Direct marketing – Is in-app marketing subject to users’ prior consent rule?


Basic RGB
Authors: Vlad Giurgiu, Iurie Cojocaru

Online marketing represents a fact of today’s life and businesses direct considerable financial resources toward improving their online presence, in an attempt to find, gain, and retain clients.

As technology evolved, consumers’ habits started to change, too. The digital revolution meant that mobile applications started to become part of consumers’ everyday routine. Promoting one’s brand by means of such apps quickly turned into a must amongst business community, as in-app advertisement campaigns take advantage of the increased attention the users pay when using such apps. Thus, marketing strategies had to adapt in order to benefit from the opportunities that were created.

For ensuring that online marketing campaigns deliver the envisaged results, relevant stakeholders must make sure that the business and the legal aspects are being taken into consideration, both during the development process and during the execution stage of such campaign. As regards the legal side related to the execution of marketing campaigns, an increased focus must be on ensuring compliance with the provisions of Directive 2002/58/EC (“ePrivacy Directive”), which sets out certain requirements that businesses have to comply with when sending communications for direct marketing purposes. Amongst such requirements, the most restricting one relates to obtaining users’ prior consent for sending marketing messages by means of automated calling and communication systems without human intervention (automatic calling machines), fax or electronic mail.

Considering that enterprises started to shift their focus toward in-app marketing, in an attempt to promote their brand amongst new generation of users, one question arises: does the consent rule established by the ePrivacy Directive also apply to in-app marketing communications?

For answering the above question, we must first exclude from the scope of this analysis the communications sent by automatic calling machines or by fax and focus on the third means of communications expressly mentioned by the ePrivacy Directive in this context: the electronic mail. One may argue that only electronic mail marketing carried out by e-mail or SMS is dependent upon obtaining prior consent, as the legal definition of electronic mail seems to exclude the advertisement messages sent by using new communication technologies such as social media platforms or instant messaging applications. This apparent omission is due to the fact that such technologies were not yet available when the ePrivacy Directive was drafted.

Nevertheless, the rules provided under the ePrivacy Directive must be read in conjunction with the recitals thereof, while also having regard to the CJEU’s jurisprudence, especially the reasoning of the court in the T-Online Case (C-102/20). In the context of that case, the European top court held that the objective of the ePrivacy Directive, i.e., ensuring an equal level of protection of privacy for users, must be ensured regardless of the technologies used, thus concluding that requirements which aim to safeguard users’ privacy must be interpreted in a broad manner in order to cover the new means of communications brought by technological advancements. However, the court did not elaborate on this matter, as the case referred to one particular type of communications. Thus, the court left open the debate on whether all existing (and future) means of contacting a person by electronic means are covered or whether there are certain technologies that may be excluded from the scope of the Directive.

In addition, it is important to point out that the rules on direct marketing are included in a Directive, which only provides a minimum standard that all the EU member states have to establish in their respective jurisdictions. As a consequence, national legislators had some margin of maneuver in the sense that a stricter regime could have been implemented. Moreover, Art. 13 (3) of the ePrivacy Directive sets up the obligation of the Member States to ensure that users are protected from commercial communications sent by using other methods than those expressly prescribed by the ePrivacy Directive.

In Romania, the transposing legislation (i.e., Law No. 506/2004) extended the scope of the direct marketing provision to cover not only commercial communications sent by automatic calling machines, fax and electronic mail, but also the commercial communications sent by any other methods using electronic communications services. While this extension did not have major implications until the second quarter of 2022, it began having an impact as of entry into force of the Law No. 198/2022, which implements the European Electronic Communications Code (the “EECC”) into Romanian legislation. From a privacy perspective, the key element of the EECC was the introduction of the so-called interpersonal communications services amongst those previously covered by the notion of electronic communications services. As a result, the requirements related to direct marketing provided by the Law No. 506/2004 also started to become applicable to interpersonal communication services, such as instant messaging applications.

Thus, sending direct messages to users located in Romania, for marketing purposes, by using apps that may be qualified as interpersonal communications services would require, as a rule, users’ prior consent. This is why stakeholders should carefully assess the apps by which their marketing campaigns would be executed, in order to determine whether such apps meet the criteria for being qualified as interpersonal communications services, in which case prior consent of users should be obtained.

Furthermore, businesses that wish to grow their market share in Romania by promoting their products or services via in-app marketing should not only assess and comply with the requirements provided under the Law No. 506/2004, but also take note of the previously mentioned CJEU’s ruling in the T-Online Case.  This integrated approach would help companies to accurately determine the situations in which obtaining prior consent of users is necessary, as the consent rule may still be applicable in Romania even if the marketing campaign is not carried out by means of an interpersonal communications application. For instance, even a customer satisfaction survey or an in-app ad banner that are not transmitted by interpersonal communications services may require users’ prior consent, depending on their specific characteristics.

While obtaining prior consent of users for promoting one’s brand represents an additional burden for the business community, failing to do so when the law requires it would likely result in a fine and in the publication of the company’s violation of privacy-related regulations on the Romanian DPA’s website, if such is found following the investigation.

It is noteworthy that customers are more eager to file complaints when receiving unsolicited marketing communications and, according to the official statements of the Romanian DPA, over 80% of the investigations carried out so far this year were opened following complaints received by the Romanian DPA.

Thus, a detailed assessment of the relevant characteristics of businesses’ ads and the apps by which such are intended to be conveyed to users might come in handy. Stakeholders could also get in touch with their privacy advisors in order to identify the criteria that in-app ads should meet in order to be able to display them without needing to obtain users’ prior consent.