The expectations of the Hungarian National Authority for Data Protection and Freedom of Information regarding consent to direct marketing through different channels – description of the conclusions of an authority decision
We would like to draw your attention to a recently published decision of the Hungarian National Authority for Data Protection and Freedom of Information (the “Authority” or the “NAIH”), in which it imposed a data protection fine of HUF 30 million for unlawful business acquisition (i.e. direct marketing). The decision is important because it is the first time that the Authority has addressed the question of how much consent is required when a company engages in business acquisition activities through different channels.
The key element of the decision is that the NAIH expects advertisers to provide the opportunity for the data subject to give consent separately per contact method, i.e., per communication channel (e.g., post, telephone, e-mail, Google- and Facebook-targeted online ads). According to the NAIH’s conclusion, the requirement of voluntary consent is therefore not fulfilled if the data subject cannot give consent for each direct marketing contact channel separately. This does not exclude the provision of an option to consent to all the identified purposes at the same time, but in addition, there should be an option to give separate consent for each purpose.
The NAIH has also explained that if consent is obtained “by electronic means”, such wording is too broad, and such consent is not specific as it may include any other form of contact, even future ones, in addition to the e-mail contact which the data subject cannot foresee and anticipate. Accordingly, direct contact by means other than the e-mail address provided requires specific consent. This also includes targeted advertising on Google and Facebook, for which the NAIH also requires specific consent.
Based on the decision:
- separate consents per purpose and marketing channel are required – with this in mind, controllers should review the make-up of the consent forms used, the number of boxes to check, and the wording;
- separate consents for Google- and Facebook-targeted advertising, and separate information on the use of these and similar mass automated advertising systems are required – this should also be taken into account in the wording of the consent and the content of the privacy notice;
- specific information on the nature of the direct marketing is required – the purpose of controlling contact details shall not be a vague objective such as “receiving further favourable offers”. “Direct marketing is an umbrella term, the specific implementation of which shall be indicated as an objective”, for example, sending advertisements for one’s own products on a specific channel or channels. Particular mention should be made of unusual material circumstances not reasonably foreseen by the data subjects, such as a foreign processor, according to the NAIH (and its role in the processing should be described in a clear, precise and easily understandable way);
- the privacy notice shall be provided to the data subject in a way that is adapted to the communication channel used – in the case of offline communication, it is not sufficient to refer only to the availability of the online privacy notice, as there may be many data subjects who do not have access to the internet.