The Italian Data Protection Authority, with its recent decision of February 27, 2025, has sanctioned an energy company for violations in telemarketing activities. At the center of the decision is the use of inadequate «omnibus» consents, the failure to respect opposition expressed through the Public Opposition Registry, and the lack of oversight over the contact supply chain.
This case highlights the necessity of collecting free, specific, and granular consents. The importance of the Telemarketing Code of Conduct is reaffirmed as a reference for best practices.
The authority’s decision
The recent decision of February 27, 2025, by the Italian Data Protection Authority has led data controllers to reflect on the long-standing issue of telemarketing and omnibus consents collected for multiple processing purposes.
This decision fits into an already highly sensitive European regulatory framework, as evidenced by recent sanctions imposed by the UK Information Commissioner’s Office (ICO) for unlawful telemarketing activities by two companies involved in millions of promotional calls in violation of data protection laws.
In line with its strict approach towards major players who have misused telemarketing practices, the Italian Authority has imposed a €300,000 fine on a national energy company in this case.
The proceeding was initiated following 82 reports received by the Authority regarding unwanted promotional calls made without a valid legal basis. In many cases, the calls originated from numbers not registered with the Communications Operators Registry (ROC), thus violating transparency and traceability obligations.
The energy company also relied on commercial agencies for telesales and telemarketing activities. This practice raised further concerns regarding proper management of the processing chain and compliance oversight of external operators.
Once again, the Italian Authority has demonstrated particular attention to invasive telemarketing practices, highlighting the risks to individual privacy, both in terms of immaterial damages (such as anxiety and frustration) and material damages (such as connection costs or unauthorized contract signings). This sensitivity aligns with growing awareness of the need to protect data subjects’ rights against increasingly pervasive commercial practices.
Telemarketing, telesales, and the public opposition registry
Before understanding the concept of omnibus consents, which is central to the sanctioning decision, it is important to clarify the distinctions between telemarketing and telesales.
Referring to the «Telemarketing and Telesales Code of Conduct,» which the Authority has reiterated as a best practice reference even for non-adherents, telemarketing refers to operator-assisted phone contacts for promotional purposes through direct calls to national landline and mobile numbers. Telesales, on the other hand, refers to operator-assisted phone contacts for direct sales purposes through calls to national landline and mobile numbers.
The Authority also emphasizes that the definitions of telemarketing and telesales are based both on the means used for data processing and on the purpose pursued by the data controller. Determining the applicable legal framework therefore depends not only on the contractual context but also on pre-contractual activities. If these take place via telephone, they are subject to the obligations and responsibilities governing telemarketing and telesales.
To fully grasp the scope of the decision, it is also necessary to recall that the Public Opposition Registry (RPO)—managed by the Ugo Bordoni Foundation—allows individuals to revoke all previous telemarketing consents for their registered numbers. Consequently, to contact a registered user for promotional purposes, companies must obtain a new (valid) consent from the individual.
Omnibus consents and granularity
In the case examined by the Authority regarding telemarketing and telesales activities, the following violations were found:
- certain phone numbers were contacted for promotional purposes despite being registered in the RPO, violating the «opt-out» mechanism.
- more significantly, subsequent consents expressed by individuals to receive promotional communications, including by phone, were inadequate and did not override their RPO registration-based opposition.
As mentioned earlier, when an individual is registered with the RPO, telemarketing and telesales activities can only be conducted if a new consent is obtained that effectively nullifies the opt-out status.
However, for such consent to be valid, it must be free, specific, and granular, as clarified by the Authority:
- free: The consent must not be mandatory (e.g., pre-checked boxes are invalid), and the individual should not feel coerced into providing it through misleading design practices.
- specific: It must clearly distinguish each purpose for which it is granted.
- granular: It must specify the means of communication (e.g., phone, SMS, email, etc.) and the category of commercial offers (e.g., telecom, energy, insurance, fashion, automotive, etc.).
Omnibus consents, where consent is given for multiple purposes indiscriminately across different means and commercial categories, are prohibited.
In particular, general consent forms that do not allow users to select specific categories of commercial offers violate privacy regulations. Similarly, forms that gather a single all-encompassing consent across different purposes, categories, and communication methods are illegal and do not constitute valid, informed, and unequivocal consent.
Furthermore, an individual wishing to receive telemarketing communications only for a specific sector (e.g., clothing) would be forced into a binary choice—either giving no consent or accepting an omnibus consent, thus receiving unwanted communications across different sectors, channels, and senders. This leads to an unjustified invasion of privacy.
Telemarketing in Europe: comparative approaches
The Italian Authority’s decision is part of a broader European trend of increasing regulatory scrutiny over telemarketing activities. A comparative analysis highlights common trends but also significant regulatory differences:
- France: The French authority (CNIL) has taken a strict stance on telemarketing consents, requiring since 2022 a granular approach by communication channel and commercial partner type. Recently, it fined an energy company €1 million for aggressive telemarketing and non-compliant consent collection.
- Spain: The Spanish AEPD has issued specific guidelines mandating the periodic (at least quarterly) verification of consent validity and the implementation of contact-tracking systems. Spain emphasizes joint liability between data controllers and processors in telemarketing.
- Germany: German authorities enforce particularly strict rules against omnibus consents, with established case law invalidating consents that combine more than two purposes or communication channels. Germany has some of the most stringent formal requirements for consent granularity in Europe.
With this recent decision, the Italian approach aligns with the strictest European standards, emphasizing specificity and granularity of consent in full compliance with European Data Protection Board (EDPB) jurisprudence.
Telemarketing: best practices
The Authority’s decision serves as a significant warning for companies engaged in telemarketing or using this channel for commercial activities. In light of this ruling, an immediate review of consent collection and telemarketing practices is necessary. Companies should:
- provide individuals with adequate privacy notices, including during promotional calls, clearly explaining their rights.
- collect separate and specific consents for each purpose (e.g., marketing, profiling), avoiding broad, all-encompassing consents.
- ensure granular marketing consents, distinguishing commercial categories and communication channels.
- document the contact supply chain, tracking all involved parties, especially when outsourcing telemarketing to external call centers.
- implement measures to ensure call center operators comply with data protection rules, using audits, trap numbers, spot checks, and supplier selection criteria favoring those adhering to the Code of Conduct.
- schedule regular training (at least annually) on data processing for internal staff and require external processors to do the same.
- if acquiring contact lists from third parties, verify that individuals are not on blacklists, are not RPO-registered, and have not revoked consent.
Failure to comply with the Authority’s guidelines not only exposes businesses to significant sanctions but can also undermine corporate reputation and consumer trust, potentially leading to consequences more damaging than the sanctions themselves in the medium to long term.
GDPR checklist for telemarketing
| Area | Requirement | Practical observations |
|---|---|---|
| Consent | It must be freely given, specific, and granular | Avoid pre-selected or bundled consents; distinguish purposes, channels, and product categories |
| Information notice | It must be provided clearly and comprehensively, even during the call | Specify the data controller, purposes, legal basis, and the data subject’s rights |
| Public Register of Objections (RPO) | It is prohibited to contact registered numbers without obtaining new valid consent | Systematically check the lists before each campaign |
| Documentation | Track the contact chain and the source of the data | Keep evidence of consent and control over suppliers |
| External processors | They must be formally appointed and subject to binding instructions | Introduce controls (e.g., audits, dummy numbers, strict contractual clauses) |
| Training | Periodic training is required for both internal and external operators | At least annually, with a focus on privacy, consent, and conduct during calls |
| Leads and acquired lists | Verify the origin, validity of consent, and exclusions (RPO/blacklists) | Request declarations and guarantees from the supplier, and include penalties for illegal use |