Do you know what you’re doing when it comes to marketing data, marketing consents and legitimate interests?
Consent for marketing is nothing new.
The Privacy and Electronic Communications (EC Directive) Regulations (“PECR”) set out a number of electronic marketing rules which vary depending on the medium used (email, SMS, phone, fax, etc.) and the audience being targeted (customers, other businesses, sole traders, etc.). Specifically, they set out the scenarios in which you need “consent” to send electronic marketing messages, and they state that, for the purposes of the regulations, “consent” takes the same meaning as set out in data protection legislation. PECR has been around since 2003 and is still in place in UK law (i.e. it hasn’t been replaced by GDPR).
GDPR and lawful basis for processing
Last year, of course, GDPR arrived with a “new” consent rule. From a data protection perspective, consent isn’t just about permission to send marketing materials; it’s one of a number of lawful bases for processing, or, put another way, the rules about when it is lawful to process data. The type of consent varies depending on the type of data you’re processing.
Another lawful basis for processing is “legitimate interest” which on paper looks like the saviour for all processing because, provided you can show you have a business interest in processing the data, you can rely on legitimate interest as the lawful basis for your processing. It’s of course not that simple — to rely on legitimate interest you will need to be able to demonstrate that it’s lawful, that you have a real reason to process the data, that it’s necessary for you to process the data and that by relying on this lawful basis you’re not undermining the rights of the data subjects. In essence if it’s not lawful for you to process the data in the first place then you can’t rely on legitimate interests.
Unfortunately, “consent” got messy. I’m sure you’ll remember the deluge of “we need your consent” emails that bombarded our email boxes in the run up to the GDPR implementation deadline in May. It got so messy in fact even the ICO had to write some myth busting blog posts to explain that consent isn’t the only way you can comply with GDPR.
From a marketing perspective, the biggest issue was that everyone got caught up in the idea that the new consent rules were a major change. Yes, GDPR removed the use of pre-ticked boxes (in most scenarios), but that doesn’t mean you can’t use third-party email lists or that you have to stop emailing customers.
Another significant issue, it would seem, is that most people forgot or quickly disregarded PECR. The GDPR never did replace PECR; as before, PECR sits alongside data protection regulation. What’s changed is that where PECR says you need consent to send marketing, you now need to have GDPR-compliant consent.
Legitimate interests confusion
Whether or not consent got you confused, legitimate interest (“LI”) is always a little confusing and whilst the GDPR changed very little about LI, it did wake people up to the concept of LI as a lawful basis for processing and the use of legitimate interest assessments (“LIA”).
However, what didn’t help from a marketing perspective was a mention in the GDPR’s recitals (Recital 47) that the “processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”. This got a lot of organisations thinking that where consent wasn’t possible, or was difficult, they could at least rely on LI to make their marketing lawful. Unfortunately, as always, it’s not as easy as that — remember, if it’s unlawful to process then you can’t rely on LI.
Consent or legitimate interests?
So, when you process data for marketing purposes the processing has to be lawful — you need to work out what your lawful basis for processing actually is, and that’s where PECR can help — if it says you need consent then you will now need to apply GDPR-compliant consent; if you don’t need consent then you may be able to rely on legitimate interest (e.g. for marketing to your customers).
And don’t forget all other processing (e.g. storing in your CRM, giving to a third-party marketing company to process, etc.) is covered by GDPR and so GDPR still applies to your marketing data.
The other side of the confusion
The confusion around consent, and the expectation that you need consent for all marketing (which you don’t), has had an annoying side effect for some businesses, who are seeing a backlash from prospects who believe that GDPR fixed the spam problem and that they shouldn’t have been contacted.
Because so many people forgot about PECR and misunderstood (or were badly advised) that you always need consent for marketing, businesses who are legitimately carrying out cold-prospecting for sales (e.g. B2B email marketing) are finding themselves at the receiving end of individuals who thought they knew the law when they didn’t. I’ve seen situations where they are being challenged about the legitimacy of their marketing, resulting in some cases in complaints and subject access requests, causing an unnecessary (but allowable) resource headache.
Still not sure?
If you’re still not sure how to tell your marketing consents from your marketing legitimate interests, or how GDPR impacts marketing data, come along to one of my workshops.
If you can make it to Poole in Dorset on the 22nd February then come along to our workshop at the Dorset Chamber offices, details here: https://digitalcompliancehub.co.uk/event/data-protection-privacy-for-digital-marketers/
Alternatively, dial into the same workshop, but online on the 16th April: https://digitalcompliancehub.co.uk/event/data-protection-privacy-for-digital-marketers-webinar/