EU Regulation
GDPR applies to most electronic marketing as it typically involves the processing of personal data (e.g., email address containing the recipient’s name). The most likely legal grounds for electronic marketing are consent or the legitimate interest of the data controller (explicitly referenced in recital 47). If relying on consent, the strict requirements of GDPR regarding consent must be observed. Marketing consent forms must always include a clear opt-in mechanism (e.g., an unchecked consent box that the user must tick or a signed consent statement – simply accepting terms of use or consent based on behavior, such as visiting a website, is not sufficient).
Data subjects have an absolute right to object to (and thus prevent) any form of direct marketing (including electronic marketing) at any time (Article 21(3)).
Specific rules for electronic marketing (including situations where consent is mandatory) are found in Directive 2002/58/EC (ePrivacy Directive), which has been implemented in the national legislation of each member state. The ePrivacy Directive is expected to be replaced by a regulation, but its timeline is uncertain as the European Commission rejected the draft ePrivacy Regulation due to disagreements among member states. Until then, Article 94 of GDPR states that references to the repealed Directive 95/46/EC shall be replaced by references to GDPR. Therefore, the consent requirements of the ePrivacy Directive are aligned with the consent requirements of GDPR.
Finnish Regulation
Electronic direct marketing in Finland is regulated by the Act on Electronic Communications Services. The Data Protection Ombudsman also oversees compliance with this law’s provisions on direct marketing.
Direct marketing to natural persons is allowed only through automatic calling systems, fax devices, email, text messages, voice, image, or voice messages, and only if the person has given prior consent. Other forms of direct marketing are allowed unless the person has specifically objected. If a service provider obtains a customer’s email address, phone number, or other contact details during the sale of a product or service, the service provider can generally use this contact information to market its own products or similar products or services. A natural person must always have the opportunity to easily and free of charge opt out of direct marketing, and the service provider must clearly inform them of this option.
Service providers may conduct direct marketing to legal entities (businesses) unless they have specifically opted out. Just like natural persons, legal entities have the right to easily and free of charge opt out of direct marketing, and the service provider must clearly inform them of this option. Additionally, telecommunications operators and business or community subscribers have the right to block the receipt of direct marketing messages upon the user’s request.
The Data Protection Ombudsman and the Finnish Direct Marketing Association have provided their interpretations on B2B direct marketing when using general contact information of a legal entity, such as email addresses. If B2B direct marketing targets a company employee’s personal work email (e.g., firstname.lastname@npe.fi), the person’s consent is required, unless the marketed product or service is closely related to that person’s work duties.
Direct marketing sent by email, text message, voice, image, or voice message must be clearly identified as direct marketing. It is prohibited to send direct marketing messages that:
- Conceal or obscure the identity of the sender on behalf of whom the message is sent.
- Do not contain a valid address to which the recipient can send a request to stop communications.
- Encourage recipients to visit websites that violate the provisions of the Consumer Protection Act (20.1.1978/38).
If personal data is processed in electronic direct marketing, applicable data protection legislation, such as the Finnish Data Protection Act and GDPR, also applies.