Marketing Program under GDPR

Our recent webinar “Marketing Under the GDPR” covered GDPR’s impact upon marketing activities. The webinar generated a lot of questions, and we are sharing five of them, along with answers prepared by TrustArc privacy experts.

This blog post is intended as a general overview of the subject and cannot be regarded as legal advice.

Consent and Marketing Under the GDPR

Can my company capture consent in exchange for content? For example, collecting an email address to download a white paper or register for a webinar?

Yes, but organizations must clearly state at the time of information collection what the specific uses of the information will be–and any non-disclosed purposes will likely not be deemed consented to if challenged.

For instance, an organization could not use email addresses obtained solely for contest entry purposes to then market to the individual or share that information with partners, unless the user also was asked and specifically and actively agreed to the organization using their personal data to do so. In this way, consent must be granular as to the intended uses.


What are the key questions that a marketer needs to ask their email service provider (ESP) to know the ESP is actually ready and can help the marketer be GDPR-ready?

Organizations should be ensuring that their email service provider is aware of their obligations under Article 28 of the GDPR. They should be asking their ESP if they are able to assist in demonstrating compliance with the GDPR (Article 28 (3-f)). A comprehensive vendor assessment as well as a data protection agreement which incorporates standard contractual clauses are also recommended.

Legitimate Interests

Will “soft opt-in” continue to exist under the GDPR?

Under existing law, consent is not required if an organization is sending marketing messages about similar products or services to current customers, as long as: (1) they have the opportunity to opt-out when the org obtains their contact information; and (2) they have the opportunity to opt-out when the org sends them any future marketing messages. This exception for existing customers is referred to as the “soft opt-in.”

As this processing is actually not based on consent but rather legitimate interests for its legal basis, it is likely that soft opt-in will still be allowed under the GDPR, but organizations should be cautioned that more guidance is needed in this area before definitive conclusions can be made.

Global Interoperability

Are there any jurisdictional or other issues with accessing EU list serve and contact databases from the U.S.?

As described in GDPR Ch. 5, companies in the U.S. and elsewhere outside the EU must have a legal transfer mechanism for receiving or accessing EU personal data. Accordingly, organizations must evaluate the methods they use for receiving/transferring/importing EU personal data and document their transfer basis.

Many U.S. companies self-certify to the EU-U.S. Privacy Shield Framework for their legal mechanism–with TRUSTe having formally verified hundreds of them. More information is available here: privacy-shield/.

Lead Generation and Business Cards

Can you provide greater clarity on attendee lists? Are they ok to use or not? Will trade show vendors need to change how they share attendee info? Right now, they typically email lists to us.

Attendee lists or delegate lists would only be okay to use if the entity collecting the data has obtained the consent of the data subject(s) as well as informed them how their data will be used and shared. Personal data is defined as any information related to a person or ‘data subject’ that can be used to directly or indirectly identify the individual. It can be anything from a name, email address, photo, or computer IP address to more detailed information on medical conditions, dietary requirements and social media posts, even photos of attendee badges displaying individual QR codes fall into the category. Event organizers need to provide details around how they will store, process and/or share any data obtained at trade shows.

To receive a copy of all frequently asked questions and answers from this webinar, contact us today!

Find more information on our GDPR solutions here.

Share This

Share this post with your friends!