Consent, legitimate interest, personal data: Your GDPR marketing questions answered
“What’s that coming over the hill; is it a monster?”
No, it’s GDPR. And it’s getting closer.
The 4th of May is deadline day for the new ruling. If you’re a business owner, you will have been exposed to a torrent of conflicting advice about it.
Much of this advice is speculation, because the implications of the regulation have yet to be decided. However, we now have a very good idea of the situation regarding consent for email marketing.
In this article, we’ll provide a list of need-to-knows for email marketing in the context of GDPR.
To compile our guidance, we’ve used information from the following sources:
- The Digital Marketing Association (DMA),
- The Data Protection Network (DPN), and
- The Information Commissioner's Office (ICO)
Each of these organisations has been responsible for lobbying for and helping craft the incoming legislation. Please note, however, that this guide does not constitute legal advice.
Let’s dive in.
Do corporate email addresses count as personal data?
In short, yes. For more on this, click to read the DMA guide here.
What data am I allowed to use to justify my email marketing campaigns, under GDPR?
The General Data Protection Regulation sets out six legal bases for storing personal data. Two of these can be used as legal bases for sending email marketing campaigns.
The six bases for storing data are below. This wording is provided by the DPN, in collaboration with the DMA.
A. CONSENT - the individual has explicitly given their Consent to the processing of their Personal Data.
B. CONTRACTUAL - processing of Personal Data is necessary for the performance of a contract to which the individual is a party, or for the Controller to take pre-contractual steps at the request of the individual.
C. LEGAL OBLIGATION - processing of Personal Data is necessary for compliance with a legal obligation to which the Controller is subject.
D. VITAL INTERESTS - processing of Personal Data is necessary to protect the vital interests of the individual or of another individual.
E. PUBLIC TASK - processing of Personal Data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
F. LEGITIMATE INTERESTS - processing is necessary under the Legitimate Interests of the Controller or Third Party, unless these interests are overridden
Of the six bases above, only A and F may be used to justify sending email marketing campaigns: consent and legitimate interest.
What is considered ‘consent’ under GDPR?
Consent is consent; someone has agreed to receive emails or marketing materials from you.
From May 4th, this agreement must be made in line with GDPR guidelines, which demand a higher standard of consent than existing data protection regulations.
Under GDPR, consent has been granted when all of the following conditions have been met:
- A contact has taken affirmative action to opt in to your communications (e.g. ticked an opt-in box);
- Your organisation has made explicitly clear how their data will be used;
- Your organisation offers a clearly-written privacy notice alongside the opt-in call-to-action, which is separate from other terms and conditions text; and
- Your organisation has maintained evidence to demonstrate consent.
The DMA has produced a good infographic on the legal basis of consent, including the handy breakdown below.
As many B2B businesses’ current consent protocols won’t meet the GDPR standard for consent, many will refer to ‘legitimate interest’ as their lawful basis for processing personal data.
B2C businesses are more likely to rely on ‘consent’.
What counts as ‘legitimate interest’ under GDPR?
Direct marketing – which includes email marketing – can rely on legitimate interest when an organisation can prove its case via a Legitimate Interest Assessment (LIA).
The DMA has produced a great guide and template for conducting an LIA on page 14 of this document.
The LIA template involves three main areas of questioning:
- Identifying a legitimate interest. What is the purpose of the data processing? Is it necessary, and do the organisation’s guidelines identify the purpose of the data processing as a basis for legitimate interest?
- The necessity test. What is the importance of data processing to the data controller and their related parties? Is there a possible alternative which does not require disproportionate effort from the controller?
- The balancing test. Will the subject expect data processing? Does it expose them to unnecessary harm or distress? Is processing the data fair, and is there a balance of control between the subject and the data controller?
If you’re relying on legitimate interest as your lawful basis, you must complete an LIA and – if the outcome is positive – record and store the document.
This done, you must make it clear to your email contacts that legitimate interest, as defined by your LIA, is the lawful basis on which you send them marketing emails.
Our interpretation is that this can be done in the footer of your email. In the same statement, you must also link through to a clearly-written privacy notice which explains the consent terms in more detail.
Of course, control of your contacts’ data must still be in the hands of each individual. They have the right to know what data you hold on them and for what purpose, and they have the right to ask you to delete their data.
This means offering a simple and immediate way for them to opt out or unsubscribe from your email communications. We recommend including a link to a preference centre in your emails. This gives contacts the option to choose which communications they receive from you, as opposed to unsubscribing from you entirely.
What should your privacy notice look like?
A clear and well-written privacy notice will do two things: help make you GDPR-compliant, and help explain to contacts why you have sent them a marketing email.
Again, the DMA has provided a good overview and examples for creating your privacy notice, here.
If you’re relying on legitimate interest as your lawful basis, make sure this is clearly explained and outlined in your privacy notice. State why it is of benefit to the individual to be receiving your emails, and make it clear that they’re in control of their data by telling them how they can unsubscribe.
Below is a good example of a notice from the Data Protection Network (DPN). This and other examples can be found on pages 16 to 18 of the DPN’s legitimate interest guide, here.
Can I email my existing email contacts and ask them to opt-in?
If you’re contacting your existing email list to ask individuals to opt in ready for GDPR, this means you are seeking consent as your legal basis for future email communications with them.
You won’t require this opt-in if your lawful basis is to be legitimate interest.
Tread carefully when asking for consent in this way. Honda was fined £17,000 for sending an email to their contacts asking them to opt in, because they couldn’t provide evidence that they had prior consent from their contacts list to send marketing emails.
You may only email your existing email list to ask for GDPR-compliant opt-in consent if you have received previous consent from your contacts.
In addition, you must be able to offer:
- Evidence that each individual has provided this consent, and
- A clear reason that you are asking them to re-opt-in in your email request. In short, you are asking them to opt-in once more because you want to bring their consent up-to-date with GDPR guidelines.
Already got prior opt-in consent from your contacts? Check out this example of a well-executed re-opt-in email from Manchester United.
So, what do I do now?
Firstly, decide on which lawful basis you will process individuals’ personal data for the purposes of direct marketing.
Assuming this is legitimate interests, you should conduct an LIA. If the outcome is positive, make sure you have a clearly written privacy notice, including all the details of consent and how individuals’ data is being used, and make this privacy notice easy for your email subscribers to access.
You may also enjoy reading our article ‘GDPR: Best examples of opt-in user flows, copy and content’.