ICQ Log - Data Protection & Information Security:

Direct Marketing and Online Advertising - The Challenges for Compliance Professionals

Last Updated: 09 December 2021

Steven Roberts FCIM CDPO, head of marketing at Griffith College Dublin and vice chairperson of the Data Protection & Information Security Working Group, discusses the data protection challenges direct marketing and online advertising can present for compliance teams. The article also provides guidance on how marketing and compliance teams can work together to ensure GDPR best practice.

Marketing departments are typically one of the largest users of personal data within a company. Having contact details and descriptive information on current and prospective customers is vital for businesses to develop profiles that effectively market to their target audiences.

Whilst the fundamentals of marketing have remained relatively unchanged, the rapid increase in digital platforms over the past two decades has created a myriad of new ways in which marketers can promote their businesses in an ever more targeted manner. Currently, it is estimated that there are more than 8,000 such platforms available to marketing professionals [1]. This brings with it the potential for increased complexity and creates difficulties when seeking to communicate in a clear and transparent manner how individuals’ data will be used for marketing purposes.

Customer Relationship Management (CRM) systems can now create highly sophisticated work-flows for electronic direct marketing. Supervisory authorities in the UK and France [2], amongst others, have also been critical of the way in which many advertising technologies (AdTech) use personal data. In this article, we will consider some of the challenges compliance professionals face in ensuring direct marketing and online advertising activity remains GDPR compliant. We will also look at some practical steps that can be taken to create a culture of best practice.

Direct Marketing Activity

Recital 47 of the General Data Protection Regulation (GDPR) recognises marketing as a legitimate business activity. Direct marketing is an important subset. The Data Protection Commission (DPC) describes direct marketing as involving ‘a person being targeted as an individual, and the marketer attempting to promote a product or service, or attempting to get the person to request additional information about a product or service [3].’

Direct marketing must have an appropriate legal basis and consent must meet GDPR standards. Various direct marketing channels and audiences can have subtly different compliance requirements, often based on the perceived proximity of the communication [4]. Both the GDPR and Ireland’s Data Protection Act 2018 forbid direct marketing and micro-targeting to children. Article 21 of the Regulation, meanwhile, allows individuals to object to the use of their personal data for marketing purposes.

Companies typically require the consent of an individual before they can use their personal data for marketing purposes. A business can contact existing customers with marketing material if a purchase was made within the previous 12 months, and the customer had the option to opt out of such communication at the time of purchase. If consent is not withdrawn, communication can continue as long as each iteration is sent within 12 months of the previous one. For customers and non-customers alike, it must be as easy to withdraw one’s consent as it was to provide it in the first place.

Companies with a footprint in a number of EU member countries should consider the varying interpretations regarding business-to-business communication. Jurisdictions such as Germany and the Netherlands require opt-in consent before marketing to a business contact (for example, sending to the person’s work email). In Ireland, and the UK, a somewhat more relaxed approach is taken, with the opt-out rule being generally accepted.

Electronic Direct Marketing

When using electronic channels, such as phone, text message or email, marketing and compliance professionals must ensure their activity is compliant with Ireland’s ePrivacy Regulations (SI 336/2011), which transpose the EU’s Directive 2002/58/EC (‘the ePrivacy Directive’) into Irish law. The general rule for electronic direct marketing is that it requires the affirmative consent of the recipient [5], for example by ensuring the individual has explicitly opted in. Each communication must include the option to unsubscribe from future correspondence, and should contain a valid address at which the sender may be contacted. The DPC is the supervisory authority and has the power to fine up to EUR 5,000 per instance of a breach. This figure can quickly accumulate to a substantial sum if the breach relates to electronic marketing sent to multiple individuals.

The Commission’s Annual Report 2020 advises that 147 new complaints were investigated last year under the ePrivacy Regulations [6]. Of these, the majority related to SMS (text message) and email marketing activity. The Report contains a number of useful case studies outlining complaints received by the DPC. It is recommended reading for compliance and marketing teams, as the studies are highly instructive of some of the potential pitfalls that must be considered.

The ePrivacy Regulation

The EU originally intended for a new ePrivacy Regulation to be introduced alongside the GDPR, in May 2018 [7]. This has been delayed, due to disagreement amongst member states and heavy lobbying by various industry sectors. It has resulted in significant variances across the EU; in particular, how to align current ePrivacy laws with the GDPR’s consent compliance requirements. One of the most substantial areas affected has been online cookies and tracking technologies. In order to provide citizens with more clarity, many member states have introduced their own legislation.

A recent example is the DPC’s April 2020 Guidance Note: Cookies and other Tracking Technologies [8]. Whilst providing welcome certainty at a national level, for multinational firms and their marketing teams it creates a patchwork of additional compliance considerations. The European Commission, Parliament and Council are currently in trilateral negotiations regarding the proposed ePrivacy Regulation. However, it is difficult to forecast when, or if, this legislation will come to pass.

Third Party Cookies and Online Advertising

Third party cookies [9] are a fundamental component of the current online advertising ecosystem. They allow companies to track and profile audiences across the internet, and provide highly targeted ways to reach them. A number of web browsers, including Safari and Firefox, have already blocked third party cookies. They will be joined in 2023 by Google Chrome, the dominant browser globally, with approximately 65% market share worldwide and 53% of the market in Ireland [10]. Marketers must therefore consider alternatives. One option is to capture more first party data – information they can obtain directly, for example from visitors to their company’s own digital platforms and websites. Marketing and compliance teams need to work together to ensure any such strategies are developed with GDPR and ePrivacy compliance requirements top of mind. The GDPR’s requirement for data protection by design and default is of prime importance, using tools such as a data protection impact assessment (DPIA) to ensure potential risks are considered and mitigated.

New Technologies

Marketing teams are increasingly adopting new technologies, such as artificial intelligence (AI). A common example is the use of automated chat-bot functions on a company’s website. Such automation will be a growing feature of marketing activity over the coming decade. As data is used in increasingly complex ways, involving multiple technologies, marketers and their compliance colleagues need to ensure they continue to meet the GDPR’s requirement for clarity and transparency.

Steps to Ensure Best Practice

Compliance professionals and Data Protection Officers (DPOs) have a range of options available to help ensure direct and online marketing within their companies is aligned with current best practice. These include:

  • Regular GDPR and ePrivacy training for marketing and communications teams;
  • Auditing privacy and data protection policies to ensure they remain accurate, transparent and up to date;
  • Ensuring compliance teams are consulted and involved from the outset in any new strategies around the use of first party data;
  • Training marketing and communications teams in the use of DPIAs as a key tool to assess and mitigate risks relating to new projects;
  • Conducting regular audits of the company’s marketing ecosystem;
  • Monitoring developments around the EU’s proposed new ePrivacy Regulation;
  • Working with senior marketing executives to identify data protection champions for each business unit or This is particularly important for larger companies; and
  • For companies with a footprint in multiple EU countries, ensuring that cookie policies and data strategies align with local laws, alongside broader GDPR and ePrivacy compliance.


Marketing is a fast-paced sector; one that is rapidly adopting new digital platforms and technologies to assist in communicating with current and potential customers. As a large user of personal data, it is crucial marketing teams are effectively trained in data protection and ePrivacy. Whilst many marketers are aware of GDPR and data protection, there is an ongoing need to keep this aspect to the forefront as they work to achieve challenging business targets. Compliance professionals and DPOs play a key role in keeping best practice top of mind across their organisation. This is especially pertinent at a time when marketing teams are experiencing significant staff turnover, particularly in junior and middle management roles.


  1. https://chiefmartec.com/2020/04/marketing-technology-landscape-2020-martech-5000/
  2. In 2019, France’s Commission Nationale Informatique & Libertés (CNIL) identified targeted online advertising as a top priority. https://www.cnil.fr/en/online-targeted-advertisement-what-action-plan-cnil. In a recent Commissioner’s Opinion, the UK Information Commissioner’s Office (ICO) advised of the need to ‘eliminate intrusive online tracking and profiling practices’. https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2021/11/ico-calls-on-google-and-other-companies-to-eliminate-existing-privacy-risks-posed-by-adtech-industry/
  3. https://www.dataprotection.ie/en/organisations/rules-electronic-and-direct-marketing
  4. https://www.dataprotection.ie/en/dpc-guidance/blogs/direct-marketing-what-you-need-know-about-direct-marketing
  5. The DPC has issued a useful FAQ on consent with regard to e-direct marketing, which can be found at: https://www.dataprotection.ie/sites/default/files/uploads/2020-05/FAQ%20on%20Consent%20for%20Electronic%20Direct%20Marketing%20-%20April2020.pdf
  6. https://www.dataprotection.ie/en/news-media/press-releases/data-protection-commission-publishes-2020-annual-report
  7. The current Directive, dating from 2002, is widely viewed as outdated given the technological progress that has taken place during the last two
  8. https://www.dataprotection.ie/sites/default/files/uploads/2020-04/Guidance%20note%20on%20cookies%20and%20other%20tracking%20technologies.pdf
  9. A cookie is a small text file created by a website and stored on an individual’s It enables a website to keep track of a customer’s preferences.
  10. https://gs.statcounter.com/browser-market-share/all/ireland

Authors: Steven Roberts

Head of Marketing | Board Director | Author


ICQWinter Edition 2021

This article was taken from the Compliance Institute's ICQ Winter Edition 2021