Cookies, Online Tracking and Direct Marketing
Are there specific requirements for the use of cookies and other online tracking technologies?

Last review date: 7 January 2025

No.

Are there specific requirements related to the use of personal data for direct marketing activities?

Last review date: 7 January 2025

Yes.

- email marketing
  - prior opt-in consent
  - prior existing business relationship (and subject to other requirements) with opt-out consent
- telephone marketing
  - prior opt-in consent
  - prior existing business relationship (and subject to other requirements) with opt-out consent
- SMS/text message marketing
  - prior opt-in consent
  - prior existing business relationship (and subject to other requirements) with opt-out consent
- postal marketing
  - prior opt-in consent
  - prior existing business relationship (and subject to other requirements) with opt-out consent
- online behavioral advertising targeting/social media targeting/ad personalization marketing
  - prior opt-in consent
  - prior existing business relationship (and subject to other requirements) with opt-out consent

NPC Circular No. 2023-04 states that when processing non-sensitive personal information, a controller may consider direct marketing as a legitimate interest, which would not require the consent of the data subject, provided that the controller conducts a legitimate interest assessment (LIA). If the LIA reveals that legitimate interest cannot be made the basis for processing, the controller may still process the personal data on the basis of consent. In case consent is relied upon by the controller as its legal basis for processing and such consent is withdrawn by the data subject, the controller cannot claim legitimate interest to continue the processing activity.

Additionally, in an office advisory issued by the NPC, the NPC reiterated that the DPA does not consider a soft opt-in approach as valid consent, and hence PICs and PIPs have to rely on the other lawful criteria for processing: (1) the legitimate interest is established; (2) the processing is necessary to fulfill the legitimate interest that is established; and (3) the interest is legitimate or lawful and it does not override fundamental rights and freedoms of data subjects.