The intention was that a new version of the E-Privacy Directive (replacing the UK’s Privacy and Electronic Communication Regulation, more commonly known as PECR) would come into force at the same time as the GDPR. That did not happen, and the draft E-Privacy Directive is still going through the rounds in the EU (an updated version of the text was circulated on 19 October).
Despite all this, it’s worth bearing in mind that direct marketing is not as restricted as is commonly thought. The GDPR states: “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” This is counter-balanced by the data subject’s right to stop direct marketing by objecting, and the right to object must be “explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information”.
PECR then provides a further layer on top of the GDPR. Electronic marketing (mainly SMS, email, and phone) requires the individual’s prior consent if the marketing is unsolicited (such consent now to be given to the GDPR standard). However, even here there is some leeway. Where the individual is an existing customer and the directing marketing relates to similar goods and services, then direct marketing is permitted provided that the individual is given the opportunity to opt out both when his/her data is first collected and in each subsequent communication.