GDPR - Direct marketing as a legitimate interest
19 Sep 2016
Legitimate interests of a controller
"Legitimate interests" is a sensible concept. It means that when you look at the overall needs and rights of data controller and data subject, there will be times where you don’t need to ask for consent to collect, store, use, disclose, process, destroy or otherwise “process” personal information.
For example, during an online purchase you have to provide contact, payment and address information, and the seller will have to record your transaction. It would be unnecessarily obstructive, annoying and off-putting for the seller to have to explain this and to obtain a record that the purchaser understood and agreed to this data collection and use. Of course there may be an option to use third-party payment services, sign up for an account, save details, sign up to marketing and more. But some basic information is necessary to fulfil a transaction; collecting it is both “legitimate” and expected, and should not be obstructed by a consent statement.
Within the GDPR text one single phrase has vexed me for months:
The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest
It’s vexing because it is the last sentence in an otherwise well-defined section. And that’s where it ends; the teaser at the end of the credits. It’s vexing because it’s easy to ignore the rest of the GDPR recitals and articles and read that sentence as “you don’t need consent for email marketing because it’s a legitimate interest”.
But if you think that, you're reading this the wrong way round. Let me explain:
You have a collection of signup processes for your marketing program. Through those processes you have contact details and other data provided by your customers and prospects which you use to generate or populate that marketing. Through those processes you can demonstrate clear and specific consent. Now let’s read that previously-vexing sentence again from this starting point:
The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest
How I read this is (annotated by me):
The [collection and use] of personal data [such as email address, name, interests and preferences] for direct marketing purposes may be regarded as [being] carried out [under the consent you’ve already obtained for marketing]
e-Privacy trumps data protection
What this statement is doing is actually reiterating that there are higher permission standards for digital marketing.
If you have data legitimately collected for direct marketing you must already have fulfilled the higher standards set by the e-Privacy directive (and PECR in the UK); so of course you can process that data for direct marketing.
It's not saying that legitimate interests is a basis for direct marketing activities without consent.
This is really interesting, I've been researching the same thing. As PECR does not cover postal marketing, does that mean that I can collect personal data for DM without consent?
Thanks, Mike
Progressive Media Group Limited
Data Protection Manager
Hi Steve, great article.
Strategy and Insight Director
Hi Mike - Simple answer: no.
Remember that the GDPR covers data collection, storage and use; how that data is protected while in your control; how data subjects control the quality, use, disclosure and destruction of that data.
You need a legal basis for collecting, storing and using personal data. Full stop!
Think of web browsing and purchase data, linked to an individual:
If you record page and product views, the device used and the location of the browsing; and you build up a profile based on this location and behaviour and it’s linked to an individual – this is a common scenario covered by the GDPR.
If you have marketing consent, that marketing consent may already cover that behavioural profiling:
The question to ask is: If you don’t have marketing consent what is your justification (the legitimate interest that you can prove) for collecting and processing personal data?
Emarsys UK Ltd
Head of Deliverability