Dan Stevens.

GDPR: Marketing Consent and Legitimate Interest

Discussion created by Dan Stevens (Expert) on Feb 9, 2018
Latest reply on Feb 13, 2018 by Michelle Miles

It seems like each week there's new information, perspectives and guidance around what companies - specifically, marketers, in our case - need to do to ensure they comply with GDPR.  As a global organization, we have a pretty large team in place that's focused on GDPR compliance - including all of the transformation activities associated with it.  Since there's still some cloudiness around gaining proper consent (email opt-ins, cookie consent, data storage/processing, etc.), our legal team sent over this link to a blog post (dated November 2017) from a law firm in Europe: Re-consenting to marketing under GDPR? -  Privacy, Security and Information Law Fieldfisher.   Some of the information is pretty eye-opening - and if indeed accurate - paints a somewhat favorable scenario for marketers (especially for those that market to existing customers (who were given the ability to opt-out when they became customers); and those that have obtained prior consent for many of the contacts in their database).  For example:

 

Marketing under the GDPR is regulated exactly like any other data processing activity.  This means that you have to show that you have a lawful basis under Art 6 to conduct direct marketing, and this lawful basis does not necessarily have to be consent-based.  In fact, it often won’t be.  This is because the GDPR acknowledges that direct marketing will often be a ‘legitimate interest’ of the data controller (legitimate interests being a non-consent based ground for data processing) and therefore consent to direct marketing is often not required under the GDPR.  Recital 47 of the GDPR actually says that:  “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”

 

Much of the direct marketing that businesses send today is sent lawfully on the basis of opt-out, not opt-in (i.e. consent).  In these instances, there is therefore no legal requirement for these businesses to seek fresh consents under the GDPR because their marketing was never based on consent (opt-in) in the first place.

 

The blog then goes into some detail around the ePrivacy Directive - which contains supplemental rules governing consent requirements for digital marketing - which is itself going through some significant reform and will be replaced by a new ePrivacy Regulation (hopefully May 25, but I've heard as late as 2019) - keep in mind this is still a draft:

 

The original draft of the e-Privacy Regulation proposed by the Commission largely retains (at Art 16) existing e-marketing rules as they apply under the current e-Privacy Directive.  The European Parliament has, to date, seemed relatively accepting of at least this aspect of the Commission’s proposed reforms, making it likely that opt-out e-marketing will remain possible once the e-Privacy Regulation is finally adopted.

 

The current ePrivacy Directive - as most of you know - requires opt-in consent for marketing emails.  Unless - and here's the kicker:

 

...an individual’s contact details were collected in the context of a sale and the individual was given the ability to opt-out at that time.  If so, first party e-mail and SMS marketing is possible on an opt-out basis.

 

Consequently, much of the direct marketing that businesses send today is sent lawfully on the basis of opt-out, not opt-in (i.e. consent).  In these instances, there is therefore no legal requirement for these businesses to seek fresh consents under the GDPR because their marketing was never based on consent (opt-in) in the first place.

 

Again, this is specific to companies that practice lawful opt-out marketing per the above statements (and the additional detail contained within the blog post).

 

The blog then provides the following summary:

 

  • Much direct marketing (both snail mail marketing and e-marketing) is possible today on the basis of opt-out. Opt-in consent can be used, but is seldom legally required;
  • The GDPR does not change this position and, in particular, does not make opt-in consent a mandatory requirement for direct marketing - it acknowledges that marketing can be conducted in reliance on legitimate interests; but
  • The forthcoming e-Privacy Regulation seems likely to continue to allow opt-out based e-marketing in many cases, though marketing teams should monitor developments here closely.

 

Interested to hear your thoughts.

 

 
