Many companies share personal information they gather directly from individuals with "business partners" who use the information for their own direct marketing purposes. It is the case, for example, of companies that provide services on the internet free of charge but gather and sell the data related to their users to business partners. As the Washington Post recently learned, companies with this business model may find it challenging to comply with the European requirements, especially considering the new definition of consent set out in the GDPR.

The French Data Protection Authority (the "French DPA") recently published a list of 5 basic principles to be complied with when sharing personal information with business partners:

  1. Before sharing personal information with business partners, you must ensure that the individual gave his/her consent.
  2. The data collection form must provide a way for the individuals to identify the partners. For example: by providing the full list of business partners on the data collection form or by providing a link to the full list.
  3. You must update the individuals when there is a change in the list, especially for additions of new business partners. The French DPA suggests to provide in each direct marketing message a link to an up-to-date list. In addition, each new partner must provide information on how it processes the individual's personal information when the first contact is made or at the latest within a month of such contact.
  4. The consent obtained from the individuals on behalf of business partners is only valid for such partners. It means that these partners cannot share the personal information they received with their own partners without obtaining a new informed consent from the individuals who must be told who these new partners are.
  5. When the business partners first contact the individuals they must specify from whom they obtained the individual's personal information and how the individual can exercise their GDPR rights. In particular, they must inform the individuals of their right to object at any time to the processing of their personal information for direct marketing purposes. The right to object may be exercised by the individuals by contacting either the new partner or the company that collected the information initially.

These principles are drawn from the e-Privacy Directive which was implemented in each European Union Member State legislation (in France the relevant provision is Article L. 34-5 of the Postal and Electronic Communications Code). The ePrivacy Directive should be replaced in the coming months by the ePrivacy Regulation which will apply directly in all Member States, in the same way as the GDPR, which will allow a greater harmonization of direct marketing rules in the EU.

To view Foley Hoag's Security, Privacy and The Law Blog please click here

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.