Soft spam, final interpretation by the Court of Cassation

The Decision no. 7555 of 15 March 2023 of the Italian Supreme Court of Cassation regarding the processing of personal data has made a striking interpretation of the concept of "soft spam". The latter consists of the widespread market practice envisaged by paragraph 4 of art. 130 of the Privacy Code, according to which if the data controller uses the e-mail address provided by a data subject in the context of the sale of a product or service, for the purpose of direct sale of its products or services, the data controller may not request the consent, provided that the services are similar to those being sold and the data subject, adequately informed, does not refuse such use.

With the aforementioned Decision, the Second Civil Section of the Court provided a decisive definition of the scope of application of the “soft spam” regime, to be interpreted in a wholly exceptional and restrictive manner.

In the case at issue, a company offering online quote comparison services claimed to have legitimately carried out the activity of soft spam also towards "non-paying users", i.e. subjects who had registered to obtain a free trial of the service. The Court of Cassation then provided its interpretation of this practice, clearly establishing that the Privacy Code, in art. 130, regulates the so-called “unsolicited communications” providing that "the use of automated call or call communication systems without the intervention of an operator for sending advertising or direct sales material or for carrying out market research or commercial communication is permitted with the consent of the contractor or user". On the contrary, the soft spam regime configures only an exception to the general rule of consent and concerns the hypothesis in which the data controller has obtained the e-mail address "in the context of the sale of a product or service", thereby excluding all other hypotheses in which the acquisition of personal data takes place in a different way and for different purposes. To this end, the term "sale" must obviously be intended in a technical sense, requiring that an onerous contractual relationship must be established between the data controller and the data subject, in which the latter has been clearly informed of the receipt of advertising material.

As  a consequence, according to the Court, "non-paying customers", such as users who have only registered or have tested the service on a website without concluding any contract, cannot be included in the soft spam regime: for the Court, therefore, it is not sufficient “that the test is aimed at the sale but it is necessary, for the purposes of applying the derogatory regime pursuant to Legislative Decree no. 196 of 2003, art. 130, paragraph 4, that the sale contract has been completed".

In the light of this stringent interpretation, it is important for operators and companies that carry out marketing activities not to be caught unprepared, carrying out appropriate assessment activities on the various methods and channels through which their marketing campaigns are carried out, as well as on the legal bases used (e.g. consent, legitimate interest), in order to implement all the necessary measures to make their internal processes involved in marketing activities as compliant as possible.