There is much talk, and indeed confusion, about the need for explicit consent to process personal data for marketing purposes under GDPR.
All of the factual information that follows is extracted directly from the ICO website, and we make it clear when we are applying our interpretation.
Less talked about is the alternative to gaining consent - demonstrating legitimate interest.
In simple terms, legitimate interest says that a business (the data controller) can process the data when it can show a valid reason for doing so. This ruling is more flexible than consent and could, in principle, apply to any reasonable purpose, including marketing.
The ICO acknowledges that the interpretation of legitimate interest can be broad and could include starting or growing a business. Indeed, Recital 47 of the GDPR says:
“...the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”.
Businesses are encouraged to use legitimate interest as their basis for processing data when:
Well, the starting point is that we can’t just decide that processing the data is in our legitimate interests. We need to be able to satisfy three tests:
We’ve established that direct marketing is likely to be considered a legitimate interest and, for most marketing activities, processing the data could be shown to be necessary for effective targeting and monitoring. Providing the activities don’t compromise an individual’s basic rights, we look to be in a good place.
There is a curve ball, however. Although marketing in general may be a legitimate purpose, the method of marketing has a bearing on whether legitimate interest can be claimed. To quote directly from the ICO website:
“If you intend to process personal data for the purposes of direct marketing by electronic means (by email, text, automated calls etc.) legitimate interests may not always be an appropriate basis for processing. This is because the e-privacy laws on electronic marketing – currently the Privacy and Electronic Communications Regulations (PECR) – require that individuals give their consent to some forms of electronic marketing. It is the GDPR standard of consent that applies, because of the effect of Article 94 of the GDPR. You are not able to use legitimate interests to legitimise processing that is unlawful under other legislation”.
Buying and using lists of consumer email addresses without a specific opt-in applicable to the purchaser would, therefore, be a breach because consent has not been given and “at the time and in the context of the collection of the personal data, the subject would not reasonably expect that additional processing to take place”.
The ICO does, however, offer a ray of light for marketers everywhere when it says:
"Based on the current legislation (PECR), and depending on the outcome of your three-part test, legitimate interests may be appropriate for ‘solicited’ marketing (i.e. marketing pro-actively requested by the individual), or for unsolicited marketing in the following circumstances:
The ICO explicitly says that "data about people in their professional capacity is considered less sensitive than in their personal capacity" and "most processing of business contacts data will be lawful on the basis of legitimate interests" with the caveat that there is no absolute rule and the three-part test needs to be applied to be certain.
The ICO seems to recognise the unintended threat of GDPR to responsible marketing and is making provision for it to continue.
There is clearly a significant difference between using personal data in the form of a business email address to send a marketing message which offers a service that you reasonably believe the recipient will be interested in, and the Cambridge Analytica style of use where the processing was “unexpected and the individuals lost control over the use of their data and weren’t in an informed position to exercise their rights”.
The less sensitive or private the data is, the less likely it seems it is going to be considered an intrusion. Using an email address to contact somebody in their professional capacity would appear to have a minimal impact on that person’s individual rights or freedoms and be unlikely to raise too many eyebrows in Officialdom. We also believe that while legitimate interest is much easier to prove for existing and previous customers because you can demonstrate “a relevant and appropriate relationship”, it may also be applied to prospects if handled responsibly.
The advice we are offering to our clients is to follow 8 Golden Rules
The closing thought to keep us all on our toes is that the EU is in the process of replacing the current e-privacy law with a new ePrivacy Regulation (ePR). The new ePR is yet to be agreed and when it is, it could move the goal-posts again. We'll be watching the situation closely, but in the meantime, the existing PECR rules continue to apply.
For help on implementing GDPR compliant processes in your organisation, please contact us.
Neil is a Chartered Marketer and Fellow of the Chartered Institute of Marketing with many years' experience in marketing, brand and communications.
CEO / The Marketing Eye