The agency's legal responsibility to its client.
Riestra Abogados.Is the agency aware of all the legal implications of the actions it proposes to its client? The client expects it to be so.From the very conception of the idea, the legal implications must be clear.A legal error in the campaign, in addition to losing the account, means assuming responsibility for the imposed fine, facing lawsuits, or assuming the expense of withdrawing the campaign.Do you use your client's databases?If so, according to Article 12 of the Organic Law on Data Protection (LOPD), it is mandatory to have a signed personal data processing contract.But the most important thing for an agency is if we also subcontract the campaign to third-party providers, we need our client's prior authorization, and must sign another data processing contract with that provider. Remember that according to the LOPD, transferring data without consent can result in a fine of between €40,000 and €300,000. Do you use stock images?The client must be informed of the scope of the license for the images used, including the territorial scope, duration, and intended uses. Otherwise, the agency could assume liability and have to pay the necessary amounts to cover the license, which can be significant sums. To avoid this, understand the terms of the licenses being acquired and communicate them to the client in writing.Do you contract audiovisual production services with third parties?As in the previous paragraph, the scope of the production must be defined with the client and reflected in an audiovisual production and intellectual property rights transfer contract. If actors are hired, the same applies to the transfer of their image rights.Do you commission software development?In this section, it is very important to clearly state who owns the source code. Without it, the software being custom-developed is useless. But it's just as important to include this in the contract as the practical way in which it's delivered to you, because it's of little use to me if the supplier is, for example, in Argentina or India.Are you developing a website for your client?There are two important points worth highlighting:(i) If you use OPEN SOURCE in your programming, read the terms of use carefully, as they often limit it to commercial use (as was the case with our client's website). This contract is often governed by US law, and there, compensation of $50,000 is being paid for each open source page used without the corresponding license, i.e., multiplying the website pages by $50,000.(ii) The client is responsible for providing the legal texts of their data protection policy on the website. If the client requests this from the agency, the agency must seek legal advice; the consequences of copying and pasting can be disastrous.Forms of Advertising and Data Protection.Riestra Abogados. Regulation (EU) 2016/679Definitions.Basic regulations.Commercial communications and data protection.Relevant aspects of telephone advertising.Relevant aspects of electronic advertising.Viral marketing.Anonymity on the Internet.Cookies.Online advertising. New online advertising methods, personalized and based on user identification, have led to the updating of data protection regulations, such as the new European Data Protection Regulation 2016/679, which in its Article 7 establishes the conditions for consent as follows:Where processing is based on the data subject's consent, the controller must be able to demonstrate that the data subject has consented to the processing of his or her personal data.Where the data subject's consent is given in the context of a written declaration that also concerns other matters, the request for consent shall be presented in a form that is clearly distinguishable from the other matters, in an intelligible and easily accessible manner, and using clear and plain language. No part of the declaration that constitutes a breach of this Regulation shall be binding.The data subject shall have the right to withdraw his or her consent at any time. Withdrawal of consent shall not affect the lawfulness of processing based on consent prior to its withdrawal. Before giving consent, the data subject shall be informed thereof. Withdrawing consent shall be as easy as giving it.When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is made conditional on consent to the processing of personal data that are not necessary for the performance of that contract.This article aims to provide an overview of advertising methods and their implications for personal data protection.Definitions We must keep in mind two definitions that will be the cornerstones throughout this article.a. Advertising is understood as: "any form of communication carried out by a natural or legal person, public or private, in the exercise of a commercial, industrial, artisanal, or professional activity for the purpose of directly or indirectly promoting the contracting of movable or immovable property, services, rights, and obligations." (Art. 2 of Law 34/1988, November 11, General Advertising Law)b. Commercial communication: "any form of communication aimed at promoting, directly or indirectly, the image or the goods or services of a company, organization, or person carrying out a commercial, industrial, artisanal, or professional activity." (Annex to Law 34/2002, of July 11, on information society services and electronic commerce)It is interesting to note in the definition of advertising the reference "for the purpose of directly or indirectly promoting the purchase of movable or immovable property, services...", as well as in the definition of commercial communication, "any form of communication aimed at the direct or indirect promotion of the image or of the goods or services...". In other words, the term "indirect" practically covers all forms of advertising and commercial communication that we might think are not within the scope of the regulation, because the simple communication of a brand will fall within the definition of advertising or commercial communication, unless we prove otherwise. For example, sending an email asking a customer to subscribe to our newsletter is a commercial communication, and unless we have their consent, it cannot be sent.Basic regulationWhen a company decides to launch a new product and/or service, it implicitly entails making decisions regarding what type of advertising is most appropriate for the action they intend to carry out. To do this, it is necessary to know whether said advertising involves the processing of personal data or not, since this will determine whether, in the event of collecting personal data, different security measures must be established to protect the rights of users.What type of advertising involves data protection processing?Television advertising does NOT require data protection:If a company decides to promote its products, promotions, etc., through television, such advertising will not involve the direct collection of users' personal data, as feedback, understood as the possibility of creating a personal database with the user or consumer, is not possible through this medium. Therefore, the basic regulations governing such advertising are: o Law 7/2010, of March 31, on Audiovisual Communication.o Law 34/1988, of November 11, on General Advertising.o Law 3/1991, of January 10, on Unfair Competition.o Sectoral regulations.In any case, let's not forget that if it's a televised contest or sweepstakes, there's an obligation to provide information about data processing, including the cost of the call and the features of the service, among other obligations (Article 18 of Order PRE/361/2002, of February 14, implementing the rights of users and premium-rate services, Title IV of Royal Decree 1736/1998, of July 31, approving the Regulation implementing Title III of the General Telecommunications Law; in conjunction with Article 20 of the General Law for the Protection of Consumers and Users).Telephone advertising DOES involve the processing of personal data:How many times have we received a call offering us a product? Well, in those situations where the call is recorded and you are asked for certain information such as your first name, last name, email address, etc., personal data is being collected, and the relevant data protection regulations must be taken into account. Therefore, the reference regulations in these cases are:o Royal Legislative Decree 1/2007, of November 16, approving the revised text of the General Law for the Defense of Consumers and Users and other complementary laws.o Organic Law 15/1999, of December 13, on the Protection of Personal Data and its implementing regulations.o General Data Protection Regulation 2016/679.Advertising carried out electronically or through information society services DOES involve the processing of personal data:This type of advertising refers to advertising transmitted through websites, emails, text messages, etc. For example, when advertising is carried out through websites (banners, pop-ups, etc.), we are using the user's IP address to place cookies that help us generate more accurate and tailored advertising tailored to the user's needs. Therefore, we are processing personal data, since the computer's IP address is also considered personal data because it allows us to identify the user of that device.The regulations we must take into account are:o Law 34/2002, of July 11, on information society services and electronic commerce.o Organic Law 15/1999, of December 13, on the Protection of Personal Data and its implementing regulations.or General Data Protection Regulation 2016/679.Commercial communications and data protectiona. What should be done before sending commercial communications?Before sending any commercial communications, we must pay attention to the following aspects:If you are not our clients: - Common files for exclusion from the sending of commercial communications (Article 49.4 of the RLOPD); these files are also known as the Robinson List. Currently, the Robinson List of the Spanish Association of the Digital Economy is the only exclusion file existing in Spain.- Any individual registered on this list expresses their opposition to the sending of commercial communications by digital means. In other words, all companies intending to send commercial communications must consult this list beforehand, in order to exclude from their mailings all users listed in their databases. In any case, please remember that we cannot send commercial communications electronically without the express consent of users.If you are our clients: - Review of the company's own exclusion list. That is, the list of users in the database of the company in question who have expressed their opposition to data processing. Users on this list must be excluded from receiving commercial communications; however, it is permitted to retain the data truly essential to identify the user and not send them commercial information.- We must also verify that the user has been given the right to object to receiving commercial communications or that express consent has been obtained to send commercial communications (Article 15 of the Regulations for the Development of the Organic Law on Data Protection).b. After sending commercial communications- After sending commercial communications, the company must keep track of the objection requests received and proceed to delete said data. Diligence must be exercised in managing ARCO rights and developing and designing a simple and free procedure for exercising them. We must strictly comply with the regulations, thus maintaining an up-to-date file. Relevant Aspects of Telephone AdvertisingThe reform of consumer and user regulations has resulted in the limitation of telephone advertising. For this purpose, we must adhere to Articles 96 et seq. of the General Law for the Protection of Consumers and Users, which establish the following:- Under no circumstances may telephone calls be made to consumers before 9:00 a.m. or later than 9:00 p.m., nor may they be made on holidays or weekends.- If communication techniques involving an automated call system without human intervention, or faxes, are to be used, the consumer's prior express consent is essential.- Telephone calls must be made from an identifiable telephone number; that is, a hidden number may not be used.- The identity of the company and the commercial purpose of the call must be clearly communicated at the beginning of any conversation. Likewise, the identity of the person making the call and their relationship with the company they are calling on behalf of must be disclosed.- It is very important to know that when a consumer contacts the company regarding any incident or complaint, they should not be offered new services or products during the call.Relevant aspects of electronic advertisingWe must also keep in mind the formal aspects established in the Law on Information Society Services and Electronic Commerce (LSSI) regarding the content and format that commercial communications must comply with via this medium, among which we highlight the following:- Commercial communications must be clearly identifiable; for this purpose, the words "Advertising," "Publi," "Newsletter," etc. must be used (Article 20.1 LSSI).- The legal or natural person sending the message must also be clearly identifiable in the message (Article 20.1 LSSI).- It is advisable to include direct access to the website's terms of use and privacy policy (Article 20.1 LSSI).- The possibility of exercising ARCO rights easily and free of charge must be included in each message (Article 21.2 LSSI).Viral marketingIt's becoming increasingly common to hear the term viral marketing, videos that become viral content, etc., all because they spread very quickly. Therefore, we can define the concept of "viral marketing" as: that which manages to generate interest and the willingness to make potential purchases of a brand or product through messages that spread like a virus; it is carried out easily and quickly from person to person; hence, social media is the ideal medium for such advertising.Taking "Refer a Friend" as a reference, we can observe:i. Problems: The Spanish Data Protection Agency (AEPD) has sanctioned this activity on several occasions, based on the fact that the company provides the "sender" with a system for sending data to the "receivers," considering that this involves processing personal data without the latter's consent. (Sanctioning Procedure/00183/2009 and Sanctioning Procedure/00323/2007).ii. Solutions: The website owner must not process personal data (neither of the sender nor of the recipient), and the user must send the commercial communication at their own risk. For example, technically, a form-mail provided by a third party that does not collect personal data must be provided.However, this practice, sanctioned by the Spanish Data Protection Agency, a consequence of abuse in certain online sweepstakes, is still inconsistent with one of the reasons why the Internet exists: to share news.Anonymity on the InternetThe goal of anonymity is more ambitious than simply hiding the name of the person or user by whom they are identified. Rather, what is sought is confidentiality in the activities we carry out online and, above all, what is intended to be protected is, on the one hand, the protection of anonymous speech (freedom of expression) and the protection of personal data. However, the reality is somewhat more complicated if we consider that most of the time, the transactions we carry out are recorded.For example, if you send an email to another person through a provider like Google or Yahoo, it reveals that you are both in contact and contains a series of metadata such as the location where you were when the email was sent, the time, the software used, etc.The same would happen when we visit a website, as it usually has cookies installed through which the website can know where you were when you visited the page, the time, and whether you previously used the same device to access the website. Therefore, when you access any website, you will almost certainly have provided this information, among other things, to the internet service provider, the search engine, and third parties that enable our daily internet use.Therefore, it is important for users (individuals or legal entities) to be aware that IP addresses identify the device from which they are carrying out transactions and are therefore considered personal data (AEPD Report 327/2003).Finally, to generate greater trust in service providers and intermediaries, they must be encouraged to exercise due diligence regarding the personal data they handle to safeguard user rights.CookiesFirst, we must define what cookies mean: "They are files that allow the storage of amounts of data ranging from a few kilobytes to several megabytes on the user's device" (definition given by the AEPD Cookie Guide, accessible in this guide).In other words, they are files containing small amounts of information that are downloaded to the user's device when they visit a website. Their main purpose is to recognize the user each time they access the website.a. Type of cookies1. Technical cookies. These are those that allow the user to navigate through a website, platform, or application and use the different options or services available therein.2. Personalization cookies. These are those that allow the user to access the service with some predefined general characteristics based on a series of criteria on the user's device.3. Analysis cookies. These cookies allow the data controller to track and analyze the behavior of users on the websites to which they are linked.4. Advertising and behavioral advertising cookies. These manage advertising space, and the latter also analyze information on user behavior obtained through continuous monitoring of their browsing habits.b. Legal regulationArticle 22.2 of the Law on Information Society Services and Electronic Commerce (LSSI) (transposition of Directive 2009/136/EC) must be applied in accordance with the Cookie Guide of the Spanish Data Protection Agency (AEPD). In summary, the following must be reported via a first layer (via a pop-up window, etc.):- The use of cookies and whether they are first-party or third-party cookies. Only those cookies that are not exempt need to be reported, as provided in Article 22.2 of the LSSI (technical cookies).- First-party cookies: those sent to the user's terminal from a computer or domain managed by the website owner and from which the service requested by the user is provided.- Third-party cookies: those sent to the user's terminal from a computer or domain not managed by the website owner, but by another entity that processes the data obtained through the cookies. Similarly, cookies installed from a computer or domain managed by the website owner, but the information collected through them is managed by a third party, are not considered first-party cookies.- Where applicable, a warning that if a certain action is performed, the user will be deemed to have accepted the use of cookies (e.g., by browsing, you accept the Cookie Policy).- A link to a second information layer containing more detailed information.Online advertisinga. Types of Online Advertising:- Paid Search: sponsored links such as Google AdWords.- Contextual advertising (keywords).- Personalized advertising: e.g., registered user.- Geotargeting (IP).- Social advertising: Facebook, LinkedIn, Instagram, etc.- Retargeting or remarketing.- Behavioral advertising.b. Behavioral advertising:i. Definition“Advertising that is based on the continuous observation of individuals' (online) behavior” (Opinion 2/2010 of the Article 29 Working Party on Online Behavioral Advertising, June 22, 2010).ii. Characteristics- Browsing tracking (tracking cookies);- The creation, by companies, of browsing profiles based on certain criteria;- The sending of a specific advertisement to a specific browser so that it appears during the user's browsing.iii. Participants:• Advertisers.• Web publishers: On-site advertising (first party) or through an intermediary (third party).• Ad networks: intermediaries between advertisers and publishers (e.g., DoubleClick).• Ad servers: send the advertisements.iv. Guidelines to keep in mind for profiling (Art. 22 of the General Data Protection Regulation 2016/679):- The website must inform you about the possibility of user profiling for segmentation, the tools that will be used, and the purpose.- Obtain consent clearly and explicitly.- Offer the right to exercise ARCO rights.c. Codes of conduct: a set of rules not imposed by law or regulation, which define certain behaviors or commercial practices to which companies that decide to adhere to them are subject.- EASA Best Practice Recommendation on Online Behavioral AdvertisingInformation obligations according to the codes of conduct:- On your own website:- Who is responsible for the cookies- What data they collect- What is the purpose of using the data- In or around advertising:- A universal informational icon that provides access to a tool to opt out of this type of advertising.- http://www.youronlinechoices.com/es/
