In the run-up to GDPR enforcement day, many thought the only game in town when it came to lawful bases for processing personal data was Consent. It seemed Article 6 and it’s six lawful bases had been widely overlooked. Admittedly, four of the other lawful bases don’t apply when it comes to direct marketing communications, but could Legitimate Interests have been more widely adopted?
As the deluge of emails descended, pleading with us to opt-in or said organisation could never darken our email in-box again, some companies may have blindly followed the crowd when they could’ve potentially taken a different approach. And, to boot, an approach which would not have left them with a decimated email database. Anecdotally, it seems the ‘fortunate’ managed to secure a 10% opt-in rate, but others fared even worse.
What GDPR tells us is that we must identify a lawful basis for processing, but nowhere does the Regulation say Consent is required for direct marketing. In fact, in Recital 47 it clearly states, “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” A crucial line that the European direct marketing industry fought hard to get included.
The key is the ePrivacy Directive which gave us PECR in the UK. PECR clearly tells us when we need Consent for direct marketing, namely to send marketing emails or texts to “individual subscribers” unless the “soft opt-in” exemption applies. Where Consent is not required Legitimate Interests is a clear choice.
Admittedly the ICO’s detailed guidance on Legitimate Interests arrived at the 11th hour in April, but others (including the Data Protection Network) had offered guidance earlier, and there was still time for companies to halt their repermissioning campaigns. In its guidance the Regulator clearly set out where Legitimate Interests might be appropriate for direct marketing activities.
Companies could have chosen to rely on Legitimate Interests to continue to email their existing customers, if they’d (a) always provided an opportunity to opt-out, and (b) were only going to send messages about their own products and services. Companies could also rely on Legitimate Interests to email or text “corporate subscribers” namely joe.bloggs@’corporation’.com, where the rules on consent and the “soft opt-in” do not apply.
Was Consent seen as the only route, or perhaps deemed the most open and trustworthy approach? Was Legitimate Interests considered, but in the end deemed to be too subjective and open to challenge?
Whatever choice companies made, it is clear many may be licking their wounds and working hard on strategies to rebuild their email marketing databases.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance to the Data Protection Act 1998 or other statutory measures referred to in the document.