It often surprises Controllers when I explain that the right to object to direct marketing is not limited to the sending of marketing messages, but also includes analytics, tracking, profiling, prospecting and targeting on any platform, by any mechanism, when the purpose of doing those things is direct marketing.
Which is a bit worrying, because if they didn’t know that, then they probably haven’t thought about how to stop doing those things - or whether they even can. And they need to know how to stop, because data subjects all have the right to make them stop - in relation to their personal data specifically.
They should also be explaining this clearly to data subjects - which, oddly enough, most seem jolly reluctant* to do.
(*I’ve yet to encounter a marketer that doesn’t wince when contemplating this particular obligation)
Welcome to Articles 21.2-3 of the GDPR.
2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
Obviously, this means ‘stop sending them direct marketing messages’. But it doesn’t mean only that. It covers anything done with personal data relating to you that’s done in order to achieve any direct marketing outcome. Muahahahaha.
! Targeted advertising - whether or not you are the target*
(*not established in legal precedent so far. I’m sure the adtech industry would fight tooth and nail against this interpretation, but since algorithmic advertising makes it impossible to know exactly who is going to be targeted with what at any given time; the only way to effect an objection to use of personal data in targeted advertising is to exclude that data from profiling and targeting operations altogether.)
! Sending it to a third party to be checked, augmented, matched, updated or correlated so that marketing comms can be sent out to particular recipients (or doing those operations in-house)
! Cross-matching email addresses or phone numbers with social media profiles so that marketing messages are presented individually to people who match defined criteria
! Tracking which recipients have opened which marketing emails (address, what kind of device you were using and what software, when you looked, your location, how this action compares to your past actions, and to others’ actions, which formats/topics/contents you reacted to and which you didn’t, etc)
…to describe just a few.
Good news and bad news
The good news: your right to object outweighs the inconvenience to the Controller of having to do something about it. If they can’t because they didn’t think about having to put objections into effect when they designed/bought/spun up their systems, that’s their problem. They need to find a way to get it done.
The bad news: you will probably have to have an argument about it before your objection is complied with. You may be ignored, fobbed off, or denied by people in organisations that don’t recognise, don’t understand or don’t respect your right to object.
If you do decide to object - perhaps, like me, you feel that profiling, surveillance advertising and data entitlement are just damn rude. Perhaps you are (justifiably) concerned about the discriminatory and disempowering effects of datafication, to yourself particularly or to society in general. Maybe you’re just feeling bloody-minded (and who isn’t these days?!) - Whatever your motivation, you may find the following Q&A helpful.
A21.2-3 Objection Q&A
Will I have to show some ID?
You shouldn’t need to provide any kind of official identity document to get your objection acknowledged or actioned. That would be excessive to the point of looking suspiciously like obstruction. This isn’t a DSAR, nothing is at risk except the Controller’s marketing metrics. No-one is going around impersonating others in order to object to processing for direct marketing purposes on their behalf. You are who you say you are.
Do I need to list the data I don’t want to be processed?
You don’t need to specify which data you want suppressed. Chances are, you won’t even know the half of it - data about you may have been amassed, inferred, or attributed to you behind your back. It’s for the Controller to figure out what personal data relating to you they are processing (for direct marketing purposes), and how to suppress that data from being included in those processing operations. All they need is something to triangulate off - your name/handle or email address should be enough to hunt the rest down (unless they completely neglected to consider their data protection obligations when putting together their systems and processes).
What if I don’t remember ticking/unticking a box?
Doesn’t matter. This is not about lawful basis. It is entirely irrelevant whether the Controller has a legitimate interest in the processing, or whether they claim to have your consent; when you say ‘no’ to processing for direct marketing purposes, that supersedes everything else.
They said they can’t delete my data because <reason>
You should make it very clear that you don’t want the data to be deleted, you want it to be excluded from any processing for marketing purposes. If they delete it, they can just re-acquire it the next day and start over. Some organisations will [deliberately] misinterpret your objection as an erasure request and [maliciously] comply, leaving you under the impression they’ve stopped when all they did was reboot. Anticipate this and be explicit - you don’t want to be ‘forgotten’, you want to be remembered as someone who said “DO NOT process my personal data for direct marketing purposes”.
They said they can’t stop the processing because they need the data for <reason>
They’re imagining/manufacturing a conflict that doesn’t exist, by interpreting your objection to mean “don’t process my personal data at all for any reason”.
To suppress your personal data the Controller must still retain and make use of it - but with different processing activities for a different purpose, under a different lawful basis. Essentially you are telling them to pivot away from processing your personal data for the purposes of direct marketing (under consent or legitimate interests) and instead change to processing THAT SAME DATA for the purpose of upholding your right to object to its use for any direct marketing-related activity (basis: legal duty). No conflicts there.
Oh, and by the way - excluding your personal data from processing for direct marketing purposes does not prevent the Controller from continuing to process it for other purposes, like meeting legal obligations and general business administration. So don’t accept that as an excuse for knocking back your objection, it’s bollocks.
What if they offer to redact/obscure some of it?
De-identification (removing/redacting explicit identifiers) won’t fulfil your objection and neither will pseudonymisation (replacing explicit identifiers with codes). These are [copout] tactics that some Controllers may invoke to pretend that there is no ‘personal data’ being processed and thus evade your objection. Such sidewinding moves may genuinely be based on an inaccurate understanding of ‘personal data’ as defined in law (which is a red flag all on its own). Either way - nope, not good enough.
(Let me unpack that a bit more, ‘cos it’s deep)
TL;DR - if it’s about you and points you out specifically, it’s your personal data
Single datapoints taken alone, or multiple values combined in a set, which relate to you and allow you to be singled out for recognition as a unique living individual, are your personal data - even if no name or email or picture (or other explicit identifier) is included.
Therefore, just taking out the explicit identifiers may not be enough to un-personal the data. It’s a pointless thing to do in response to an A21.2-3 objection because it’s a) [probably*] still personal data, and b) still being processed for direct marketing purposes.
Leakage of your data is not the threat that A21.2-3 offers you protection from - use of it in ways that you consider unwanted/unnecessary/rude/exploitative/dangerous/anti-social/etc is. Obscuring the data does nothing to protect you against its use for direct marketing purposes by the very people who generated/acquired it in the first place. You don’t want your personal data changed, you want it left the hell alone (as far as direct marketing goes).
*Any prospect/lead/customer data that is processed for direct marketing is likely gonna be ‘personal data’ because if it’s not individuated and attributed somehow then it isn’t much use anyway - ‘direct marketing’ is the cluestick.
What happens if I object?
In theory: within a short period of time, you receive assurance that your personal data is no longer - and will continue not to be - processed for direct marketing purposes.
(Tip: ask in advance for evidence that the objection has been upheld. Ideally, you’re after screenshots of the suppression config, or a detailed description of how exclusion is effected.)
If you spread your objections out, in time you may eventually notice online ads becoming less creepy and your spam folder decreasing. Hurrah and thank you for your efforts! Enjoy the benefits.
In practice: you may have to chase, escalate, argue, threaten and shame the Controller into abiding by their obligations in law. The more they push back, the more they’re revealing themselves as unworthy of the benefits they’re extracting from your data anyway.
Call me a dewy-eyed optimist*, but it’d be nice to believe that if a lot of people exercise (and insist on) this right, organisations might find themselves motivated to a) consider data subject rights earlier and more often in biz planning, and b) decide that a more cautious and less entitled attitude to tracking, profiling and surveillance advertising is worthwhile. A girl can dream.
For lolz/because I’m a nerd/as a warrior on the front line of the fight to defend human rights and freedoms in an increasingly horrifying tech-dystopia; I drafted a template objection letter which you are welcome to copy and use.
(If you do use it, and you wouldn’t mind letting me know how it went; I’d love to hear about it from you. Chatham House Rule applies)
I am not a lawyer (you don’t need one for this). This is not legal advice/representation (you don’t need it for this).
I am writing to exercise my right under Article 21.3 of the GDPR to object to any and all processing for direct marketing purposes of personal data relating to me.
This includes, but is not limited to:
Acquiring or generating personal data relating to me from any source
Associating, attributing or inferring any category, trait or demographic label with/to/from personal data relating to me from any source
Augmenting, matching, selecting, or creating any personal data relating to me from any source
Targeting me, or anyone else based on processing operations performed on personal data relating to me from any source-
-where the intent or objective of doing so is to design, create, select, designate, report on, analyse or otherwise contribute to direct marketing activities at any time; now or in future.
I require you to cease any such processing with immediate effect, and take the necessary steps to ensure the exclusion of personal data relating to me from any future processing operations for direct marketing purposes.
I look forward to your acknowledgement of this objection, and to receiving your assurances, along with corroborating evidence, that my objection has been complied with.
<insert $CAT into $_PIGEONS>, LOL