Many marketing activities that are standard in the U.S. are considered dicey in Europe under GDPR, according to an analysis by Mondaq of an advisory put out by the German Data Protection Conference.
For example, it is justifiable to send non-individualized marketing material based on prior purchases and to segment consumer groups by adding criteria such as age or interests.
However, it is difficult to justify automated selection procedures to drive profiling, as this requires consent. Also questionable is the creation of a profile based on marketing material from third-party networks, Mondaq writes.
Email marketing to existing customers is justifiable if the email address was obtained within a business relationship, Mondaq adds. In addition, the customer has to have been properly informed.
But emailing customers without consent or a prior relationship is, to use a German word, verboten.
The authority continues that direct marketing is generally permissible if the processing that supports it is “fair, proportionate in relation to the marketing purpose, and transparent,” Mondaq continues.
But Mondaq warns that special categories of personal data can only be used for marketing purposes based on explicit consent.
The authority defines marketing as also including “customer satisfaction surveys as well as emails for Christmas or birthday parties,” Mondaq adds.