Direct marketing questions continue to befuddle marketers and data practitioners alike. Whilst marketing success and GDPR compliance are not mutually exclusive, the interplay between different pieces of legislation can make this a confusing area.
A year after marketing consents were refreshed, below we answer four of our most commonly-received marketing consent questions. Together with our handy marketing compliance sheet, these should help you untangle any remaining marketing knots.
Can we use legitimate interests as our lawful basis for direct marketing?
Yes. The GDPR recitals (Recital 47) state that processing for direct marketing purposes may be regarded as carried out for a legitimate interest. It's easy to assume that "consent" is the most appropriate lawful basis for marketing, but "legitimate interests" is very useful, particularly if you carry out a lot of B2B marketing or rely heavily on "soft opt-in" (see below). Provided your marketing satisfies the legitimate interests "balancing" test (your interest in marketing is not overridden by the interests, rights and freedoms of the individual), you can rely on this as your lawful basis. Record the rationale that supports your "legitimate interests" conclusion, particularly if the balancing test is a "close call" (e.g. marketing to children), so that you can demonstrate it if challenged.
So does that mean we don't have to get consent?
Not necessarily. If your direct marketing is sent by electronic means (e.g. email, SMS or other electronic messaging), the Privacy and Electronic Communications Regulations 2003 (PECR) also apply. PECR requires prior opt-in consent to electronic direct marketing if you are marketing to consumers (individual subscribers) and you cannot rely on "soft opt-in". Your GDPR lawful basis does not override this: legitimate interests may justify the processing, but PECR still governs whether the message can be sent.
Can we obtain implied consent?
Yes, where the "soft opt-in" exemption applies. This applies where you obtained an individual's contact details during the sale, or negotiations for the sale, of a product or service, and you are marketing only your own similar products or services. The exemption means that the PECR opt-in consent rules do not apply, but you must still offer a simple means to opt out both at the point of data collection and in every subsequent marketing communication. In practice, this usually means an unticked "tick here if you do not want to receive marketing" box (or an equivalent clear opt-out) on the form that collects the details.
If you do rely on soft opt-in, consent will not be a valid GDPR lawful basis. GDPR consent must be freely given, specific, informed and unambiguous, and indicated by a clear, affirmative action; a failure to opt out is not an affirmative action. Soft opt-in, whilst valid for PECR purposes, will not meet these requirements. So, if you intend to rely on soft opt-in, "legitimate interests" is likely to be your most appropriate lawful basis.
What if we are marketing to business customers?
Direct marketing rules are less strict where you are marketing to business contacts. Whilst sole traders and (unincorporated) partnerships are treated in the same way as consumers for PECR purposes, marketing to individual contacts at companies (e.g. firstname.lastname@example.org) is not subject to the PECR consent rules. This means that, if you rely on legitimate interests, you do not need to obtain consent to send electronic direct marketing to these types of contacts. However, a named individual's work email address is still personal data, so the GDPR continues to apply: as with soft opt-in, you must offer opt-out options at data collection and in subsequent communications, and you must stop marketing to anyone who objects. Sending marketing messages to "generic" company email addresses (e.g. email@example.com) does not require consent or an opt-out option, since such an address is neither an individual subscriber under PECR nor personal data under the GDPR (though it is best practice to offer an "unsubscribe" option in every marketing message regardless).