March 27, 2025
Compliance
Data Protection Law

Following submissions made to the High Court by the Information Commissioner’s Office (ICO), the UK’s data protection regulator, Meta (parent company of Facebook) has agreed to stop targeting a Facebook user, Tanya O’Carroll, with advertisements.

Human rights advocate Tanya O’Carroll started a legal action against Meta in 2022, claiming that she was unable to exercise her right under Article 21(2) of the UK General Data Protection Regulation (UK GDPR) to object to the processing of her personal data for direct marketing and profiling on Facebook.

This blog will examine the case and tell you some of the things you need to consider if you undertake direct marketing.

Case Overview

The background to the claim was O’Carroll’s concerns about ads she started to receive in her Facebook feed when she became pregnant. There were ads about babies, pregnancy and motherhood which she deduced could only have been targeting her as a result of Facebook collecting and analysing personal data about her and detecting her pregnancy before she herself had shared the news with family and friends. 

When her attempts to turn off the user profiling (which Facebook uses to sell ads) in Facebook’s settings failed because the link did not work, she issued legal proceedings requiring Meta to stop processing and profiling her data for direct marketing purposes.

What is direct marketing?

This is defined in section 122(5) of the Data Protection Act 2018 as “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals.”  

Direct marketing falls within the scope of both UK GDPR and the Privacy and Electronic Communications Regulations 2003 (PECR). However, whilst under PECR private individuals must give specific consent to receiving marketing communications by email, PECR does not currently extend to online advertising (other than, in some respects, in relation to the use of cookies, which was not relevant to this case).

What is profiling?

Profiling is defined in Article 4 of UK GDPR as

“any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”.

Meta argued that the targeted advertising they engaged in did not fall within the definition of direct marketing (above) since the ads did not target particular individuals but rather groups of individuals of 100 or more.

In fact, the matter was not ultimately decided by the High Court, since the ICO intervened to support O’Carroll, at which point Meta settled the case by agreeing to stop processing her personal data for direct marketing purposes. However, Meta has not said that it will stop online targeted advertising generally and maintains its disagreement with O’Carroll’s claims. Interestingly, Meta is now exploring moving from a free service to a subscription service in the UK to offset potential revenue losses from reduced targeted advertising.

Things to consider if you do Direct Marketing

UK GDPR

The O’Carroll case highlights that under Article 21(2) of UK GDPR, data subjects have the right to object to their personal data being processed for direct marketing purposes, including online targeted advertising.

When engaging in direct marketing, businesses should remember that they need a valid reason (lawful basis) for processing personal data to send direct marketing messages. The two lawful bases which generally apply are:

  • Consent: The individual has given consent for their personal data to be processed for a specific purpose.
  • Legitimate interests: The processing is necessary for the legitimate interests of the data controller, provided these interests are not overridden by the individual’s rights and interests.

If relying on legitimate interests, a data controller should normally carry out what is known as a legitimate interest assessment (LIA). This requires the data controller to consider and document whether the legitimate interests outweigh the rights and interests of the data subject.

PECR 

Businesses will also need to consider whether PECR applies to the direct marketing. As mentioned above, PECR does not presently apply to online advertising. But which areas does PECR cover?

PECR will apply to you if you:

  • market by phone, email, text or fax;
  • use cookies or a similar technology on your website.

Most of the rules in PECR apply to unsolicited marketing messages, and a person’s consent is needed before you send them a marketing message by email, text or fax. This rule does not apply when sending marketing messages to corporate subscribers, but it does apply where the recipient is a sole trader or member of a partnership.

If you do need consent, it must be knowingly and freely given, clear and specific.

The clearest way to obtain consent is to ask the customer to tick an opt-in box but it is important to remember that the customer can withdraw their consent at any time. You must make it simple for customers to withdraw consent and you should tell them how they may do so. 

Different rules apply to direct marketing by telephone and the use of cookies.

If PECR does apply to your direct marketing and you have obtained consent, it is usually best to also use consent as your lawful basis under the UK GDPR.


Conclusion 

Direct marketing is important in growing your business and it is also important that customers have trust and confidence in your brand or organisation. It is therefore essential that you comply with the law relating to direct marketing. If you have any questions about direct marketing and what you need to do to comply with GDPR and PECR, please contact our specialists Neil Williamson, Howard Ricklow or Colin Lambertus.
