2 Replies Latest reply on Feb 13, 2018 2:03 PM by Michelle Miles

    GDPR: Marketing Consent and Legitimate Interest

    Dan Stevens.

      It seems like each week there's new information, perspectives and guidance around what companies - specifically, marketers, in our case - need to do to ensure they comply with GDPR.  As a global organization, we have a pretty large team in place that's focused on GDPR compliance - including all of the transformation activities associated with it.  Since there's still some cloudiness around gaining proper consent (email opt-ins, cookie consent, data storage/processing, etc.), our legal team sent over this link to a blog post (dated November 2017) from a law firm in Europe: Re-consenting to marketing under GDPR? -  Privacy, Security and Information Law Fieldfisher.   Some of the information is pretty eye-opening - and if indeed accurate - paints a somewhat favorable scenario for marketers (especially for those that market to existing customers (who were given the ability to opt-out when they became customers); and those that have obtained prior consent for many of the contacts in their database).  For example:


      Marketing under the GDPR is regulated exactly like any other data processing activity.  This means that you have to show that you have a lawful basis under Art 6 to conduct direct marketing, and this lawful basis does not necessarily have to be consent-based.  In fact, it often won’t be.  This is because the GDPR acknowledges that direct marketing will often be a ‘legitimate interest’ of the data controller (legitimate interests being a non-consent based ground for data processing) and therefore consent to direct marketing is often not required under the GDPR.  Recital 47 of the GDPR actually says that:  “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”


      Much of the direct marketing that businesses send today is sent lawfully on the basis of opt-out, not opt-in (i.e. consent).  In these instances, there is therefore no legal requirement for these businesses to seek fresh consents under the GDPR because their marketing was never based on consent (opt-in) in the first place.


      The blog then goes into some detail around the ePrivacy Directive - which contains supplemental rules governing consent requirements for digital marketing - which, it too, is going through some significant reform and will be replaced by a new ePrivacy Regulation (hopefully May 25, but I've heard as late as 2019) - keep in mind this is still a draft:


      The original draft of the e-Privacy Regulation proposed by the Commission largely retains (at Art 16) existing e-marketing rules as they apply under the current e-Privacy Directive.  The European Parliament has, to date, seemed relatively accepting of at least this aspect of the Commission’s proposed reforms, making it likely that opt-out e-marketing will remain possible once the e-Privacy Regulation is finally adopted.


      The current ePrivacy Directive - as most of you know - require opt-in consent for marketing emails.  Unless - and here's the kicker:


      ...an individual’s contact details were collected in the context of a sale and the individual was given the ability to opt-out at that time.  If so, first party e-mail and SMS marketing is possible on an opt-out basis.


      Consequently, much of the direct marketing that businesses send today is sent lawfully on the basis of opt-out, not opt-in (i.e. consent).  In these instances, there is therefore no legal requirement for these businesses to seek fresh consents under the GDPR because their marketing was never based on consent (opt-in) in the first place.


      Again, this is specific to companies that practice lawful opt-out marketing per the above statements (and the additional detail contained within the blog post).


      The blog then provides the following summary:


      • Much direct marketing (both snail mail marketing and e-marketing) is possible today on the basis of opt-out. Opt-in consent can be used, but is seldom legally required;
      • The GDPR does not change this position and, in particular, does not make opt-in consent a mandatory requirement for direct marketing - it acknowledges that marketing can be conducted in reliance on legitimate interests; but
      • The forthcoming e-Privacy Regulation seems likely to continue to allow opt-out based e-marketing in many cases, though marketing teams should monitor developments here closely.


      Interested to hear your thoughts.



      Grégoire Michel

      Michelle Miles

        • Re: GDPR: Marketing Consent and Legitimate Interest
          Grégoire Michel

          Hi Dan Stevens ,


          Thx for sharing the link to the article. Its conclusions are generally inline with that of our customer lawyers.


          It's quite interesting to note that quite often, the geographical origin of the lawyers has obviously an impact on the way they interpret the GDPR and the recommendations they make to their marketing teams. Typically, germans lawyers provide a more restrictive interpretation and provide stronger requirements (especially with the role of the opt-in) than French and British ones. France and the UK have had a less strict interpretation of the previous Directive than Germany and this reflects today in the way they look at the GDPR. IMHO, this means that the full harmonization that is the purpose of the GPDR is not yet fully achieved (dear reader, please remember that the R in GDPR  stands for Regulation, which under the contrary of a Directive, is supposed to be implemented as is, in an homogeneous way).



          • Re: GDPR: Marketing Consent and Legitimate Interest
            Michelle Miles

            Hi Dan Stevens. -


            Thanks for sharing! Apologies in the delayed response, I've been on vacation. Our legal team (interestingly, in France) has generally offered a more strict interpretation of the law. They do agree that an express opt-in prior to GDPR is still valid (assuming an appropriate duration). Beyond that, they are more strict, but acknowledge that legitimate interest will need to be carefully considered on an individual basis based on the opt-in source. Marketers without proper record-keeping may have a difficult time. Note Recital 47, which says: "The existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing." I agree that full harmonization has not been achieved, and am personally more comfortable following a conservative approach at this stage.