When GDPR came into force on May 25th 2018, some of the methods used by businesses to gain data-processing consent were outlawed. Previously, it was possible to gain opt-out consent from clients when they created an account. This type of consent involved either checking a box to avoid being on a mailing list or unchecking a pre-checked box. Consent was often given passively, using these slightly duplicitous methods.
Under GDPR, customers must now check an unambiguous box to opt in before they can be added to a mailing list. Predictably, this form of proactive consent is less often surrendered.
Customer consent is one of six legal justifications for processing personal data. The other five are contract, legal obligation, legitimate interest, vital interests and public tasks. Of these, legitimate interest (LI) offers a useful alternative to consent as a basis for processing data. It allows marketers to contact customers whose details they have secured during a sale or negotiations for a possible sale. This type of implied consent is known as “soft opt-in”.
LI provides a lawful basis for processing data without consent, but it must still satisfy GDPR criteria. To be valid, it first has to pass a three-part legitimate interest assessment (LIA):
Legitimate interest applies to B2B clients as well as B2C, though businesses are expected to be more empathetic and robust in the face of data use. Special consideration must be given to the impact of data processing on individuals.
In short, no. Direct marketing under the legitimate interest umbrella should comply with the Privacy and Electronic Communications Regulations (PECR). This means it must have been solicited by the data subject. If this isn’t the case, direct marketing can only be conveyed via post, live phone calls without TPS/CTPS registration or objection, or emails and text messages to soft opt-in customers or business contacts. You cannot use legitimate interest as a default, do-it-all basis for data processing.
Marketers can send out promotional emails to opted-in customers. This might be done through agencies or email service providers such as MailChimp, GetResponse, SparkPost and others. The type of data collected and processed from individuals includes the following:
It’s imperative for businesses to manage data sprawl in order to comply with EU regulations and the UK’s DPA (Data Protection Act). A data mapping tool is an invaluable aid in achieving this. Once you can see how data passes through your business, you can also see what consent has been obtained (or not), avoid data breaches and make your database compliant.
Legitimate interest can be justified in numerous ways to engage new customers, reactivate dormant users or to otherwise benefit the business. Here are five such ways:
With some notable caveats, legitimate interest can be used for direct marketing purposes in place of consent. It’s particularly useful in conjunction with soft opt-ins. Meticulous records should be kept so that legal compliance can be demonstrated. Especially with B2C data, legitimate-interest assessments (LIAs) should show the arguments against data processing as well as those for it.
The personalisation of a website so that it exploits an individual’s data is an obvious marketing tactic, but it can be justified through legitimate interest. An example of this is when companies offer similar or complementary items for sale based on a customer’s browsing or buying history.
Businesses may collect and process data without consent for market research purposes, including trend analysis or a study of marketing effectiveness.
Suppression refers to a customer’s opposition to receiving direct marketing or having details kept on file, but a limited amount of data must be stored to ensure no emails are sent and that wishes are obeyed.
Although you cannot send marketing emails to opted-out individuals or try to entice them into opting back in (some large companies have been fined for doing this), you can try to re-engage customers by sending materials through regular post.
An acid test for legitimate interest is always this: what does the customer expect to see or receive? That’s a reliable starting point. For GDPR compliance and efficient, lawful marketing, get your house in order with data mapping!