Are you familiar with the ‘Pink Box’? It is one of those gift boxes that expectant or brand new mothers can obtain, filled with handy samples of baby products, discount coupons and information sheets. Via a simple form, they can request the box and enjoy these benefits. For free! But at what cost? It now turns out that there is a serious price to pay, namely the trade in the personal data of the mothers and their babies. According to the Data Protection Authority (DPA), the marketing company that offers these ‘Pink Boxes’ has strayed far from the rules, behaving like a genuine ‘data broker’.
The facts point in the direction of direct marketing
Expectant and young mothers can request gift boxes through various channels. However, in exchange for the samples and offers in this “Pink Box”, the company organising it passes the request data on to its sponsors. The company thus conducts a genuine trade in personal data with these outsiders (a “third party” in legal jargon), which gives those third parties the opportunity to engage in direct marketing. And direct marketing is precisely an area subject to many rules, and one that the DPA has included among its action priorities!
One of the mothers is not happy about the renting or selling of her personal data for direct marketing without her explicit consent. Above all, she is appalled to still receive unwanted advertising after withdrawing her consent.
The DPA has its investigative body (the ‘Inspectorate’) examine the data processing activities of the company concerned from all angles. The Inspectorate concludes that the GDPR has been violated, to the point that several of its foundations have been breached. And this while the trade in personal data is a genuine core activity of the company in question.
The findings show that the company, as a data controller, has flagrantly neglected its GDPR obligations.
One complaint, but a whole list of infringements
Following the complaint, the Inspectorate made full use of its powers. This explains why the infringements are “broader” than what the complainant could indicate as a layman.
Lack of transparency and function creep
To begin with, the principle of transparency was violated. And transparency is a cornerstone of the GDPR.
After all, the company creates a false perception among data subjects (including the complainant in this case). More precisely, it is not made clear that it is a private company and that its activity consists of trading in personal data.
Moreover, the lack of transparency has a direct impact on the validity of any consent that would be obtained: unambiguous consent requires knowing what you are consenting to. Because of the vagueness, however, the people concerned do not sufficiently realise what their personal data will be used for, and by whom. This phenomenon is also described as purpose shifting or ‘function creep’.
No valid consent and complex revocation
Therefore, there is no freely given, specific, informed and unambiguous consent from the complainant. The problem here lies at two levels.
First of all, the company does not provide enough information about what exactly happens to the personal data of the mothers and children. The company does not identify the partners to whom the personal data are transferred. Thus, it is impossible for the person concerned to have at his or her disposal all the parameters necessary for giving informed consent.
In addition, there is no real free choice: when a young mother wants to request the Pink Box, even if only for the informative content that is sent along with it, she cannot do so without also agreeing to the trading of her personal data. Without giving that consent, however, she cannot enjoy those benefits at all.
Inadequate organisational measures and disproportionate storage period
Furthermore, the company has not taken appropriate technical and organisational measures to ensure that only the personal data necessary for each specific purpose of processing are processed. For example, the company does not distinguish between the purposes of the processing, and the data retention period is 18 years. This is undoubtedly disproportionate, especially since the benefits offered concern baby gear.
No legitimate interest
Insofar as consent is not at issue, the DPA recognises that the commercial interest of the company behind the Pink Box could be invoked as a legitimate interest.
However, this legitimate interest is not a free pass, and must pass the purpose test, the necessity test and the balancing test. These tests are strict: the necessity is insufficiently demonstrated, while the reasonable expectations of the data subjects are insufficiently clear due to the lack of transparency.
No processing agreement
Finally, the company violates the GDPR because no processing agreement has been concluded with one of its partners, even though this partner did process the personal data of the data subjects.
The DPA deplores the fact that the provider of the “Pink Boxes” has paid so little attention to personal data protection in its business model. There is no excuse for this, especially since the handling of personal data is a core task of the company. As a professional, it must surely have been aware of the applicable rules, which are no longer “new” and for which, in relation to direct marketing, extensive guidelines have already been made available.
The DPA therefore does not hesitate, in addition to its task of clarification, to resolutely enforce the rules, and to severely punish the violation with a fine of EUR 50,000.
In June 2020, we already noted that it is high time for companies to take a close look at their marketing strategy. If your organisation needs guidance on this, you can always reach us at firstname.lastname@example.org.
Written by Larissa De Keyser, Trainee theJurists, and Kris Seyen, Partner theJurists