The document discusses the impact of current and future European privacy laws on personalization, real-time advertising, and trigger-based marketing. It notes that current laws require opt-in consent for most data processing and profiling. The upcoming General Data Protection Regulation will further restrict personalization by giving people rights to object to profiling and processing for direct marketing. It will require consent for collecting children's data and impose hefty fines for non-compliance. Marketers must prepare by reviewing contracts, policies, and staff training to comply with the new laws.
4. 2016’s Marketing buzz…
“dynamic, personalized content delivered across channels.”
“dynamic personalization”
“commercial and communication activities based upon the measurement of
relevant and identifiable changes in a customer's individual needs”
“trigger or event is defined as a detectable change in an Individual’s circumstances
Data and personalisation
Breakfastsessions.be 9 June 2016
5. Translated into Legal Speak
Measuring and defining triggers requires data
Gathering data = privacy law and cookie law
Data and personalisation
Breakfastsessions.be 9 June 2016
6. Current Privacy Law
Based on EU Directive 95/46/EC
Transferred –differently- into national law by each member state
Set of rules dates back to nineties
Based on location of company and/or server
At the time most elaborate and progressive set of rules in the world
Data and personalisation
Breakfastsessions.be 9 June 2016
7. Current Privacy Law
Definition of personal data is very large
Cfr B2B vs B2C
ECJ May 2016: Even dynamic IP address
Browser history –information on social media – payment
history…
Impact on data collection for personalised action is considerable
Data and personalisation
Breakfastsessions.be 9 June 2016
8. Impact on Personalisation, Real Time ad Trigger Based
All personalised, real time or trigger based action is based on data and
profiling
Data collection is core – Same discussion as “previous” hype Big data
Considerable impact of privacy law
Almost all available data is ‘personal data’
Data and personalisation
Breakfastsessions.be 9 June 2016
9. Impact on Personalisation, Real Time and Trigger Based
Almost all available data is ‘personal data’
Classic data sources: “public data” – statistical data – private data
Fact that data is publicly available or accessible does not in itself justify collection
& treatment
Cfr: data available online remains “personal” data
Even at first sight “statistical” info (cfr heatmapping) can be “personal” data
Data and personalisation
Breakfastsessions.be 9 June 2016
10. Impact on Personalisation, Real Time and Trigger Based
Birthday – marriage – major life event
Order history – content of basket – heatmapping on site
Payment history
Browser history
Demographic data
Info on hobbies, preferences, interests, …
if linked, even indirectly, to individual = Are all –protected- personal data
Data and personalisation
Breakfastsessions.be 9 June 2016
11. Current Privacy Law
Actually straight and simple:
Basic rule = prior “opt-in” for all processing
Or implicite opt-in if “legitimate grounds” for processing
“Free and informed” opt-in
Transfer of data to third party = additionnal opt-in
Cfr. Analytics tools, apps, cookies, database enrichment through mailings
and actions, …: always opt-in
Cfr. also social media content
Data and personalisation
Breakfastsessions.be 9 June 2016
12. Impact on Personalisation, Real Time ad Trigger Based
Prior opt-in is not always present
Existing client relationship vs. Prospects
“Legitimate grounds”
Law does not define “legitimate grounds” (Privacy Commission: “cfr CRM”)
Justification for profiling = compare interests of profiler and data subject
Information duty: client should know what data is being processed and why
Data and personalisation
Breakfastsessions.be 9 June 2016
13. Current Privacy Law
Rights of data subjects
opposition – access – correction – information
Obligations of data processor
Information – opt-in – data security – (export)
Information duty: client should know what data is being processed and why
Data and personalisation
Breakfastsessions.be 9 June 2016
14. Future Privacy Law
2016 – 2017
Regulation instead of Directive – 1 law for 28 states
Work in progress since 2012
Agreement reached in December 2015
Signature in April 2016
Into force May 2018
Data and personalisation
Breakfastsessions.be 9 June 2016
15. Future Privacy Law
Heavily influenced by consumer protection activists in EP
Result:
Consumer friendly, but serious restraints for direct marketing sector, e-
commerce sector and especially personalisation, real time and trigger based
marketing and (big) data processing
Full trainings by Sirius Legal to follow this fall
Data and personalisation
Breakfastsessions.be 9 June 2016
16. For all services offered in EU (even free services)
Direct marketing can be a legitimate interest
Information obligation (icons)
Right not to be submitted to profiling
Right to object to processing for DM purpose
Warning obligations in case of data breach
Right to be forgotten
Consent for children
“Data protection by design”
“Data protection officer”
Sanctions: up to 4% of yearly turnover or 20 million euro
Future Privacy Law
Data and personalisation
Breakfastsessions.be 9 June 2016
17. Impact on Personalisation, Real Time ad Trigger Based
Right not to be submitted to profiling
“right not to be subject to a decision based solely on automated processing,
including profiling, which produces legal or other significant effects concerning
him or her.”
Data and personalisation
Breakfastsessions.be 9 June 2016
18. Impact on Personalisation, Real Time ad Trigger Based
Right to object to further processing
“Where personal data are processed for direct marketing purposes, the data
subject shall have the right to object at any time to the processing of personal
data concerning him or her for such marketing, which includes profiling to the
extent that it is related to such direct marketing.
Where the data subject objects to the processing for direct marketing
purposes, the personal data shall no longer be processed for such
purposes.”
Data and personalisation
Breakfastsessions.be 9 June 2016
19. Impact on Personalisation Real Time ad Trigger Based
Consent for children
The regulation requires parental consent for individuals of less
than 16 years.
Member States are allowed to foresee other limits between the
age of 13 and 16.
Data and personalisation
Breakfastsessions.be 9 June 2016
20. Prepare for the new Regulation
Follow up on discussion (eg through our website www.siriuslegal.be)
Start review vendor contracts (in view of data security obligation)
Start to prepare for full update of policies, contracts, business processes
Put in place data breach notification procedure
Appoint (temporary) data security officer
Put in place impact assessment and/or risk analyses policy
Create compliance statements for annual business reports
Train staff
Sit back and wait for final text of regulation for final details…
Data and personalisation
Breakfastsessions.be 9 June 2016
21. Sirius Legal
Media & advertisement law
IP law
Internet & e-commerce
Privacy & cookies
Gambling law
Travel & consumer protection
Commercial contracts
Corporate tax labour real estate
bart@siriuslegal.be
www.siriuslegal.be
@BartVdBrande
Linkedin.com/in/bartvdb