Data protection law is rife with paradox. More and more often we are seeing our clients faced with the following situation: a company is building a lead list. One day, a person on that list contacts the company to revoke their consent or object to receiving marketing material. The company is then slapped with a blunt message like, “If I get one more ad sent to this email, I’ll take you to court! So erase my data now!”
The problem: a choice between two evils
But how does a company fulfil this request? It can only choose between two evils. It can erase the email address, but then how can it possibly ensure that the same address isn’t collected again at some later point and included in lead lists used for advertising purposes (e.g. through a legal purchase of an email data list)? Or it can keep the email address but flag it as blocked, in which case it is storing data it is actually supposed to erase.
A solution from an unexpected source
I recently discussed the solution with a German supervisory authority and ended up receiving some interesting information. The supervisory authority was of the opinion that companies in this position were entitled to create what’s known as a blacklist – without (really!) the data subject’s consent.
Once a data subject revokes their consent or objects to receiving advertising and marketing material, the company is permitted to keep a list of the email addresses of data subjects who no longer wish to receive advertising. The legal basis for this is the legitimate interest of all parties involved, namely preventing unwanted advertising (Article 6 Paragraph 1 Sentence 1(f) GDPR).
Is that even necessary?
You could argue that a blacklist is unnecessary: if a person no longer wants to receive marketing material from a company, they will simply not make their data available to that company in future.
But this is a short-sighted view. There are perfectly legal ways to obtain leads without the data subject’s active participation. A person’s email address could, for example, be legally acquired from a list broker, or the company could merge with another company that holds that person’s data.
In these cases it is quite useful to know that you have legally obtained the email address but are not allowed to use it.
This would also benefit data subjects themselves.
So how does a blacklist work?
Drafting a blacklist requires a bit of preparation. There are three key aspects involved:
- transparency
- objection management
- technical and organizational security
These three points represent the bare minimum requirements. By way of brief explanation:
Transparency here means that when a data subject withdraws consent (or objects to advertising), the company informs them that their email address will now be added to a blacklist. This duty to inform follows from Article 13 GDPR.
Objection management means that data subjects must in fact have the right to be removed from the blacklist. In exercising that right, however, they run the risk of being contacted by the company again at some later point, should their data later be legally collected again.
Technical and organizational security here means keeping the blacklist separate from the other lead lists and limiting its purpose to a single task: checking newly acquired email addresses against it so that addresses that were previously blacklisted do not receive unwanted advertising. It also means storing only the data required for that purpose.
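As an added illustration of those three technical requirements (this is example code written for this page, not the author’s or any client’s tooling), the following Python sketch keeps the suppression list as a store that holds no plaintext email addresses at all. Everything about the design beyond what the text says is an assumption: entries are HMAC-SHA-256 tokens of the normalized address under a secret key held only by the suppression service, the store exposes nothing but add, remove and a yes/no check, and new leads are filtered through that check before they ever reach a campaign. The sample addresses are constructed.

```python
"""Hypothetical suppression ("blacklist") store.

Added example, not the page author's code. Assumptions: entries are keyed
hashes (HMAC-SHA-256) of the normalized address, so the list itself contains
no plaintext email addresses and cannot be turned back into a mailing list
without the key; the store lives apart from the lead database and offers only
add / remove / is_blocked.
"""
import hashlib
import hmac
import secrets


def normalize_email(address: str) -> str:
    """Canonicalize so 'Alice@Example.COM ' and 'alice@example.com' map to the
    same token. Assumption: the whole address is lower-cased (RFC 5321 allows
    case-sensitive local parts, but providers do not rely on that in practice)."""
    return address.strip().lower()


class SuppressionList:
    """Purpose-limited store: it can answer 'is this address blocked?' and
    nothing else. It never returns or enumerates addresses."""

    def __init__(self, key: bytes) -> None:
        if len(key) < 32:
            raise ValueError("use a secret key of at least 32 random bytes")
        self._key = key
        self._tokens: set[str] = set()  # only keyed hashes are persisted

    def _token(self, address: str) -> str:
        msg = normalize_email(address).encode("utf-8")
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def add(self, address: str) -> None:
        """Called when a data subject withdraws consent or objects."""
        self._tokens.add(self._token(address))

    def remove(self, address: str) -> None:
        """Objection management: the data subject may ask to be taken off."""
        self._tokens.discard(self._token(address))

    def is_blocked(self, address: str) -> bool:
        return self._token(address) in self._tokens

    def __len__(self) -> int:
        return len(self._tokens)


def filter_leads(leads, suppression: SuppressionList):
    """Split newly acquired leads into mailable and suppressed. Only the token
    of each address is compared; the plaintext never enters the store."""
    mailable, suppressed = [], []
    for addr in leads:
        (suppressed if suppression.is_blocked(addr) else mailable).append(addr)
    return mailable, suppressed


def demo():
    """Constructed scenario: one objector, then a purchased list that contains
    the same address with different casing, then the objector asks to be
    removed from the blacklist again."""
    suppression = SuppressionList(secrets.token_bytes(32))
    suppression.add("Alice@Example.com")  # objection received

    purchased = ["alice@example.com", "bob@example.org", "  ALICE@EXAMPLE.COM"]
    mailable, suppressed = filter_leads(purchased, suppression)

    suppression.remove("alice@example.com")  # objector exercises removal
    mailable_after, _ = filter_leads(purchased, suppression)
    return mailable, suppressed, mailable_after


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting. An unkeyed hash would do little for data minimization here, because email addresses are low-entropy and anyone holding a broker’s list could hash it and recover the blacklist; the secret key confines that to whoever operates the suppression service. And the store deliberately has no “list all entries” operation, which is what keeps its purpose limited in practice rather than only on paper. Whether such tokens still count as personal data under the GDPR is a legal question the page does not address; the code only shows the technical side.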
The paradox of a company’s duty to erase and its duty to cease and desist is one that is easily remedied. A secure, purpose-built blacklist is a simple way to avoid unwanted advertising. Companies should also consider the advantage of maintaining such a list for themselves: they won’t end up investing valuable marketing resources in contacts who aren’t going to buy their products anyway.
Dr. Stephan Gärtner, Stanhope SG Datenschutz