EU ‘direct marketing’ ruling presents opportunities and risks

The recent decision in Inteligo Media SA v ANSPDCP will mean that businesses can no longer automatically assume that free content sign-ups are exempt from consent requirements.

The ruling also offers a significant interpretation of article 13 of the ePrivacy Directive (‘the Directive’) and its interaction with the General Data Protection Regulation (GDPR), ruling that where the ePrivacy Directive addresses the same topic as GDPR, its provisions apply, not those in the GDPR. This contradicts the previously held view that a legal basis under GDPR was always required.

Under article 13(2) of the Directive, a “soft opt-in” option allows a commercial organisation to send direct marketing relating to its products or services by electronic mail to a customer, where the customer’s contact details have been obtained in the context of a sale of a similar product or service, and the customer has not opted out of marketing messages and is clearly granted the opportunity to opt-out in subsequent communications.

The court determined that where a user created a free account on a publisher’s online platform which gave the user a right to receive a daily newsletter by email and access to a certain number of articles on the platform free of charge, coupled with a further right to access additional articles on the platform for a fee, the transmission of the newsletter constituted a use of electronic mail for the purposes of direct marketing of similar products or services within the meaning of article 13(2). The court viewed the newsletter as operating to entice the user to access the paid-for content on the platform by exhausting the number of articles available free of charge.

However, the court’s interpretation of “sale” under article 13(2) introduces complexity for ‘freemium’ and content-driven models. While the soft opt-in exemption may apply where free registration is linked to paid services, purely free offerings likely fall outside its scope.

Andreas Carney said the court’s decision creates both opportunities and risks for businesses. “The court’s ruling focuses on communications based on ‘free’ accounts linked to paid services,” he said. “Organisations operating with this model now have more comfort leveraging the soft opt-in exemption. However, the court highlighted that the exemption is to be narrowly construed – the position is therefore less clear for models that appear ‘wholly’ free.”

The judgment also confirms that ePrivacy rules act as the governing law for unsolicited communications, but that GDPR still governs personal data processing. Breaches – whether a failure by organisations to implement clear consent or create opt-out mechanisms – could trigger enforcement under both regimes, significantly increasing business financial and reputational risk.

Lauro Fava said the court’s novel interpretation of this issue concluded that where the lawfulness of processing for direct marketing purposes is established under the ePrivacy Directive, a separate legal basis under article 6 GDPR is not needed. “Many have viewed these as separate requirements which needed to be satisfied separately,” he said. “The decision seems to suggest that organisations which rely on the soft opt-in exemption for direct marketing do not need to complete a legitimate interests assessment. Also, could this reasoning be applied to processing carried out by means of cookies and similar technologies, which is also governed by the ePrivacy Directive? Arguably, it should.”

Carney said businesses would need to review and potentially update their existing marketing strategies and consent frameworks in light of the ruling.