We are advising our members on the standard they must achieve if they wish to rely on consent as their lawful basis for utilising personal data for direct marketing purposes. Direct marketing is defined in the current Data Protection Act as “the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals”.
As a reminder, Article 6 of the GDPR sets out 6 lawful bases for processing personal data:
1. Consent
2. Necessary for a contract with the individual
3. Necessary for compliance with a legal obligation
4. Necessary to protect the interests of the data subject or another natural person
5. Necessary for a public interest task or official duty
6. Necessary for legitimate interests of the controller or a third party.
While consent may seem the obvious basis for marketing activity, your pre-existing marketing databases may not meet the GDPR standard, and so unless you want to do a Wetherspoons and scrap your entire marketing database, you will need to see if another basis can apply. This is where ‘legitimate interests’ can come to your aid.
We suspect ‘legitimate interest’ will be well used. The ICO will no doubt be making sure it is not overused.
So, what will work?
Recital 47 of the GDPR specifically states that “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”. This is good news and could mean we can send out marketing under the lawful basis of legitimate interest. However, we need to balance this against the requirements of the Privacy and Electronic Communications Regulations (PECR) which deals with electronic
PECR Regulation 22 requires a company to have consent to send a marketing email unless:
a. the recipient is an existing customer or potential customer who has previously made an enquiry for a product or service;
b. the direct marketing is in respect of similar products and services only; and
c. the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and at the time of each subsequent communication.
So companies will need to meet the GDPR criteria for consent to marketing unless they meet the above PECR criteria, which are known as the ‘soft opt-in’ rule. The ‘soft opt-in’ means you can send marketing to your existing customers about similar products as long as you offered them the opportunity to opt out when you first collected their details and you offer them the same opt-out opportunity in every subsequent marketing communication.
So if you collected details from existing customers and had an opt-out option, this marketing can continue under GDPR (using legitimate interest as the basis). But you must comply with Article 21 of GDPR, which gives customers the ‘right to object’ at any point.
So, if you are a service and repair garage and you email existing customers prior to the anniversary of their car service to give them details of prices, then as long as you gave them the opportunity to opt out when you took their details and state clearly in the email that they can opt out at any time, you will be fine to continue emailing them every year. The same will apply if you send those customers details of similar services such as winter checks or MOT deals. Your GDPR lawful basis for processing is then legitimate interests (not consent, as there is no opt-in, only an opt-out).
However, if you haven’t been following the law in regard to email marketing already, then you are likely to need to start again and get consent when the customer first makes contact.