GDPR Consent or legitimate interest? Email marketers need both
14 Aug 2017
There’s a lot of debate and confusion around consent and legitimate interest, around GDPR and PECR/ePrivacy.
Currently, with PECR, we see opt-out and pre-ticked opt-in for marketing where there is a customer relationship. With this “soft opt-in” to email marketing you are required to give customers a means of opting out at the point where they sign up or make a purchase. The opportunity to unsubscribe must also be provided in every message.
Because email marketers are used to this very common practice, it’s no surprise that when reading recital 47 and Article 21(2) email marketers think the GDPR is talking about “soft opt-in”. Literally the first thing an email marketer said to me after reading that was “so you just need soft opt-in for email?”. And it’s easy to see why:
GDPR recital 47 “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”.
Article 21 (2) “the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing”.
Is “processing personal data for direct marketing purposes” the same as “performing direct marketing”? No.
Is email marketing the same as direct marketing? No.
Article 21(1) does not say: “forget ePrivacy; you don’t need consent for email marketing because it is an organisation’s legitimate interest”.
The difference is that “processing data for marketing” is not necessarily “sending direct marketing” and it definitely is not “sending email marketing”.
Electronic Communications and Data Protection
You need a legal basis to send email, SMS and automated telephone marketing (defined by PECR and ePrivacy). You need a separate legal basis to collect, store, process, share and use the contact details and all that ancillary data used for targeting, segmenting, personalisation (defined by DPA and GDPR). These are different laws and they work together.
How PECR/ePrivacy and DPA/GDPR work together for email marketing.
Under PECR and ePrivacy you need consent or an existing customer relationship to send email marketing. If you want to make your emails more timely, targeted and tailored to the individual, you need data: demographics, preferences, purchases, browsing behaviour, location and device information. All this extra information can help make email more relevant and valuable, but data protection regulations (DPA and GDPR) require you to have a legal basis for this. This is to ensure what you do is fair, transparent and not excessive, and to make sure you look after the data you collect, store and use. And for that you need consent or “legitimate interest”.
Why not just make everything based on consent?
Consent can be difficult.
And the GDPR is making consent even trickier. Consent to GDPR standards requires you to explain what you are going to do, concisely, but in full, before you collect the data. And you need to explain it in a way that makes your customer want to sign up to it before they’ve seen the benefits. You may not know exactly what campaigns you’ll be running later in the year, or what clever new dynamic content your email provider is going to come out with next month, but you need to explain it to your customer and ask their permission before you collect the data. It may be that consent (with prior information and information only used for the purpose it was originally obtained) is not possible.
Legitimate interest may be easier.
You still need to explain and give relevant choices and appropriate control over what you do; but you have a little more flexibility over how you give this information because you can explain about the new data use when you start using it. We already see this on websites where product recommendations are given – the website should show why those recommendations are made and you can control what data (purchases/views) is used to make your recommendations. For more information on legitimate interests, read my guide here.
Read GDPR recital 47 again: “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”. Think about all that data you collect and use for targeting and personalisation, and it all makes sense. You may not be able to get consent to GDPR standards, but you do need to let people know what you are doing and why, and let them make choices.