A Marketer’s Guide to European Union (EU) Privacy Laws

We’re all familiar with the “four Ps” of marketing: product, price, promotion, and place. Well, now we need to add a fifth P to the mix: privacy. 

Privacy compliance has become an essential part of modern-day marketing. Even though the General Data Protection Regulation (GDPR) went into effect in 2018, data collection and processing can still leave marketers feeling uncertain. In the last year alone, our data shows that the words “GDPR” and “Marketing” were mentioned together over 30,000 times on prospect calls.

Marketers also need to consider the ePrivacy Directive, which outlines rules for outbound marketing across Europe. While GDPR privacy compliance remains a top priority, the ePrivacy Directive adds complexity by limiting the manner in which marketers can launch campaigns, depending on where their audience lives. 

The GDPR and the ePrivacy Directive are often confused with one another, as they both set restrictions on how data is collected and used across Europe. Both laws were implemented to protect personal data and respect consumers’ privacy rights. It’s important to understand where they overlap, how they differ, and what this means for your business.

Note: Following the UK’s exit from the EU, provisions of the European Union (EU) GDPR have been incorporated into UK law as the UK GDPR.

What is the GDPR?

Adopted in 2016 and enacted in 2018, the GDPR was created to improve data collection, processing, and usage. It requires businesses to comply with three main components relating to collecting and processing data for marketing purposes.

  1. Lawful Basis Requirement (Article 6): The GDPR lists six lawful bases under which data may be processed, including consent and legitimate interests. At least one lawful basis must be relied upon when processing data to which the GDPR applies. 
  2. Transparency Requirement (Articles 13-14): Your business, as a data controller, must provide individuals with information including, but not limited to, who you are, what types of data you collect and process, what you plan to do with the data, and who you may share the data with.
  3. Rights of the Individual (Articles 15-21): Individuals have the right to request access to, or correction or erasure of their personal data. Additional individual rights include the right to data portability, the right to object, and the right to restrict data processing. The GDPR requires such individual requests to be processed within 30 days of receipt.

What is the ePrivacy Directive?

The ePrivacy Directive, passed in 2002, was created to reinforce privacy by protecting the confidentiality of communications and establishing rules for tracking and monitoring data subjects. Specifically, the ePrivacy Directive covers:

  • The security of networks and services
  • The confidentiality of communications
  • Access to stored data
  • Processing of traffic and location data
  • Calling line identification
  • Public subscriber directories
  • Unsolicited commercial communications 

All countries in the EU have adopted their own version of the ePrivacy Directive, collectively referred to as “EU marketing laws,” which include requirements and restrictions for launching marketing campaigns in the EU using email, text messaging, and certain types of phone calls. 

How are the GDPR and EU Privacy Laws Related?

The GDPR focuses on data collection and processing, whereas the ePrivacy Directive focuses on how a business communicates with existing and potential customers. European marketing laws require businesses to obtain GDPR-compliant consent before contacting an individual for commercial purposes via email, text message, and certain types of phone calls. 

Protecting personal data is critical for GDPR compliance. Under the GDPR, businesses must handle data securely by implementing appropriate technical and organizational measures. Technical measures can include two-factor authentication, and organizational measures can include extensive staff training. GDPR compliance also requires businesses to establish data processing agreements with any vendors that will process data on their behalf. This binding agreement outlines the rights and obligations of each party when it comes to the protection of personal data.

Privacy Considerations for B2B Marketing in Europe

Marketers leverage business data for almost every important decision, from audience segmentation to budget planning. In a modern revenue organization, most of the responsibility for maintaining privacy compliance falls to the legal, IT, and marketing teams, making close collaboration between these departments essential.

Once your team adopts a GDPR-compliant data collection and processing strategy, you can apply this process to any European country where you plan to launch marketing campaigns.

While there is a lot to consider when it comes to compliance for international markets, implementing a modern privacy compliance function will help your business in the long run. Make sure you carefully review the laws and seek counsel to understand all of your obligations. 

Privacy Considerations for Marketing Lists

To stay compliant with the GDPR, marketers should vet all lists before using them in campaigns. Be sure to compare any list against local Do Not Call registries and any internal “do not call” lists, identifying people who have previously objected to, or opted out of, receiving marketing phone calls.

The same goes for inbound contacts you gather from webpage forms. Not everyone who fills out a form is interested in receiving future marketing communications, so it is important to include an opt-in field in any form. Unless they have explicitly opted in, contacts should not be automatically included in marketing outreach. The opt-in notice should clearly outline how the information collected may be used for marketing purposes so individuals can easily opt in or opt out depending on their preferences.

Connecting and updating these various preference settings is a challenge, as most organizations continue to struggle with siloed tech stacks that are filled with incorrect or outdated information. This data challenge has only grown, with regulations like the GDPR and EU marketing laws drastically reducing the breadth of data organizations can collect on people and how that data can be used. 

One way to address the data reliability issue is to use APIs (application programming interfaces) that automatically enrich a database with accurate and current B2B data. Another way to avoid complexities with your data management is to consolidate your tech stack.

Privacy Considerations for Direct Marketing 

Direct marketing is a tactic that’s typically deployed to encourage prospects to take the next step in their buying journey, such as setting up a demo call or purchasing a product. For direct marketing, the simplest way to ensure you abide by EU marketing laws is to secure explicit consent from anyone who might receive your direct marketing messages. 

An individual might click a box to consent to sales and marketing communications, submit a form on your website to learn more, or double opt-in through email verification and check a box to receive marketing communications. While some countries have exemptions from the requirement to get prior consent, this varies country by country, so it’s important to check the local legislation.

Privacy Considerations for Email Marketing 

To send marketing emails that are compliant with EU marketing laws, informed consent must be gathered from all recipients. In particular, there are three main aspects email marketers need to focus on:

  1. Developing consumer opt-in permission rules
  2. Being able to show and store proof of consent
  3. Establishing clear methods through which data subjects can ask for their information to be removed from your database

As you expand into new regions, look into the specifics of each communication channel you plan to use and make sure that you understand how the rules vary by country.

To determine if your business activities will be compliant with local regulations, ask these four questions:

  1. Is prior consent required in order to send emails or text messages?
  2. Are you allowed to cold-call prospects in this country?
  3. Does the country have a prior relationship exception?
  4. Is there an exemption for B2B activities?

Finally, when it comes to marketing in new regions, always be sure to consult with your legal counsel to better understand the local laws and regulations. 

Please note that the above is for informational purposes only. ZoomInfo is not qualified to provide legal advice of any kind and is not an authority on the interpretation of US or international laws, rules, or regulations. To understand how the GDPR, EU marketing laws, or any other laws impact you or your business, you should seek independent advice from qualified legal counsel.