
GDPR Query

  • 10-10-2018 11:01am
    #1
    Registered Users Posts: 7,398 ✭✭✭


    So while reserving an item on www.argos.ie, I noticed they still have an opt-out marketing checkbox. I raised this with the Data Protection Commission and the below was their response. Can somebody smarter explain to me in lay terms what this means? I thought GDPR was brought in to address exactly this scenario but apparently not.

    argos.jpg

    Response from DPC
    I refer to your recent emails concerning Argos.

    We have examined the material you submitted.

    The rules which govern electronic marketing are set down in the e-Privacy
    Directive which came into force in 2002. That Directive is transposed into
    Irish law in a statutory instrument – SI No. 336 of 2011. Regulation 13 of
    that statutory instrument is the law which applies to unsolicited marketing
    communications by electronic means such as email, text message, fax message
    and phone calls. The specific provision which relates to the scenario which
    you described in relation to Argos is set down in Regulation 13(11). This
    deals with the matter of an organisation obtaining a customer’s contact
    details in the context of the sale of a product or service and the rules
    which apply to subsequent electronic forms of marketing using those contact
    details. This Regulation places an obligation on organisations to give
    customers the opportunity to object in an easy manner to the use of their
    contact details for marketing purposes at the time of collection of those
    details. Argos collect email addresses and mobile phone numbers on the
    reservation form that you sent us. So, in order for Argos to subsequently
    use those contact details for marketing purposes, they are obliged to
    comply with Regulation 13(11) by providing customers with the opportunity
    to object to the use of those details for marketing purposes. In this case,
    they are doing this by means of an opt out tick box.

    The e-Privacy Directive particularises and complements GDPR rules on
    processing of personal data. Recital 173 GDPR tells us how we are to read
    the e-Privacy Regulations in light of the GDPR, as follows:

    “[the GDPR] should apply to all matters concerning the protection of
    fundamental rights and freedoms vis-à-vis the processing of personal data
    which are not subject to specific obligations with the same objective set
    out in [the e-Privacy Directive], including the obligations on the
    controller and the rights of natural persons.”

    So we do not apply the broad rules of the GDPR where there is a specific
    rule doing the same thing under the e-Privacy Directive. So, for instance,
    where the e-Privacy Regulations expressly require consent, as in Regulation
    13(1), this rule takes precedence over the more general provisions on
    lawful bases under Article 6 of the GDPR. Regulation 13(11), as described
    above, is an exception to the requirement of consent under Regulation
    13(1). An organisation does not need consent to send electronic mail if it is
    processing in a way that meets the criteria set out in Regulation 13(11).

    In summary, therefore, if Argos did not provide the marketing opt out tick
    box but proceeded to subsequently send electronic marketing communications
    to its customers without having given them the opportunity to opt out, it
    would likely fall foul of Regulation 13(11).

    I hope this clarifies the situation for you.

    Yours sincerely,


Comments

  • Registered Users Posts: 7,682 ✭✭✭whippet


    The answer to your query is in plain English in the response you posted

    Re-read the last paragraph


  • Registered Users Posts: 7,398 ✭✭✭fletch


    In summary, therefore, if Argos did not provide the marketing opt out tick
    box but proceeded to subsequently send electronic marketing communications
    to its customers without having given them the opportunity to opt out, it
    would likely fall foul of Regulation 13(11).
    I thought GDPR was brought in to stop this though. So companies would now have to have opt-in marketing checkboxes as opposed to opt-outs? Or did I get this wrong?


  • Registered Users Posts: 733 ✭✭✭thejaguar


    In slightly simpler terms:

    The GDPR standard for consent does not need to apply where the e-Privacy regulation has a specific obligation set out for the same purpose.

    In this case - the following applies:

    (11) A person who, in accordance with the Data Protection Acts, obtains from a customer the customer’s contact details for electronic mail, in the context of the sale of a product or service, shall not use those details for direct marketing unless—

    (a) the product or service being marketed is the person’s own product or service,

    (b) the product or service being marketed is of a kind similar to that supplied to the customer in the context of the sale by the person,

    (c) the customer is clearly and distinctly given the opportunity to object, in an easy manner and without charge, to the use of those details—

    (i) at the time the details are collected, and

    (ii) if the customer has not initially refused that use, each time the person sends a message to the customer,

    and

    (d) the sale of the product or service occurred not more than 12 months prior to the sending of the direct marketing communication or, where applicable, the contact details were used for the sending of electronic mail for the purposes of direct marketing within that 12 month period.


  • Registered Users Posts: 7,398 ✭✭✭fletch


    Thanks for that thejaguar

    I notice the word "sale" mentioned in the regulation; however, in the case of Argos, no sale occurs during the reservation. The sale occurs in the store when a customer pays for the product but it may not occur at all.


  • Registered Users Posts: 8,922 ✭✭✭GM228


    fletch wrote: »
    Thanks for that thejaguar

    I notice the word "sale" mentioned in the regulation; however, in the case of Argos, no sale occurs during the reservation. The sale occurs in the store when a customer pays for the product but it may not occur at all.

    Yes, but the provision is in the "context of the sale of a product". The word context there is important. A reservation precedes and provides a setting towards a potential sale and so is in context with the sale.


  • Closed Accounts Posts: 18,268 ✭✭✭✭uck51js9zml2yt


    Marketing should be opt in, not opt out.
    There is a procedure for complaints to the DPC on dataprotection.ie

    Fill in the raise a concern form and include all correspondence with Argos.


  • Registered Users Posts: 7,398 ✭✭✭fletch


    Marketing should be opt in, not opt out.
    There is a procedure for complaints to the DPC on dataprotection.ie

    Fill in the raise a concern form and include all correspondence with Argos.
    I've been through all of that and the above was their response.


  • Registered Users Posts: 733 ✭✭✭thejaguar


    Marketing should be opt in, not opt out.
    There is a procedure for complaints to the DPC on dataprotection.ie

    Fill in the raise a concern form and include all correspondence with Argos.

    He did. It's the point of the OP.


  • Registered Users Posts: 8,922 ✭✭✭GM228


    Marketing should be opt in, not opt out.
    There is a procedure for complaints to the DPC on dataprotection.ie

    Fill in the raise a concern form and include all correspondence with Argos.

    No it should be opt out as per the ePrivacy Regulation as already outlined.

    The customer must be "clearly and distinctly given the opportunity to object".


  • Registered Users Posts: 2,131 ✭✭✭witchgirl26


    Marketing doesn't have to be an opt in system rather than an opt out, however they cannot pre-populate the tick box to opt you in. You have to have the ability to choose yourself.

    GDPR was not brought in to deal with this in particular but rather to deal with how the information a company has on you is retained - that it's maintained securely, that you can freely request it to be deleted (within reason) and that you have consented to its collection.


  • Registered Users Posts: 8,922 ✭✭✭GM228


    Marketing doesn't have to be an opt in system rather than an opt out, however they cannot pre-populate the tick box to opt you in. You have to have the ability to choose yourself.

    GDPR was not brought in to deal with this in particular but rather to deal with how the information a company has on you is retained - that it's maintained securely, that you can freely request it to be deleted (within reason) and that you have consented to its collection.

    In a sense having to opt out is in essence the same as an automatic pre-populated tick box opt in by default, obviously there is no physical box but it's to the same effect, and more importantly perfectly legit.

    There is no difference between having to untick one box to opt out or having to tick another to opt out, as long as a clear message is given stating what it means to tick/untick then you are afforded your legal right to opt out, and you are only afforded the right of objection which can be done in either case, not the right of un-populated tick boxes.


  • Registered Users Posts: 2,131 ✭✭✭witchgirl26


    GM228 wrote: »
    In a sense having to opt out is in essence the same as an automatic pre-populated tick box opt in by default, obviously there is no physical box but it's to the same effect, and more importantly perfectly legit.

    There is no difference between having to untick one box to opt out or having to tick another to opt out, as long as a clear message is given stating what it means to tick/untick then you are afforded your legal right to opt out, and you are only afforded the right of objection which can be done in either case, not the right of un-populated tick boxes.

    I get what you're saying - and I do agree. However the way it is put is that they can't pre-populate the tick boxes for you but they can make them opt-in or opt-out.

    They also have to make it clear, which I think they do in the screenshot included in the OP. Also with GDPR, you have the right to contact them straight away to get off the marketing list.


  • Registered Users Posts: 8,922 ✭✭✭GM228


    I get what you're saying - and I do agree. However the way it is put is that they can't pre-populate the tick boxes for you but they can make them opt-in or opt-out.

    They also have to make it clear, which I think they do in the screenshot included in the OP. Also with GDPR, you have the right to contact them straight away to get off the marketing list.

    Where is this put though?

    The Regulation simply allows you to object, you do so by removing the tick, but nothing at EU or national level says there can not be a pre ticked box once the effect of the tick is made perfectly clear to you and you can object by un-ticking it.


  • Registered Users Posts: 2,131 ✭✭✭witchgirl26


    GM228 wrote: »
    Where is this put though?

    The Regulation simply allows you to object, you do so by removing the tick, but nothing at EU or national level says there can not be a pre ticked box once the effect of the tick is made perfectly clear to you and you can object by un-ticking it.

    GDPR legislation:

    "Silence, pre-ticked boxes or inactivity should therefore not constitute consent”

    This was included as a quote from the legislation from the guide book we received in work.


  • Closed Accounts Posts: 9,700 ✭✭✭tricky D


    Whatever about the legals, Digital Marketing Best Practice is clearly opt-in only. Argos should be asking for permission via action, and not, by default, assuming permission via inaction, as they are seeking to engage with the customer beyond the transaction and secondly, it is both stupid and dangerous to send shots to people not interested (what is the point in that?) and who might end up marking you as spam. It is a classic old style marketeer quantity vs quality mistake to use Argos' method.

    I am surprised as some other areas of their marketing, especially remarketing, are really well executed.


  • Moderators, Sports Moderators, Regional Midwest Moderators Posts: 23,955 Mod ✭✭✭✭Clareman


    GM228 wrote: »
    Where is this put though?

    The Regulation simply allows you to object, you do so by removing the tick, but nothing at EU or national level says there can not be a pre ticked box once the effect of the tick is made perfectly clear to you and you can object by un-ticking it.

    The Regulation though isn't the only thing to go on, in fact all of GDPR wasn't implemented in the Irish Data Protection Act 2018.

    For the OP's question it is extremely important to note that only the Argos website is up for discussion. The customer does not have to give their mobile number so that's an easy 1 to discount, so only email is in question.
    From https://www.dataprotection.ie/docs/Guidance-Note-on-Data-Protection-in-the-Electronic-Communications-Sector/1152.htm
    14a. Individual Customers

    Where a data controller has obtained contact details in the context of the sale of a product or service, it may only use these details for direct marketing by electronic mail if the following conditions are met:

    1. The product or service is of a kind similar to that which was sold to the customer at the time their contact details were obtained

    2. When these details were collected, the customer was given the opportunity to object at that time, in an easy manner and without charge, to their use for marketing purposes

    3. Each time a marketing message is sent, the customer must be given the right to object to the receipt of further messages

    4. The details were collected within the previous 12 months or the subscriber has received a marketing electronic mail within the previous 12 months to which they did not unsubscribe using the cost free means provided to them by the direct marketer

    A data controller can also obtain prior opt-in consent from its customers or other individuals to send electronic marketing relating specifically to its own business or services. Each marketing message sent on foot of that consent must contain a means to opt-out and it must identify the sender. Such opt-in consent expires after twelve months unless it is renewed in the interim.
    The difficult piece here is "similar product or service", for example if you bought a toothbrush and they marketed toys to you it could be argued that this isn't a similar product BUT Argos could counterargue that they are marketing their service to you.

    Personally, I think it is very shoddy and extremely bad practice but they aren't in breach of any legislation.


  • Closed Accounts Posts: 260 ✭✭rd1izb7lvpuksx


    Clareman wrote: »
    The Regulation though isn't the only thing to go on, in fact all of GDPR wasn't implemented in the Irish Data Protection Act 2018.

    The great thing about the GDPR is that it's a regulation, not a directive, so it doesn't have to be enacted by enabling legislation in each country - it's directly applicable and binding.


  • Moderators, Sports Moderators, Regional Midwest Moderators Posts: 23,955 Mod ✭✭✭✭Clareman


    The great thing about the GDPR is that it's a regulation, not a directive, so it doesn't have to be enacted by enabling legislation in each country - it's directly applicable and binding.

    Can't wait to see an Irish State Agency being fined


  • Closed Accounts Posts: 422 ✭✭Vetch


    GDPR legislation:

    "Silence, pre-ticked boxes or inactivity should therefore not constitute consent”

    This was included as a quote from the legislation from the guide book we received in work.

    Argos aren't asking for consent to market; they're availing of a concept called the 'soft opt-in'.

    This is from the website of the UK's equivalent of the DPC:

    'The term ‘soft opt-in’ is sometimes used to describe the rule about existing customers. The idea is that if an individual bought something from you recently, gave you their details, and did not opt out of marketing messages, they are probably happy to receive marketing from you about similar products or services even if they haven’t specifically consented. However, you must have given them a clear chance to opt out – both when you first collected their details, and in every message you send.'


  • Registered Users Posts: 8,922 ✭✭✭GM228


    GDPR legislation:

    "Silence, pre-ticked boxes or inactivity should therefore not constitute consent”

    This was included as a quote from the legislation from the guide book we received in work.
    Clareman wrote: »
    Can't wait to see an Irish State Agency being fined

    This seems to be the classic case of a so called "expert" guide which has simply copied and pasted parts of EU legal texts and passed them off as fact without actually considering them further or checking where they are quoting from.

    What is quoted is not from the GDPR Regulation enacting terms (the Articles, which have legal force), rather it is quoted from the Preamble (Recital 32) of the Regulation (which has no legal force).

    What is written in the recital is not actually supported by the Articles of the Regulation (note this is actually very common with EU law).

    Unless such a provision was provided in the Articles or domestic legislation (which there isn't) then it means nothing legally. The ECJ has on occasion referred to the Preambles of EU law, but has held that they have no force of law and are not legally binding on any EU state.

    It is also worth noting that the terms of consent for the purposes of the ePrivacy Directive are based on the older Data Protection Act 1988/Data Protection Directive, and not the Data Protection Act 2018/GDPR Regulation. The 1988 Act/Directive application is heavily restricted since GDPR, but this is one area where it still applies.


  • Registered Users Posts: 10,887 ✭✭✭✭Riskymove


    The great thing about the GDPR is that it's a regulation, not a directive, so it doesn't have to be enacted by enabling legislation in each country - it's directly applicable and binding.

    Yes, it has direct effect... but parts of the GDPR allow for certain things to be decided upon in each Member State.

    For example, the digital age of consent is set by each MS, Ireland and the UK chose different ages.

    So there will be some differences among countries.


  • Registered Users Posts: 8 AndTheirMum


    Note, the email marketing aspect of GDPR applies to sending correspondence to 'EU residents'. So, if I am German holidaying in Ireland and shopping on argos.ie, which regulation should Argos follow regarding my person: GDPR or Irish regulation 13? In other words, does regulation 13 apply to 'Irish residents' or to 'people shopping on Irish websites'?


  • Registered Users Posts: 8,922 ✭✭✭GM228


    Note, the email marketing aspect of GDPR applies to sending correspondence to 'EU residents'. So, if I am German holidaying in Ireland and shopping on argos.ie, which regulation should Argos follow regarding my person: GDPR or Irish regulation 13? In other words, does regulation 13 apply to 'Irish residents' or to 'people shopping on Irish websites'?

    Where are you getting 'EU residents' from? That's not in the regulation or any related legislation.

    GDPR applies to a "data subject" and both "natural persons" (i.e. any human) and "legal persons" (i.e. a company), residency has nothing to do with it, it applies to any person who is in the union irrespective of their citizenship or nationality at the time their data is processed.


  • Registered Users Posts: 8 AndTheirMum


    GM228 wrote: »
    Where are you getting 'EU residents' from? That's not in the regulation or any related legislation.

    GDPR applies to a "data subject" and both "natural persons" (i.e. any human) and "legal persons" (i.e. a company), residency has nothing to do with it, it applies to any person who is in the union irrespective of their citizenship or nationality at the time their data is processed.

    Indeed, there is no mention of residence in the GDPR. Sorry for my ignorance! I read the regulation only once, a year ago. It didn't make much sense to me so I relied on different experts' articles, webinars, etc. Probably, I adopted the most logical (for me) view.

    I assume that, similarly, Regulation 13 applies to 'data subjects being in Ireland'.

    The British website of Argos is 'shoppable' from Ireland, so chances are the Irish website can be used in Germany. So, if I am an Irish tourist shopping on argos.ie from my hotel in Germany for something to be delivered to my home in Ireland, I COULD report the breach.

    Right?


  • Registered Users Posts: 8,922 ✭✭✭GM228


    Indeed, there is no mention of residence in the GDPR. Sorry for my ignorance! I read the regulation only once, a year ago. It didn't make much sense to me so I relied on different experts' articles, webinars, etc. Probably, I adopted the most logical (for me) view.

    I assume that, similarly, Regulation 13 applies to 'data subjects being in Ireland'.

    The British website of Argos is 'shoppable' from Ireland, so chances are the Irish website can be used in Germany. So, if I am an Irish tourist shopping on argos.ie from my hotel in Germany for something to be delivered to my home in Ireland, I COULD report the breach.

    Right?

    No, the ePrivacy Regulation applies to both here and where relevant the rest of the EU:-
    Services to which these Regulations apply

    3. (1) These Regulations apply to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the State and where relevant the European Union, including public communications networks supporting data collection and identification devices.

    This is in accordance with the provisions of the ePrivacy Directive, all other EU states have transposed the Directive which offers the same as here, in Germany for example the measures are transposed via the Telecommunications Act 2004 (found under the German statute book as Telekommunikationsgesetz (TKG) 2004).


  • Registered Users Posts: 8 AndTheirMum


    So, what is the GDPR for????


  • Registered Users Posts: 10,887 ✭✭✭✭Riskymove


    So, what is the GDPR for????

    As per the DPC in first post
    “[the GDPR] should apply to all matters concerning the protection of
    fundamental rights and freedoms vis-à-vis the processing of personal data
    which are not subject to specific obligations with the same objective set
    out in [the e-Privacy Directive], including the obligations on the
    controller and the rights of natural persons.”

    If there are already "specific obligations with the same objective" they apply

    If there are not already such obligations then GDPR should apply

