Lesson 23 of 25
Surveillance & Direct Marketing Compliance
5 min read · CIPP/E
Handle CCTV, geolocation, biometrics, and interception, plus the GDPR-and-ePrivacy rules for direct marketing, the absolute marketing opt-out, and online behavioural targeting.
Two compliance arenas: watching and selling
- Surveillance — CCTV, geolocation, biometrics, interception
- Direct marketing — emails, profiling, behavioural targeting
- Both blend GDPR with the ePrivacy Directive
- Proportionality and consent are recurring themes
This lecture covers two of Domain five's arenas: surveillance, the watching of people, and direct marketing, the selling to them. Both blend the GDPR with the ePrivacy Directive, 2002/58, and both turn on the themes we keep returning to, proportionality and consent. Surveillance asks when it is lawful to monitor people in public or private spaces and to intercept their communications.
Direct marketing asks when you can contact and profile people to sell to them. Let's take surveillance first, then marketing, watching for the points where ePrivacy, not the GDPR alone, supplies the rule.
Surveillance by public authorities and interception
- State surveillance must have a legal basis and safeguards
- Law Enforcement Directive 2016/680 governs much police processing
- Interception of communications is tightly restricted
- ECHR Article 8 and CJEU limit mass surveillance
Surveillance conducted by public authorities is constrained by both EU law and human-rights law. State surveillance must rest on a clear legal basis, pursue a legitimate aim, and be necessary and proportionate, with safeguards against abuse. Much police and criminal-justice processing falls under the Law Enforcement Directive, 2016/680, rather than the GDPR, so do not reflexively apply the GDPR to a policing scenario.
The interception of communications (wiretapping, accessing messages) is especially tightly restricted; recall that the Schrems judgments turned on excessive state access to data. The European Court of Human Rights, applying Article 8 of the Convention, and the CJEU have both struck down disproportionate mass-surveillance and bulk-retention regimes. The exam tests that even the state needs a legal basis and proportionality, and that 2016/680 may govern instead of the GDPR.
CCTV, geolocation, and biometrics
- CCTV — lawful basis (often legitimate interests), signage, minimise
- Geolocation — precise location is sensitive; necessity and notice
- Biometrics for unique ID = special-category data (Art. 9)
- Facial recognition needs an Article 9 condition; often a DPIA
Now the specific technologies the Body of Knowledge names. CCTV processes personal data, so it needs a lawful basis, often legitimate interests, balanced against people's expectations; signage to inform people; minimisation, capturing only what is needed; and limited retention. The EDPB has dedicated CCTV guidance.
Geolocation data, especially precise tracking, is intrusive, so it demands a strong justification, necessity, and transparency, and continuous location tracking of staff or users is hard to justify. Biometrics is the big one: when biometric data, like a faceprint or fingerprint, is processed for the purpose of uniquely identifying a person, it is special-category data under Article 9, so you need both a lawful basis and an Article 9 condition, and facial-recognition deployments typically require a DPIA. The exam tests that biometric identification crosses into special-category territory.
Direct marketing under GDPR and ePrivacy
- Need a lawful basis (often consent or legitimate interests)
- ePrivacy: consent generally required for electronic marketing
- 'Soft opt-in' for existing customers in some cases
- Absolute right to object to marketing (Art. 21(2))
Direct marketing sits at the intersection of the GDPR and the ePrivacy Directive. Under the GDPR you need a lawful basis to process data for marketing, commonly consent or legitimate interests. But for electronic marketing (emails, texts, automated calls) the ePrivacy Directive usually adds a consent requirement on top; this is where Article 13 of 2002/58 applies.
There is a limited soft opt-in: you may email existing customers about your own similar products if you gave them an easy opt-out when you collected their details and on every message. And remember the GDPR's trump card from Domain two: under Article 21(2), the right to object to direct marketing is absolute. There is no balancing; you must stop on request. The exam loves to pair the ePrivacy consent rule with the absolute marketing opt-out.
Online behavioural targeting
- Tracking across sites to build profiles for ads
- Cookies/trackers need ePrivacy consent
- Profiling triggers transparency and possibly Article 22
- EDPB scrutinises consent quality and dark patterns
Online behavioural targeting, tracking people across websites to build profiles and serve targeted ads, gets specific attention in the Body of Knowledge. Two regimes apply. First, the cookies and trackers that enable the profiling require consent under the ePrivacy Directive, valid GDPR-standard consent, freely given and unbundled.
Second, the profiling itself is processing under the GDPR, so it needs a lawful basis, transparency about the logic involved, and, where it produces significant effects through solely automated decisions, it engages Article 22's safeguards. The EDPB has been critical of weak consent banners and dark patterns that nudge people into accepting tracking. So the exam's right answer on targeted advertising usually involves genuine, freely given consent and real transparency, not buried defaults.
We cover cookies and dark patterns in more detail next lecture.
Recap
- State surveillance: legal basis, proportionality; often 2016/680
- CCTV/geolocation: basis, notice, minimise; biometrics = special data
- Marketing: GDPR basis + ePrivacy consent; absolute opt-out
- Behavioural targeting needs real consent + transparency
So, surveillance and marketing. State surveillance and interception need a legal basis and must be proportionate, with much police processing governed by the Law Enforcement Directive rather than the GDPR. CCTV and geolocation need a basis, notice, and minimisation, and biometric data used to identify someone is special-category under Article 9.
Direct marketing needs a GDPR lawful basis plus, for electronic channels, ePrivacy consent, and the right to object to marketing is absolute. And online behavioural targeting requires genuine cookie consent and real transparency. Next, the final compliance lecture: cloud, cookies, social media, and AI.
First, go test yourself on surveillance and marketing.
Sources
- Regulation (EU) 2016/679 (GDPR), Article 6, Article 9, Article 21(2) (objection to direct marketing)
- Directive 2002/58/EC (ePrivacy Directive), Article 13 (unsolicited communications)
- Directive 2016/680 (Law Enforcement Directive)
- EDPB guidance on CCTV/video devices (Guidelines 3/2019) and biometrics
- ECtHR case law on interception
Test your knowledge
A few CIPP/E questions on this material.
Q1. What is the purpose of a layered privacy notice, as endorsed by the EDPB?
Q2. Brexit resulted in the UK leaving the EU and the GDPR ceasing to apply directly. Which of the following best describes the current data-protection landscape in the UK?
Q3. When processing special-category data on the basis of explicit consent under Article 9(2)(a), how does 'explicit' consent differ from ordinary consent under Article 4(11)?
Q4. An online retailer collected customers' email addresses for order-confirmation emails. It now wants to use those same email addresses to send promotional newsletters without obtaining new consent. Which factor from the Article 6(4) compatibility test most likely renders this purpose incompatible?