In which of the following cases would an organization MOST LIKELY be required to follow both ePrivacy and data protection rules?

In which of the following cases would an organization MOST LIKELY be required to follow both ePrivacy and data protection rules?

A. When creating an untargeted pop-up ad on a website.

B. When calling a potential customer to notify her of an upcoming product sale.

C. When emailing a customer to announce that his recent order should arrive earlier than expected.

D. When paying a search engine company to give prominence to certain products and services within specific search results.

View Answer

Answer: B

Explanation:

Both ePrivacy and data protection rules (like the GDPR) can be applicable simultaneously in certain scenarios, particularly when it comes to direct marketing.

A brief overview of each option:

A. Untargeted pop-up ads on a website are mainly an ePrivacy issue as they involve the use of cookies or similar technologies. There might be a limited GDPR implication if personal data is collected through such cookies, but it’s less direct than other options.

B. Direct marketing calls, especially unsolicited ones, require compliance with ePrivacy rules (for example, checking against "do not call" lists). Additionally, any processing of personal data in relation to such calls (like storing phone numbers or using them for further processing) would fall under GDPR.

C. Informing a customer about their order status is transactional and necessary for the performance of a contract. It would not be considered direct marketing, so ePrivacy’s direct marketing provisions wouldn’t likely apply, although GDPR would still be relevant.

D. Paying for prominence in search results is an advertising activity. While this might involve some data protection considerations, it’s less direct in terms of combining both ePrivacy and GDPR implications compared to direct marketing activities.

Therefore, option B represents a scenario where both ePrivacy (related to direct marketing communications) and GDPR (related to the processing of personal data) would likely apply.