send marketing material through the mail, it is necessary to check the blacklist created through the so-called Lista Bordoni, the Italian opt-out register. In this case, the lawmaker has taken an opt-out approach.

An exception to the opt-in requirement for sending marketing communications through automated means can be found under paragraph 4 of Article 130, which allows the use of the email addresses of existing customers to offer products or services that are similar to the ones involved in previous sales, provided that the customer has been duly informed in advance and has not objected initially or upon receipt of subsequent communications. Customers must be provided with the opportunity to object through simple means and without charge when data is collected, and thereafter upon the sending of subsequent communications. This is so-called “soft spam”.

Lastly, paragraph 5 of Article 130 spells out the obligation to clearly indicate the identity of the sender of marketing communications, as well as a valid address that individuals may contact to exercise their privacy rights.

Who Are the Data Subjects?

The data subject under the Privacy Code is the person whose data is processed. The definition of data subject used to also cover legal entities until 2011, when a law was passed that excluded legal entities from the scope of application of the Privacy Code.

The rationale behind this significant change was to simplify the burden for companies to comply with the Privacy Code. However, in practical terms, and considering the simplification measures already in force (aimed at reducing the requirements in the case of the processing of data of legal entities), this exclusion appears to have severely limited the ability of companies to protect information through privacy rules. In any case, the removal of legal entities from the scope of the Privacy Code was not made taking into consideration all the provisions dealing with legal entities.

In addition, the situation became more unclear after the implementation of the EU Cookies Directive in Italian law, under which, for electronic communications services, the data subject is referred to as a “contracting party”, thus covering not only natural persons but also legal entities that are involved in contracts with telecommunications service providers (see analysis at WDPR, September 2012, page 8).

On September 20, 2012, the Garante therefore tackled this matter, issuing a formal interpretation on the application of the Privacy Code to legal persons, entities and associations. Since legal entities are no longer considered as “data subjects”, they cannot enforce the privacy rights afforded to natural persons by Article 7 of the Privacy Code. However, legal entities may revert to ordinary civil remedies to defend their rights, and the Garante may decide to intervene in cases where it deems that unlawful data processing is performed.

The Garante also tackles an interesting aspect of the business email account, namely whether this should be considered data of the employer (a legal entity, and thus outside the scope of the Privacy Code) or the employee (thus falling within full application of the Privacy Code). In line with opinions issued by the EU Article 29 Data Protection Working Party, the Garante takes the view that a business email account (such as, for example, first-name.surname@name-of-company.com) should be considered as personal information of the employee, thus falling within the application of the Privacy Code as relating to natural persons.

It is worth noting that the Garante, referring to email service providers, has identified as necessary measures technical functionalities allowing for mutual authentication of their servers, in order to prevent harmful phenomena such as “phishing”. In this regard, email service providers should deploy specific anti-spam filters; however, these measures should avoid harming the privacy of the data subjects (i.e., overly aggressive filters may amount to disproportionate harm to the confidentiality of correspondence).

Information and Consent Rules

What Information Has to Be Provided?

A prerequisite for marketing activities is providing the data subject with the mandatory set of information listed under Article 13 of the Privacy Code. In this context, it is necessary to specify the different means intended to be used for marketing communications. It would not be enough to generically refer to marketing activities, as it is necessary to reference the use of email, SMS, MMS, etc., in order to enable the data subject to make an informed decision.

Consent Must Be Freely Given and Specific

The Garante stresses that companies intending to send marketing communications have to obtain the prior consent of individuals. In this regard, it is made clear that a company cannot send a first promotional message and at the same time ask for consent, since the obtaining of consent must precede the sending. The same applies in cases where email addresses are gathered through publicly available sources such as registers and websites. What a company might do is contact prospects by telephone (after having checked the Lista Bordoni to make sure those individuals have not opted out) and ask for their consent to the sending of marketing communications through email, SMS, MMS, etc.

In order to be valid, consent must be:

  • express (no implied consent is envisaged under the Privacy Code);
  • free (the result of the free will of the data subject);
  • specific (specific consent is necessary for each data processing purpose sought by the controller);
  • informed (the consent must follow an information statement drafted pursuant to the Privacy Code); and
  • documented in writing in the case of the processing of personal data (consent may also be given orally, but the details of that consent must be documented in some way), while consent must be given in writing in the case of the processing of sensitive data.

The Garante takes particular care regarding the requirement for freedom of consent, stressing that mechanisms such as pre-flagged consent boxes would prejudice the free will of the data subject. The same applies to making it appear that consent is a prerequisite to obtaining a data controller’s services or products.

Considering the fact that consent must be also specific, the Garante underscores the need to have specific consent for each processing purpose. In this regard, it is clarified that the umbrella of “marketing activities” captures different kinds of initiatives that are all equated on the basis of their promotional nature, such as the sending of marketing material, direct sale, market surveys and commercial communications. It follows that, for the purposes of marketing in the broad sense, it is necessary to gather only one consent. In contrast, it is necessary to have specific consent for other processing purposes, such as, for example, for sharing with third parties (including companies of the same group) personal information for marketing purposes, for profiling activities, etc.

Considering another key factor — the means deployed for the marketing activities — the Garante poses the question whether it would be necessary to have two separate consents or only one all-encompassing consent in the case of marketing activities performed through both traditional means (such as telephone and mail) and automated communications tools (such as email, SMS and MMS). The answer is that both solutions are acceptable, namely, a company may decide to ask for two different consents according to the different ways of contacting customers.

In case a company decides to ask for only one consent (which is likely to be the solution chosen by most operators), it should be made clear to customers that:

  • the consent for marketing activities provided for traditional communications means also applies to automated means; and
  • the right of the customer to oppose the processing for marketing activities applies to both communications channels, and that the customer may decide to opt out of receiving communications via either means (for example, opting out from receiving emails, but confirming his willingness to receive catalogues by mail).

In a recent opinion dealing with the same issue but considered from the opposite perspective, namely the possibility to extend consent obtained for contact through traditional channels (telephone and mail) to automated communications tools, the Garante anticipated the above position, further detailing that a customer, if applicable, should be given the possibility to choose his or her preferred way of being contacted.

Evidence of Consent

As highlighted in the subsection above, for the processing of personal (non-sensitive) data, consent may be provided in oral form or in another form (for example, over the internet, by checking a consent box), and there are no specific limitations on the way consent can be obtained. However, consent must be documented in some way, in that the relevant controller must be able to prove that it has obtained consent and the conditions under which consent has been collected. Specifically, there must be evidence of the date when consent was acquired and details of the data subject who provided consent.

In this regard, the Garante considers it useful to put in place adequate systems and procedures to verify the identity of data subjects, for example, by sending a specific email asking them to confirm their identity by clicking on a link. Proper procedures should also be in place to guarantee effective opt-out by data subjects.
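As an added example that is not part of the Guidelines or of this article, the following Python sketch (constructed data, hypothetical class and function names) models the consent rules set out in the two subsections above: one specific consent per purpose, a single consent that may cover both traditional and automated channels with a per-channel opt-out, rejection of pre-ticked boxes, consent that must precede the sending, and the evidence and link-confirmation step described here.

```python
# Added illustration, not the Garante's or any real company's code; all data is constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, Set, Tuple

# Each purpose needs its own specific consent: one "marketing" consent covers
# material, direct sale, surveys and commercial messages; sharing needs another.
MARKETING = "marketing"
THIRD_PARTY_SHARING = "third_party_sharing"


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str
    channels: Set[str]        # channels the consent was given for
    given_at: datetime        # evidence: date the consent was acquired
    source: str               # evidence: how it was collected (web form, call...)
    confirmed: bool = False   # identity verified via a confirmation link
    opted_out: Set[str] = field(default_factory=set)  # per-channel opt-out


class ConsentLedger:
    def __init__(self) -> None:
        self._records: Dict[Tuple[str, str], ConsentRecord] = {}
        self._pending: Dict[str, Tuple[str, str]] = {}  # token -> record key

    def record_consent(self, subject_id: str, purpose: str,
                       channels: Iterable[str], given_at: datetime, source: str,
                       affirmative_action: bool, token: str) -> bool:
        """Store consent as evidence; it stays unusable until confirmed."""
        if not affirmative_action:   # pre-ticked box: not freely given
            return False
        key = (subject_id, purpose)
        self._records[key] = ConsentRecord(subject_id, purpose, set(channels),
                                           given_at, source)
        self._pending[token] = key   # token goes out in the confirmation email
        return True

    def confirm(self, token: str) -> bool:
        """The data subject clicked the confirmation link."""
        key = self._pending.pop(token, None)
        if key is None:
            return False
        self._records[key].confirmed = True
        return True

    def opt_out(self, subject_id: str, channel: str,
                purpose: str = MARKETING) -> None:
        """Opt out of one channel only (e.g. no emails, but catalogues by post)."""
        rec = self._records.get((subject_id, purpose))
        if rec is not None:
            rec.opted_out.add(channel)

    def may_send(self, subject_id: str, channel: str, purpose: str,
                 at: datetime) -> Tuple[bool, str]:
        """Check before every message; returns (allowed, reason)."""
        rec = self._records.get((subject_id, purpose))
        if rec is None:
            return False, f"no specific consent for purpose '{purpose}'"
        if not rec.confirmed:
            return False, "consent not yet confirmed by the data subject"
        if rec.given_at > at:
            return False, "consent must precede the sending"
        if channel not in rec.channels:
            return False, f"consent does not cover channel '{channel}'"
        if channel in rec.opted_out:
            return False, f"data subject opted out of channel '{channel}'"
        return True, "ok"


def demo() -> Dict[str, bool]:
    ledger = ConsentLedger()
    t0 = datetime(2013, 7, 4, tzinfo=timezone.utc)
    # One all-encompassing consent for a traditional and an automated channel.
    ledger.record_consent("subject-1", MARKETING, {"email", "post"}, t0, "web form", True, "tok-1")
    unconfirmed = ledger.may_send("subject-1", "email", MARKETING, t0)[0]
    ledger.confirm("tok-1")
    ledger.opt_out("subject-1", "email")   # keeps the catalogue, drops the emails
    return {
        "unconfirmed": unconfirmed,
        "post_ok": ledger.may_send("subject-1", "post", MARKETING, t0)[0],
        "email_opted_out": ledger.may_send("subject-1", "email", MARKETING, t0)[0],
        "sms_not_covered": ledger.may_send("subject-1", "sms", MARKETING, t0)[0],
        "sharing_needs_own_consent": ledger.may_send("subject-1", "post", THIRD_PARTY_SHARING, t0)[0],
        "sent_before_consent": ledger.may_send("subject-1", "post", MARKETING, t0 - timedelta(days=1))[0],
        "pre_ticked_rejected": ledger.record_consent("subject-2", MARKETING, {"email"}, t0, "web form", False, "tok-2"),
    }
```

A real deployment would persist the records and the reason strings, since the controller must be able to prove when and under which conditions each consent was obtained.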

Sharing with Third Parties for Marketing Purposes

Regarding the sharing of personal information with third parties for marketing purposes, the Garante notes that some third parties are not related to the controller that first collects personal information, while some are affiliated companies (such as controlled companies, controlling companies or otherwise affiliated) of the same group.

Sharing with Unrelated Third Parties

When data is shared with or assigned to unrelated third parties, it is necessary that the controller that first contacts the data subjects provides them with an information notice specifying, in addition to the mandatory information listed under Article 13 of the Privacy Code, the identity of each of the third parties concerned or, alternatively, their economic or market categories (e.g., clothing, finance, etc.). The economic or market categories of unrelated third parties may be different from the category to which the controller belongs.

In addition, specific and separate consent of data subjects is required for the sharing with or assignment of data to third parties, in addition to the consent that the controller asks for its own marketing activities. If data subjects provide consent for such sharing, then third parties may perform marketing activities within the limits set forth by Article 130, paragraphs 1 and 2, without the need to obtain further consent.

In addition, if third parties are provided with the information listed under Article 13 of the Privacy Code, they do not have to provide another privacy notice to the data subjects, since the controller that first contacts the data subjects would have already fulfilled the information requirements for the benefit of the unrelated third parties. This is because it is not necessary to provide data subjects with information of which they are already aware.

By contrast, if the controller that first contacts the data subjects does not provide the mandatory set of information required in relation to unrelated third parties, the latter have to fulfill the information requirement by providing the data subjects with their own privacy notices before using their data for marketing purposes. The third parties must also inform data subjects of the source of the data (i.e., the data controller that first contacted them) in order to give the data subjects the opportunity to oppose the use of their data for marketing activities vis-à-vis third parties, as well as the controller that originally collected their data.

Lastly, irrespective of whether unrelated third parties provide or do not provide their own privacy notices to data subjects, they should indicate adequate contact details for data subjects to exercise their privacy rights, allowing the data subjects to revert to the same communications channel used to send marketing communications and, in any case, means that are easy to use, quick, effective and inexpensive. So, for example, if the marketing communications are sent by email, the information notice should contain an email address that data subjects can use for privacy purposes. This could, for example, be an email address that a company dedicates to privacy issues.

Sharing with Affiliated Companies

The same rules outlined above apply to the sharing of data for marketing purposes with companies that are part of the same group. Indeed, the fact that companies involved in the data sharing belong to the same group does not trigger any exemptions, since, from a privacy perspective, these companies are regarded as “third parties” and as autonomous controllers.

The Case of Data Processors

When a company that is the promoter of marketing initiatives reverts to agents or service providers to send marketing communications, it is essential to determine the privacy roles of that company and the agents/service providers.

The Garante takes the position that such agents and service providers should be considered as data processors, since their role is to provide a service to the promoter company (which ultimately is their client), and they are bound by the instructions received from the promoter company in performance of the service.

It follows that the promoter company acting as controller should appoint agents/service providers as data processors, and their personnel, as persons in charge of the processing, must be specifically authorized to access and process the data. The promoter company furthermore is bound to monitor the compliance of its appointed data processors with the instructions and guidelines that it provides and with the Privacy Code. Indeed, as the data controller, the promoter company is primarily responsible for breaches by its processors of its instructions and the Privacy Code.

Another point made by the Garante involves sub-contractors. The promoter company should verify whether its processors in turn revert to third parties to discharge the duties assigned by the promoter company. Where this is the case, the promoter company should appoint such sub-contractors as data processors, and, as data controller, it is liable for breaches committed by sub-contractors. In cases where sub-contractors act as controllers (for example, if they make use of their own databanks), the promoter company must in any case be informed of this, since, in the case of claims from data subjects, the promoter company should be in a position to direct the data subjects to the sub-contractors as controllers.

Social Spam and Viral Marketing

The Garante lastly takes into account new forms of spam linked to technology developments to which no specific rules apply, which fall into a grey area and may give rise to privacy concerns.

Social Spam

Social spam is regarded as spam activities conducted with messages and links through social networks.

After noting that individuals should take care regarding the use of social networks, the Garante underlines that personal information published on social networks may be misused by companies running those networks or by others, with a view to gathering details on friends/contacts of an individual.

The Garante makes it crystal clear that data mined online cannot be used to send marketing communications without having informed and obtained the prior consent of the data subjects, so that marketing communications sent in public or private through social networks are subject to the rules outlined above. The same applies to other messaging services, and the Garante cites the examples of Skype, WhatsApp, Viber, Messenger, etc. In such cases, concerns arise from the fact that these services usually have access to the contact lists and other information stored on the devices used to run the messaging services.

Two scenarios are specifically addressed. The first involves marketing communications sent in private to a user of a social network when relevant contact details are obtained through the social network. In this case, the data processing is unlawful. The second scenario involves a user of a social network who subscribes as a “fan” to the profile of a company or is a “follower” of a brand, product, service, etc. In this case, marketing communications relating to that specific company, brand, product or service may be considered legitimate, provided it is clear that the data subject has subscribed as a “fan” or a “follower” of a company, brand or product and also consents to receiving relevant marketing communications. If the data subject unsubscribes as a “fan” or a “follower” or opts out from receiving marketing communications, then further marketing activities are unlawful. In the case of “contacts” or “friends” of a social network subscriber, the general rules described above apply: It is necessary to inform them and obtain their prior consent to lawfully send marketing communications.

Viral Marketing

Viral marketing is presented in the Guidelines as a sort of evolution of word of mouth. Basically, it plays on the ability to communicate on the internet, which is clear, fast and free of charge. Even if it may concern products or services that do not strictly relate to the internet, viral marketing is typical of the internet community.

In viral marketing, a marketing message is channeled by the promoter company through a defined number of subjects, who in turn redirect the message to a significant number of individuals. Like a virus, the marketing message is thus spread to a wide audience of possible targets. The promoter company may offer some kind of compensation (or other sort of economic advantage) to subjects who use their contacts to spread the marketing message.

When viral marketing is performed through automated means (e.g., email or SMS) for marketing purposes, it falls within the meaning of spam if the marketing promoter does not comply with the requirements outlined above, principally providing information to and obtaining the consent of the data subjects.

It should be stressed that a person who receives a marketing communication and in turn forwards it to his contacts or friends for personal purposes through automated means is not subject to the Privacy Code. The Privacy Code applies to individuals who forward or send the received marketing message to a number of recipients whose contact details are gathered over the internet or in publicly available directories.

Sanctions

Breach of the applicable rules on spam may lead the Garante to issue inhibitory or prescriptive orders, as well as administrative sanctions.

The sanctions may include a fine ranging from €6,000 (U.S.$8,008) to €36,000 (U.S.$48,048) for failing to provide adequate information to the data subjects, or a fine ranging from €10,000 (U.S.$13,347) to €120,000 (U.S.$160,185) for failing to obtain the consent of the data subjects. Article 164-bis provides for increasingly harsh sanctions in certain cases, for example, where the same provision or different provisions are breached several times. In such cases, the fine may be between €50,000 (U.S.$66,744) and €300,000 (U.S.$400,400). The thresholds may be increased up to four times in consideration of the economic conditions of the offender.

Criminal sanctions consisting of imprisonment for up to two years may also apply upon the occurrence of specific circumstances.

The additional punishment of publication of the sentencing order in the national press, and the obligation to compensate for not only monetary damages, but also moral damages, suffered by the data subjects may also be considered.

Conclusions

Automated means such as email or SMS to send marketing messages are commercial tools that are increasingly used by companies because of their limited costs and the possibility to reach a very large audience. However, the pathological side of this phenomenon is spam, the automated sending of unsolicited marketing communications. The rise of social media and internet- or mobile-based communities has fostered new communications channels, such as social networks and messaging services, that, if misused, may give rise to so-called social spam and viral marketing.

The pillar for the lawful deployment of these new marketing tools is a “classical” privacy mantra: informed consent. The promoter company has the duty, first and foremost, to duly inform intended message recipients and (as applicable) to obtain their prior consent. Third parties and sub-contractors possibly involved in marketing initiatives of this sort should be carefully considered in order to properly define and accordingly perform their respective privacy roles. Lastly, another point of attention should be the sharing of contact details for marketing purposes, whether within the same group of companies or with unrelated third parties.

The Guidelines provide a useful tool for companies to navigate the sensitive area of automated marketing campaigns. If one wonders whether there may be some advantage to disregarding the privacy rules to maximize the advantages inherent in these new forms of marketing activities, the answer is provided by the Garante in clarifying the possible sanctions for non-compliance. In addition to the remedies codified by the Privacy Code, one should consider the detrimental effects of reputational damage and consequent loss of customer trust.

In conclusion, being compliant with the privacy rules may well be a competitive advantage, rather than an economic and business burden.

Francesca Gaudino is a Partner with Baker & McKenzie, Milan. She may be contacted at francesca.gaudino@bakermckenzie.com.
