Data Protection Laws & Marketing

Jun 16, 2025

Overview

This lecture reviews how European data protection laws, especially GDPR and the e-Privacy Directive, apply to telemarketing, direct marketing, online advertising, and internet technologies, emphasizing compliance requirements and emerging data protection challenges.

Telemarketing & Direct Marketing

  • Telemarketing involves directly calling individuals to promote products or services and is subject to strict data protection regulation.
  • The GDPR and e-Privacy Directive require data minimization, transparency, and explicit consent for telemarketing.
  • Telemarketers must obtain freely given, specific, and informed consent before making promotional calls and allow for easy consent withdrawal.
  • Some EU countries use Telephone Preference Services (TPS), requiring telemarketers to screen call lists against opt-out registries.
  • Telemarketing activities must be recorded, including consents and call logs, to prove compliance.
  • Direct marketing includes telemarketing, email campaigns, and postal mail targeting consumers directly.
  • Direct marketing under GDPR requires a lawful basis for processing personal data, such as consent, contract, or legitimate interest.
  • Marketing communications must clearly identify the sender, describe data use, and offer opt-out options.
  • Targeted advertising in direct marketing requires data minimization and a lawful basis (usually consent or legitimate interest).

Online Behavioral Targeting & SEM

  • Behavioral targeting uses individuals' online activity data to deliver personalized ads, requiring explicit consent for sensitive data.
  • The EDPB guidelines make social media platforms and advertisers jointly responsible for data protection in targeted advertising.
  • Both platforms and advertisers must provide transparent information about targeted ad data collection and processing.
  • Search Engine Marketing (SEM) includes paid ads and SEO; it involves data processing to track engagement and requires GDPR-compliant transparency and lawful processing.

Internet Technologies (Cloud, Cookies, Social Media, AI)

  • Cloud computing involves remote data storage/processing, requiring processor contracts and GDPR-compliant international data transfer safeguards.
  • Websites must obtain informed, specific, and freely given consent before placing non-essential cookies, per the e-Privacy Directive.
  • Cookie walls that block access unless users consent may violate GDPR's standard of "freely given" consent.
  • Social media platforms must avoid dark patterns and ensure transparency and consent for data sharing with third parties.
  • AI technologies, including machine learning, require informing users about automated decisions and allowing opt-outs; ethical concerns include bias and transparency.

Key Terms & Definitions

  • GDPR (General Data Protection Regulation) — EU law on data protection and privacy for individuals.
  • e-Privacy Directive — EU directive regulating privacy in electronic communications.
  • Consent — Freely given, specific, informed agreement by an individual for data processing.
  • Telephone Preference Service (TPS) — Registry for opting out of telemarketing calls.
  • Dark Patterns — Deceptive UI designs manipulating user choices.
  • Joint Controllers — Two or more entities sharing responsibility for processing data.

Action Items / Next Steps

  • Review GDPR and e-Privacy Directive consent requirements.
  • Prepare documentation templates for telemarketing and direct marketing compliance.
  • Stay updated on EDPB guidelines for targeted advertising and AI ethics in data processing.