How to use ‘legitimate interest’ instead of consent for marketing under GDPR?
- 16 Apr
All of the factual information that follows is extracted directly from the ICO website and we make it clear when we are applying our interpretation.
There is much talk, and indeed confusion, about the need for explicit consent to process personal data for marketing purposes under GDPR.
Less talked about is the alternative to gaining consent - demonstrating legitimate interest.
In simple terms, legitimate interest says that a business (the data controller) can process the data when it can show a valid reason for doing so. This ruling is more flexible than consent and could, in principle, apply to any reasonable purpose, including marketing.
What constitutes legitimate interest?
The ICO acknowledges that the interpretation of legitimate interest can be broad and could include starting or growing a business. Indeed, Recital 47 of the GDPR says:
“...the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”.
Businesses are encouraged to use legitimate interest as their basis for processing data when:
- The processing is of clear benefit to the business
- There is limited privacy impact on the individual
- The individual should reasonably expect you to use their data in this way
- You don’t want to bother people with disruptive consent requests when they are unlikely to object in any event.
So, why all the fuss about GDPR?
Well, the starting point is that we can’t just decide that processing the data is in our legitimate interests. We need to be able to satisfy three tests:
- Purpose test - is there a legitimate interest?
- Necessity test - is processing the data necessary for that purpose? Processing the data doesn’t have to be absolutely essential, but it must be a targeted and proportionate way of achieving the objective.
- Balance test - is the legitimate interest overridden by the individuals basic rights and freedoms?
We’ve established that direct marketing is likely to be considered a legitimate interest and, for most marketing activities, processing the data could be shown to be necessary for effective targeting and monitoring. Providing the activities don’t compromise an individual’s basic rights, we look to be in a good place.
There is a curve ball, however. Although marketing in general may be a legitimate purpose, the method of marketing has a bearing on whether legitimate interest can be claimed. To quote directly from the ICO website:
“If you intend to process personal data for the purposes of direct marketing by electronic means (by email, text, automated calls etc.) legitimate interests may not always be an appropriate basis for processing. This is because the e-privacy laws on electronic marketing – currently the Privacy and Electronic Communications Regulations (PECR) – require that individuals give their consent to some forms of electronic marketing. It is the GDPR standard of consent that applies, because of the effect of Article 94 of the GDPR. You are not able to use legitimate interests to legitimise processing that is unlawful under other legislation".
Buying and using lists of consumer email addresses without a specific opt-in applicable to the purchaser would, therefore, be a breach because consent has not been given and “at the time and in the context of the collection of the personal data, the subject would not reasonably expect that additional processing to take place”.
The ICO does, however, offer a ray of light for marketers everywhere when it says:
"Based on the current legislation (PECR), and depending on the outcome of your three-part test, legitimate interests may be appropriate for ‘solicited’ marketing (i.e. marketing pro-actively requested by the individual), or for unsolicited marketing in the following circumstances:
- Live phone calls when there is no TPS/CTPS registration or objection.
- Emails/text messages to individuals with soft opt-ins.
- Emails/text messages to business contacts".
The ICO explicitly says that "data about people in their professional capacity is considered less sensitive than in their personal capacity" and "most processing of business contacts data will be lawful on the basis of legitimate interests" with the caveat that there is no absolute rule and the three-part test needs to be applied to be certain.
How might we interpret all of this?
The ICO seems to recognise the unintended threat of GDPR to responsible marketing and is making provision for it to continue.
There is clearly a significant difference between using personal data in the form of a business email address to send a marketing message which offers a service that you reasonably believe the recipient will be interested in, and the Cambridge Analytica style of use where the processing was “unexpected and the individuals lost control over the use of their data and weren’t in an informed position to exercise their rights”.
The less sensitive or private the data is, the less likely it seems it is going to be considered an intrusion. Using an email address to contact somebody in their professional capacity would appear to have a minimal impact on that person’s individual rights or freedoms and be unlikely to raise too many eyebrows in Officialdom. We also believe that while legitimate interest is much easier to prove for existing and previous customers because you can demonstrate “a relevant and appropriate relationship”, it may also be applied to prospects if handled responsibly.
The advice we are offering to our clients is to follow 8 Golden Rules
- Always provide a clear opportunity to opt out of marketing communications, either when the data is collected or in the first communication
- Respect all opt-outs as soon as they are received and make sure this removes them from profiling activities as well as direct communications
- Comply with all legal and ethical standards - no spam, always send relevant content and, of course, nothing inappropriate
- Consider the nuisance factor of unwanted or overly frequent marketing messages
- Don’t target vulnerable individuals e.g. by offering high interest loans to those experiencing financial difficulties
- Think specifically about the legal justification if you are considering doing anything new or innovative with the data
- To be super-safe, document your assessment of how legitimate interest applies and be prepared to justify your decision if necessary.
The closing thought to keep us all on our toes is that the EU is in the process of replacing the current e-privacy law with a new ePrivacy Regulation (ePR). The new ePR is yet to be agreed and when it is, it could move the goal-posts again. We'll be watching the situation closely, but in the meantime, the existing PECR rules continue to apply.
For help on implementing GDPR compliant processes in your organisation, please contact us.