We all love bargains and offers, especially when the product or service is just what you need. Or when you are personally addressed. So for organizations, knowing their customers is valuable - it increases the likelihood of a purchase. ING recently announced that it wants to use its customers' payment data to send personalized offers - financial products that fit the customer's needs.
The Personal Data Authority (AP) has indicated via Twitter that it is investigating this further and Parliamentary questions have been posed to the Minister of Finance. High time to take a close look at the rules on sending personal advertising. Because personal advertising based on payment behavior, is that allowed?
The rules about offering advertising (also known as "direct marketing") are in the AVG. There are also specific obligations about direct marketing, which are currently in the Telecommunications Act. This will eventually (probably in 2021) be replaced by the ePrivacy Regulation.
In the Netherlands, the starting point for sending direct marketing via email, text message or app to consumers is that prior 'opt-in' permission must be sought. If customers are approached who have already made a purchase, consent is not required under the Telecommunications Act, provided that this involves offering their own similar products or services: these messages must therefore come from the same entity where a purchase was made. Moreover, the customer must have been informed in advance about the receipt of such emails and given the opportunity to oppose them ("opt-out"). In all cases, the recipient of a message must always be able to easily unsubscribe from subsequent marketing messages. This is also why newsletters include an unsubscribe button.
If direct marketing messages are sent to new customers / prospects and/or the above requirements are not met, consent must therefore be sought. That consent must meet the requirements set by the AVG: the recipient must have given consent through an active action, be properly informed and only give consent with respect to specific purposes. In addition, when giving consent, the recipient must be 'free', meaning that he or she must also have the option of not giving consent. It must also be possible to prove that consent has actually been given.
In addition to these special rules on direct marketing, the processing of personal data to send marketing emails is also always involved. Therefore, the AVG must also be complied with. Among other things, this means that a basis must be present for sending direct marketing emails. Generally, it can be assumed that an organization has a legitimate interest for marketing activities. This is such a basis from the AVG where there must be a balance between the interest of the one processing personal data and the data subject, in this case the recipient of the e-mail. This balancing act can go both ways. Factors that play a role in balancing interests include, for example, the fact that a company builds individual profiles on a large scale and/or uses more sensitive personal data in the process. In such a case, the balancing of interests is more likely to favor the data subject.
ING wants to start approaching customers without first asking permission. It is opting out. It is not yet entirely clear how ING will approach its customers, presumably by e-mail. In addition to the Telecommunications Act, the AVG also applies: after all, ING will be using personal data of its customers for this purpose. Therefore, ING must have a basis for processing personal data. ING has indicated that it bases approaching customers on the 'legitimate interest' basis.
As described above, in the case of a "legitimate interest," the processing of personal data must be necessary for the ING's interest. ING's marketing interest must be weighed against the customer's privacy interest. There are then several factors to consider: for example, the fact that ING is entitled to the freedom to conduct business, approaches existing customers with its own products and services and does not share them with third parties. On the other hand, financial data is particularly sensitive data and was obtained for the purpose of purchasing ING's payment services. Should a customer then expect to also receive commercial messages in response to this intimate data and is this really necessary for ING? The ING thought so, but the AP is going to investigate ING's balancing of interests. That will show whether the AP also thinks the balancing of interests is in ING's favor.
All in all, an interesting issue. Incidentally, ING came under scrutiny in 2014 for wanting to use payment data commercially and then share it with third parties. Those plans were then called off. Another interesting question is whether the use of this data is compatible with the purpose for which it was collected. Perhaps the AP will comment on that.
This article can also be found in the AVG and e-Privacy dossier
More from SOLV Lawyers
