Lawgistics has drawn up advice on the standard to be achieved when relying on consent as the lawful basis for utilising personal data for direct marketing purposes, direct marketing being defined in the current Data Protection Act as “the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals”.
Article 6 of the GDPR sets out 6 lawful bases for processing personal data:
- Consent of the individual
- Necessary for a contract with the individual
- Necessary for compliance with a legal obligation
- Necessary to protect the interests of the data subject or another natural person
- Necessary for a public interest task or official duty
- Necessary for the legitimate interests of the controller or a third party.
While consent may seem the obvious basis for marketing activity, pre-existing marketing databases may not meet the GDPR standard, and unless a business wishes to scrap its entire marketing database, it will need to see whether another basis can apply. This is where ‘legitimate interests’ may be applicable.
Lawgistics feels that the ‘legitimate interest’ basis will be well used, and thus the ICO will no doubt be keen to ensure it is not overused.
Recital 47 of the GDPR specifically states that “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”. This is good news and could mean marketing may be sent out under the lawful basis of legitimate interest. However, this must be balanced against the requirements of the Privacy and Electronic Communications Regulations (PECR), which deal with electronic marketing.
PECR Regulation 22 requires that a company has consent to send a marketing email unless:
a) the recipient is an existing customer or potential customer who has previously made an enquiry for a product or service;
b) the direct marketing is in respect of similar products and services only; and
c) the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and at the time of each subsequent communication.
A business will therefore need to meet the GDPR criteria for consent to marketing unless it meets the above PECR criteria, which are known as the ‘soft opt-in’ rule. The ‘soft opt-in’ means marketing can be sent to existing customers about similar products as long as they were offered the opportunity to opt out when their details were first collected and they are offered the same opt-out opportunity in every subsequent marketing communication.
If details were collected from existing customers with an opt-out option, this marketing can continue under GDPR (using legitimate interest as the basis); however, the business must comply with Article 21 of GDPR, which gives customers the ‘right to object’ at any point.
However, any business whose current marketing is not already compliant with the law in regard to email marketing will probably need to start again and get consent when the customer first makes contact.
Lawgistics’ advice regarding the acceptability of a consent box and statement under GDPR is that the statement “We may use your information to send you details of special offers on products and services. Please tick if you do not wish to receive such emails” is not acceptable, because the GDPR requires a positive opt-in, not an opt-out. The clause would need to read:
“From time to time we would like to send you information about our products, services and special deals. Please tick this box if you would like to receive such updates from us.”
Any business whose marketing database does not meet either the GDPR consent criteria or the criteria for the ‘soft opt-in’ under PECR Regulation 22 will not be able to send an email asking for consent to further marketing emails, as that email itself will be considered marketing. Such a business may be considering telephoning these people to get consent.
Live phone calls are covered by Regulation 21 of the PECR. This allows businesses to make unsolicited marketing calls to people. However, before making a call, the business must check that the person is not registered with the Telephone Preference Service (TPS). If a person is on that list, they do not want to receive calls and cannot be telephoned without specific permission from that individual. Having checked the TPS and established that the customer is not listed, the business can call them to ask for consent to future email marketing, but businesses are advised to keep a clear record of the conversation and date. Anyone who expressly requests not to receive further calls must be noted, and that list checked each time such calls are made in the future. A business must not withhold its number when making these calls.
If a marketing call is to another business, both the TPS and the CTPS lists must be checked, as some businesses (e.g. sole traders) will be registered with the TPS and some will be registered with the CTPS (limited companies). However, if the business is not on either list, it can continue to be called. Under GDPR, legitimate interest would be cited as the basis for processing.