I have a data provider that provides us access to a targeted database of people (names, emails, company, title, etc).
In their database it includes people from EU countries.
I emailed them some questions, see below...
Our position is that if someone is a fit for business (target persona) in a B2B model, that qualifies under GDPR as legitimate interest and we believe that it's lawful to add that person to our database AND market to them. Therefore our customers like yourself should also be able to use this same criteria to prove legitimate interest, so long as you and we provide the means for them to opt out.
This is definitely contrary to our understanding and interpretation of the law of GDPR.
Am I right?
You are right. These people are encouraging lawbreaking, by any interpretation I have seen (and that's many across our clients).
Thanks. Coming from you this really helps me bed down my belief.
So basically their business is this, in a nutshell:
What a joke. They are clearly convincing themselves that despite GDPR, their business model is legitimate, and their lawyers (they told me two separate counsels) know sweet f*$& all about the law they are consulting on (why am I not surprised there).
OK, well that confirms for me that any of their records from EU countries, I don't have any legal right to import into our system, let alone market to.
I'd also agree this is not acceptable practice under GDPR. Although, I heard companies talking about using this approach also on Adobe/Marketo-sponsored events
Yeah, too many people wanting to believe that they can use "target persona who's a fit for what we sell" as grounds for legitimate interest. Ideally, GPDR people would throw a single large company under the bus for this and set the precedent.
Yes, I have seen this from basically every data vendor. Ultimately, if they sign a DPA with you, they're the ones who are going to take the fall legally. But I completely agree that this is a willful misinterpretation of legitimate interest.
OK I have two more questions:
I am a sales person and one of my target accounts is a company (in my case school) in the EU that I want to reach out to. I find a contact that is known to be a decision maker for purchasing my product. Can I create a record in my CRM and reach out to this person via email?
Can this email for a known decision maker then be emailed by my marketing team on the basis of legitimate interest?
Don't be shy here people, tell me your thoughts?
No, no, and no.
You can probably reach out to them via LinkedIn because they signed their TOS.
HOWEVER, I am not a lawyer, I am not your lawyer, and your company's legal counsel should be helping you develop policies and practices around privacy compliance.
So, I may be coming around on this legitimate interest thing.
This is from Marketo's policy... Privacy Notice » Marketo Documents
Our legal basis for collecting and using the Personal Data described above will depend on the Personal Data concerned and the specific context in which we collect it. We will collect and use your Personal Data where the processing is in our legitimate business interests, such as for direct marketing and sales of Marketo’s Marketing Automation Platform and Applications to prospective Business-to-Business (B2B) customers. Our legal basis for processing Personal Data in certain circumstances will also be based on your consent to do so or where we need the Personal Data to perform a contract with you or in order to enter into a contract with you. In some cases, we may also have a legal obligation to collect Personal Data from you.
So basically, the way I am reading the law, is that there are multiple categories that allow for personal data to be collected. Consent is one, legitimate interest is another. Under LI, it is worded to say LI for US or LI for them.
Under "How do they collect information" they also state "Information From Other Sources: In order to enhance our ability to provide relevant marketing, offers, and services to you, we obtain information about you from other sources, such as public databases, joint marketing partners, social media platforms, as well as from other third parties."
So that could mean for example, an email address from a prospect's public website in the public domain.
Here is a statement from Salesloft "Let’s start by taking a look at how GDPR will affect prospecting. The regulation doesn’t directly call out cold calling and cold email, but it does require you to have a legal basis to process data. Two common legal bases for processing are consent of the data subject, which is your prospect, and legitimate interest of the controller, which is you."
The law states that so long as the person could likely expect you to process their data, then it's OK. So most people are in fact reading this as "fit for business". I'm reading/thinking that the regulatory body is more about getting people to think better, spam less, make marketing more personalised and more targeted. It's not trying to stop people marketing all together without consent. The "rights of the individual" under legitimate interests are ambiguous and I believe designed to protect people such as children etc.
"legitimate interest balanced against the fundamental rights of data subjects"
"Legitimate Interest" is based upon assumptions of expectations that the protected party will have their data processed by a company in their general interest. This could include an active business relationship (I'm emailing you about your products you have purchased), their security or fraud (your password has been compromised), the general wellbeing of people/society ("our gas main has burst in your neighborhood"), or something along those lines.
It does NOT include, "You look like someone who would want to hear from me."
Also note that the legitimate interest is worded in terms of "may", and not "shall." This is legally meaningful, as "shall" is prescriptive, where "may" is guidance for interpretation. This article is explicitly held to a higher standard of proof if there is a complaint.
For GDPR purposes (and CASL, etc.), just don't use names that come from a rented or purchased lists, no matter how legitimate the source seems to be. If you want to take advantage of third party lists, look to a partner who will co-market for you and send those emails on your behalf to their opted-in customers.
Also, as a fellow Marketo user, please don't send to a bunch of purchased lists off of Marketo. There are other email providers who specialize in purchased lists. Our IP pool ends up on too many blacklists as it is!