GDPR Marketing – Consent vs Legitimate Interest

May 11, 2018

In my Quick GDPR Compliance Plan yesterday I suggested GDPR presents an opportunity for businesses to sharpen their approach towards marketing by being more strategic. So, what should you specifically do to be able to use the contact details in your database for marketing purposes?

Marketing under the GDPR (whether postal, phone, email, SMS or any other form of marketing) is regulated like any other data processing activity.  So, you must show that you have a lawful basis under Art 6 to conduct direct marketing, and this lawful basis does not necessarily have to be consent-based.  In fact, it generally won’t be.

This is because the GDPR acknowledges that direct marketing will often be a ‘legitimate interest’ of the data controller (legitimate interests being a non-consent based ground for data processing) and therefore consent to direct marketing is often not required under the GDPR.

What about the E Privacy Directive?

However, as well as the GDPR, we need to take account of the Privacy Electronic Communications Regulations (known as the E Privacy Directive or PECR).

PECR covers electronic communications such as phone, fax, email and SMS. It requires opt-in consent for email and SMS marketing unless an individual’s contact details were collected in the context of a sale or negotiations for a sale (prospects).  The other exception is if you are marketing to corporate subscribers (here the problem is that it’s difficult to exclude partnerships and sole traders who do not constitute corporates).

For these cases it is possible to send marketing communications by providing an unsubscribe link. And phone direct marketing is also generally possible on the basis of opt-out provided the call list is first screened against the relevant country’s national do-not-call registry. Here is a useful guidance note provided by the ICO recently.

Two weeks to go

If you’re coming at this a couple of weeks before 25 May, you’ll likely want to know what you need to do to be able to continue communicating with your contacts. Specifically, what should you do to be able to use the email addresses you have in your database for marketing purposes?

Given the shortage of time available now, the question is to what extent you may use legitimate interest to continue to market to your contacts. That still entails sending an email to ask for an opt in but once you’ve done so you are unlikely to get many opt ins, so it comes down to analysing your database to understand who you may continue to market to.

Have you been doing any emailing?

So much depends on what you have been doing with the email addresses you’ve collected. How good are your systems in terms of recording permissions and background information?

For example, if you use Mailchimp and have been sending out emails, you will know who has been engaging with your emails and who has not even opened them. So, if you have records of that nature available to you it’s possible to separate your list of engaged contacts from your list of unengaged contacts. That will improve deliverability of your email to your engaged contacts.

That sort of data ultimately helps you to narrow down the number of names and email addresses you need to sift through manually when deciding which individuals you may legitimately market to even if they don’t opt in when you send your email requesting an opt in.

Improving the quality of your data

I’ve spent a good part of the last 2 years sorting out our CRM records to more accurately identify the different categories of contact in our systems. We moved systems a few times over the last few years, including from Infusionsoft to Microsoft Dynamics 18 months ago. This resulted in some messing up of our data. So, if you’re starting off from a point where you haven’t had time to organise your database it would be very difficult to do anything else but seek consent from the entire list of contacts and then sift through your database to identify those names to remove and those to retain.

Therefore, whatever email or series of emails you may decide to send out to get opt ins, it will be necessary to review your records afterwards to pick out names of customers who have bought from you and prospects or others whose consent you will not need.

For any business card contacts whose names you added to your database with their knowledge and approval, you would need to take a view on whether to continue to send emails to them.

I imagine that you will want to set yourself up properly moving forwards so that you collect emails in the right way, with relevant permissions duly recorded. Certainly, for me GDPR brought marketing lists and email marketing to the fore in a way that PECR had not.

If you want to market effectively, and be in compliance with GDPR and PECR, you have to have some sort of strategy about what emails you will be sending people moving forwards. This becomes especially relevant for web forms.

Web forms

To avoid the need for opt in tick boxes on your web form, you could comply with GDPR and PECR by including your newsletter as part of the offer. For example, if I’m offering a useful ebook on IP, I might say something like “Complete the form to receive our 7 Mistakes ebook and our monthly newsletter.” If people don’t want the newsletter, they can opt out at the earliest opportunity, but at least you don’t need to add tick boxes and go to extensive trouble if the whole reason for offering the ebook was to get an interested subscriber to whom you could send marketing communications.

This works if you know you will want to add everyone to one master list. It may not be transparent enough where you also want to send a sequence of emails relating to that ebook. If you do, then you would need to make this clear, or ask for further permissions in the email delivering the ebook.

Double opt in

Although not required by GDPR, I recommend use of double opt in for delivering ebooks.

GDPR has given added reason to use this delivery mechanism. For one thing, you can ensure it is a proper email address that the subscriber has provided. Secondly, you have more of an opportunity to get an opt in to something else if you send your request in the email delivering the valuable ebook, because the email will be sitting in the subscriber’s emails, whereas an opt in box is only fleetingly seen and may not be ticked.

Certainly, you should do some deep thinking about your future plans and objectives. If all you’re wanting is to know that you can send your sequence of emails relevant to that download, then as long as you make it clear in the invitation to sign up to that download that it includes your regular sequence of emails, you will have all the consents you need. So this should be one reason not to just collect email addresses without first having a clear overall plan.

If you don’t make it clear in the web page offer that you’ll be sending newsletters or other emails, or if you want to share data with third parties then you must have an opt in box on your web form.

I can’t stress enough how important it is that you properly understand the reasons for collecting email addresses, and whether you need to add opt in boxes.

If you would like help to comply with GDPR either now or after 25 May to review your marketing or other set ups, then do get in touch. We’d love to help.