Re: GDPR Legitimate Interest

Sean_Richards · ‎10-02-2019

I have a data provider that provides us access to a targeted database of people (names, emails, company, title, etc).

In their database it includes people from EU countries.

I emailed them some questions, see below...

I have some questions in regards to your privacy policy. We are in the process of doing some new high quality targeted marketing (email) campaigns which include people from your database that fall under GDPR.

I should state up front that Natalie and I have invested many months studying GDPR and global privacy legislation, how it relates to our sales and marketing operations and implementing much of the technology to support our compliance.

In regards to your Privacy Policy, it states the following:

So, as long as your communications aren’t overridden by the interests or fundamental data protection rights and freedoms of the individual, you can use personal data for the purposes of sending direct marketing communications so far as GDPR is concerned. Relevant, targeted and unobtrusive direct business-to-business marketing is unlikely to be overridden by those interests, but please see our Purchasing Guide for further guidance.

The way I read this is it says that you take the position that targeted B2B sales outreach or direct marketing to people that are relevant, would in many instances be classified as implying legitimate interest and therefore "implied consent" under GDPR. However as we understand it, this is not the law. Unless the people under GDPR have provided explicit (opt-in) consent to marketing, they cannot be marketed to. Legitimate interest is reserved for people who are customers or moving through a businesses systems under a transactional process. Imagine someone orders a pizza from an online pizza store. They are providing their details and expect you to process their data to complete the order, but they did NOT agree to opt in to marketing.

What is your stance on this and can you provide explicit consent has been provided from the people within your database?

I also would like to know where in the policy it states that their opt-in (if any) also includes their consent to your customers (us in this case) using their personal information for marketing. If they have not agreed to this, we and you could be breaking the law by us marketing to these people who are under GDPR.

It seems you've taken a very liberal an approach to interpreting what constitutes "legitimate interests" and are essentially assuming "implied consent" if they are a match to our target market, much like our Privacy law in Australia (and many other countries that still allow inferred consent). However this is not how GDPR works.

Here as an example is a trusted resource that I've timestamped accordingly: https://youtu.be/k4hnSAM0nWI?t=818

Here is another timestamp: https://youtu.be/k4hnSAM0nWI?t=1522

Can I also ask how are you proving legitimate interest for keeping these people's data and do you have their explicit consent for us to use your data for our marketing purposes?

If you believe I have this wrong, please let me know. I am sure you have had to answer this already, so hopefully can copy and paste from another response.

Then I had a phone call with them where they stated:

Our position is that if someone is a fit for business (target persona) in a B2B model, that qualifies under GDPR as legitimate interest and we believe that it's lawful to add that person to our database AND market to them. Therefore our customers like yourself should also be able to use this same criteria to prove legitimate interest, so long as you and we provide the means for them to opt out.

This is definitely contrary to our understanding and interpretation of the law of GDPR.

Am I right?

Sean Richards

SanfordWhiteman · ‎10-02-2019

You are right. These people are encouraging lawbreaking, by any interpretation I have seen (and that's many across our clients).

Sean_Richards · ‎10-03-2019

Thanks. Coming from you this really helps me bed down my belief.

So basically their business is this, in a nutshell:

UK based data provider in niche vertical market space
They collect (via any means necessary) data on people around the world, including EU
They confirmed that they do not seek explicit opt it at any point
Their position is that so long as they email them within 1 month of adding them to their database and that email includes an opt-out link, that they are compliant.
Further, they then on-sell that data to 3rd parties and state along the whole road that so long as the people are a fit for business, that implies their consent.

What a joke. They are clearly convincing themselves that despite GDPR, their business model is legitimate, and their lawyers (they told me two separate counsels) know sweet f*$& all about the law they are consulting on (why am I not surprised there).

OK, well that confirms for me that any of their records from EU countries, I don't have any legal right to import into our system, let alone market to.

Crazy.

Sean Richards

Matjaž_Jaušove2 · ‎10-03-2019

I'd also agree this is not acceptable practice under GDPR. Although, I heard companies talking about using this approach also on Adobe/Marketo-sponsored events

Sean_Richards · ‎10-03-2019

Yeah, too many people wanting to believe that they can use "target persona who's a fit for what we sell" as grounds for legitimate interest. Ideally, GPDR people would throw a single large company under the bus for this and set the precedent.

Sean Richards

Amy_Goldfine · ‎10-04-2019

Yes, I have seen this from basically every data vendor. Ultimately, if they sign a DPA with you, they're the ones who are going to take the fall legally. But I completely agree that this is a willful misinterpretation of legitimate interest.

Amy Goldfine
Marketo Champion & Adobe Community Advisor

Sean_Richards · ‎10-03-2019

OK I have two more questions:

I am a sales person and one of my target accounts is a company (in my case school) in the EU that I want to reach out to. I find a contact that is known to be a decision maker for purchasing my product. Can I create a record in my CRM and reach out to this person via email?

Can this email for a known decision maker then be emailed by my marketing team on the basis of legitimate interest?

Don't be shy here people, tell me your thoughts?

Sean Richards

Amy_Goldfine · ‎10-04-2019

No, no, and no.

You can probably reach out to them via LinkedIn because they signed their TOS.

HOWEVER, I am not a lawyer, I am not your lawyer, and your company's legal counsel should be helping you develop policies and practices around privacy compliance.

Amy Goldfine
Marketo Champion & Adobe Community Advisor

Sean_Richards · ‎10-03-2019

So, I may be coming around on this legitimate interest thing.

This is from Marketo's policy... Privacy Notice » Marketo Documents

Our legal basis for collecting and using the Personal Data described above will depend on the Personal Data concerned and the specific context in which we collect it. We will collect and use your Personal Data where the processing is in our legitimate business interests, such as for direct marketing and sales of Marketo’s Marketing Automation Platform and Applications to prospective Business-to-Business (B2B) customers. Our legal basis for processing Personal Data in certain circumstances will also be based on your consent to do so or where we need the Personal Data to perform a contract with you or in order to enter into a contract with you. In some cases, we may also have a legal obligation to collect Personal Data from you.

So basically, the way I am reading the law, is that there are multiple categories that allow for personal data to be collected. Consent is one, legitimate interest is another. Under LI, it is worded to say LI for US or LI for them.

Under "How do they collect information" they also state "Information From Other Sources: In order to enhance our ability to provide relevant marketing, offers, and services to you, we obtain information about you from other sources, such as public databases, joint marketing partners, social media platforms, as well as from other third parties."

So that could mean for example, an email address from a prospect's public website in the public domain.

Here is a statement from Salesloft "Let’s start by taking a look at how GDPR will affect prospecting. The regulation doesn’t directly call out cold calling and cold email, but it does require you to have a legal basis to process data. Two common legal bases for processing are consent of the data subject, which is your prospect, and legitimate interest of the controller, which is you."

The law states that so long as the person could likely expect you to process their data, then it's OK. So most people are in fact reading this as "fit for business". I'm reading/thinking that the regulatory body is more about getting people to think better, spam less, make marketing more personalised and more targeted. It's not trying to stop people marketing all together without consent. The "rights of the individual" under legitimate interests are ambiguous and I believe designed to protect people such as children etc.

"legitimate interest balanced against the fundamental rights of data subjects"

Now, this data provider of mine is still bad because they are not stating that they are reselling people's data in their Privacy policy, where as Marketo's states the following:

How Will Marketo Share Personal Data It Receives?

Third-Party Business Partners:
Marketo partners with a variety of businesses and works closely with them to market or sell products or services. In certain situations, these businesses operate within the Sites. We may disclose Personal Data to our partners for the purposes described above. Some of our third-party business partners co-sponsor events and other offerings with Marketo. We may share Personal Data with these co-sponsors when you sign up for events or offerings to allow our partners to send you marketing communications and information that may be of interest to you, as permitted under applicable law.

Maybe I am wrong after all.

I mean Sanford's comment above was in response to them selling the data to me and not stating so in their policy. But Forget that provider breaking the law for a second. If we procure a record of a person and stand by that our legitimate interest is that we believe they are a decision maker and thus should reasonably expect us to target them as a prospective B2B customer, providing the means to opt out and making our privacy policy clear in those communications, and that this does not infringe on their fundamental rights, then I think we're OK.

There are some very large companies taking this stance and select few that are going "consent only" for EU, some going consent only for all.

Maybe, until there is precedent of punishment for a targeted b2b email, then we should not limit ourselves?

Sean Richards

Nik_Friedman_Te · ‎10-04-2019

"Legitimate Interest" is based upon assumptions of expectations that the protected party will have their data processed by a company in their general interest. This could include an active business relationship (I'm emailing you about your products you have purchased), their security or fraud (your password has been compromised), the general wellbeing of people/society ("our gas main has burst in your neighborhood"), or something along those lines.

It does NOT include, "You look like someone who would want to hear from me."

Also note that the legitimate interest is worded in terms of "may", and not "shall." This is legally meaningful, as "shall" is prescriptive, where "may" is guidance for interpretation. This article is explicitly held to a higher standard of proof if there is a complaint.

For GDPR purposes (and CASL, etc.), just don't use names that come from a rented or purchased lists, no matter how legitimate the source seems to be. If you want to take advantage of third party lists, look to a partner who will co-market for you and send those emails on your behalf to their opted-in customers.

Also, as a fellow Marketo user, please don't send to a bunch of purchased lists off of Marketo. There are other email providers who specialize in purchased lists. Our IP pool ends up on too many blacklists as it is!