October 2020 – The Czech Data Protection Authority (the “DPA”) has imposed a fine totaling 6,000,000 CZK (approximately 250,000 EUR) to a car dealership for its repeated distribution of unsolicited commercial communications to almost 500,000 thousand recipients in violation of Section 7 of Act No. 480/2004, Coll., on Certain Information Society Services, as amended.
The DPA performed an on-site investigation at the site of the breaching company. Instead of focusing solely on a number of specific complaints lodged by the respective recipients, the DPA then proceeded to evaluate the firm's entire marketing campaign and the legal grounds for its distribution of marketing communications to end users. The company was required to present evidence of valid and specific consents being granted by users. The DPA rejected as insufficient the company's evidence on the means of acquiring contact details and method of requesting consents for marketing campaigns. Specifically, the DPA requested any consents granted by specific customers for a sample 1 percent of the recipients of its marketing emails. As a result of the investigation, the DPA found systematic failures in relation to contact detail collection and consent methodologies, resulting in a fine being levied against the company.
The DPA also assessed the distribution of marketing communications to existing customers, subject to an exception from the opt-in consent requirement under Section 7(3) of the Act on Certain Information Society Services.
In its decision, the DPA expressed its interpretation of the term “customer” within the meaning of Section 7 (3) of the Act on Certain Information Society Services. This stipulates an exception from the requirement to obtain a consent to the distribution of customer marketing communications in connection with the sale of products or services. The DPA noted that this exception can only be applied in a later stage of the contract conclusion process – when a potential customer may have a legitimate expectation that such a contract will be concluded and that they will thus become a customer. According to the DPA's decision, the term “customer” cannot include individuals who have solely expressed a non-binding interest in the respective goods and services without any further contractual negotiations or steps leading to the conclusion of a contract.
The interpretation of the term “customer” by the DPA plays an important role as it can be considered as market practice to rely on the exception in Section 7 (3) when distributing marketing emails to customers who have expressed a past interest in goods or services. In our experience, companies often process personal data and send commercial messages to potential customers who are merely perusing their websites, or who have only registered for an unrelated activity - which is a breach of the law.
In light of the above, it is advisable to consider the following when distributing marketing communications:
- Maintain records of valid opt in consents, as the DPA will require these in case of an investigation; such as by requesting a second confirmation as a follow-up to a granted consent for marketing communications (e.g. by sending a link to the respective email address to re-confirm that consent has been granted);
- Avoid using pre-ticked boxes when requesting opt in consents, and instead request proactive affirmation on the part of the user;
- When relying on an exception from an opt-in consent requirement for existing customers, maintain records, which attest to the respective individuals indeed being potential customers (and who thus may have a reasonable expectation of becoming customers);
- For individual potential customers who have simply expressed a non-binding interest in goods or services, avoid relying on exceptions from opt-in consent requirements used for existing customers;
- Be transparent and provide information on the identities of the entities sending communications and always mark the respective emails or other communication as commercial communication; and
- Offer simple and clear means for users to opt out from receiving marketing communications, and always provide a valid contact address to which users can write to decline receiving future marketing communications.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.