It’s just over 4 months since the General Data Protection Regulation (GDPR) came into force. During this time there has been lots of confusion among marketers about exactly which practices are allowed. It’s now a lot clearer what you can and can’t do, so there has never been a better time to clear up some of the myths still surrounding marketing under the GDPR.
Find out the answers to some of the most common GDPR & Marketing FAQs courtesy of Nash & Co Solicitors.
The relevant data protection rules sit within the Privacy and Electronic Communications Regulations (PECR) and the General Data Protection Regulation (GDPR). It is important that these two regulations are read in conjunction with one another and that you are compliant with both. The EU is in the process of replacing the current e-privacy law with a new ePrivacy Regulation (ePR). However, the new ePR is yet to be agreed. The existing PECR rules continue to apply (with a new definition of consent) until the new ePR is finalised. The law in this area is therefore likely to evolve further.
Does the GDPR also apply to business-to-business marketing?
The GDPR applies wherever you are processing ‘personal data’. So if you can identify an individual either directly or indirectly, the GDPR will apply – even if they are acting in a professional capacity. For example, a name and work email address (email@example.com) tells you Joe Bloggs works at Some Company, is personal data, and the GDPR will apply in respect of it.
What lawful basis can I rely on for marketing?
Consent or legitimate interests
Contrary to popular belief, not all use of personal data for marketing purposes requires consent – “legitimate interests” could potentially be applied in situations where PECR doesn’t require consent eg postal marketing, live calls to numbers not registered on the Telephone Preference Service where the person has not previously told you not to call them. or electronic mail where the ‘soft opt-in’ applies (see next FAQ).
What are ‘legitimate interests’?
Effectively a three-part test
Whilst a three-part test is not explicitly set out as such in the GDPR, there are three key elements:
Purpose test– is there a legitimate interest behind the processing?
Necessity test– is the processing necessary for that purpose?
Balancing test– is the legitimate interest overridden by the individual’s interests, rights or freedoms?
If relying on legitimate interests, you must be able to show the way you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object to what you are doing – but only if you don’t need consent under PECR.
The ICO have also provided a helpful ‘legitimate interests assessment’ (LIA) template, which walks you through the process and allows you to document the provisions you have made in using legitimate Interest as your legal basis. As your marketing campaign evolves, it is important that you continue to assess your use of legitimate interest and ensure that your reasoning remains valid.
Can I market by email/text without consent?
Yes – in certain circumstances
Sole traders, some partnerships and all individuals must have specifically consented to receive marketing in the form of text/email unless they have previously bought a similar product from you in the past and didn’t opt out from marketing messages when you gave them that chance at that time (”soft opt-in”).
However, you can email or text any corporate body (a company, Scottish partnership, limited liability partnership or government body). Nonetheless, it is good practice, and good business sense, to keep a ‘do not email or text’ list of any businesses that object or opt out, and screen any new marketing lists against that. The only requirement is that the sender must identify itself and provide contact details.
Can I make live marketing calls without consent?
Yes – subject to the below
You can make live unsolicited marketing calls, but must not call any number registered with the Telephone Preference Service (TPS) unless the subscriber (the person who gets the telephone bill) has specifically told you that they do not object to your calls. The TPS registration effectively acts as a general opt-out of receiving any marketing calls.
And you must not make an unsolicited marketing call to an individual (whether as a consumer or sole trader or in partnership) where the person has previously told you not to call them even if they have not registered on the TPS.
It is also important to remember that some businesses (sole traders and some partnerships) register with the TPS, and others (companies, some partnerships and government bodies) register with the Corporate Telephone Preference Service (CTPS). For business-to-business calls, you will, therefore, need to screen against both the TPS and the CTPS registers, as well as your own ‘do not call’ list.
At the start of every marketing call, you must identify your business and provide a valid business address or Freephone number. This can be in the content of an automated call recording or when asked during a live call.
Can I make automated marketing calls without consent?
The rules on automated calls are stricter (calls made by an automated dialling system which play a recorded message). You can only make these calls to people who have specifically consented to receive them. Consent to receive live calls is not sufficient. Indirect consent (ie consent originally given to a third party) is also unlikely to be sufficient.
All automated calls must give the identity of the caller, and a contact address or Freephone number. You must allow your number (or an alternative contact number) to be displayed to the person receiving the call.
There is no need to screen against the TPS when making automated calls because even if the number is not on the TPS list, you cannot make this type of call without the person’s consent.
Can I send marketing about my products or services if they are similar products or services that an existing customer has previously bought or received?
Although you cannot send marketing emails or texts about similar products or services to general individuals without specific consent there is a limited exception for your own previous customers. This is commonly known as soft opt-in, which allows you to send marketing texts or emails to existing customers if:
you have obtained the contact details in the course of a sale (or negotiations for a sale) of a product or service to that person;
you are only marketing your own similar products or services; and
you give the person a simple opportunity to refuse or opt out of the marketing, both when first collecting the details and in every message after that.
Note, you must have given them a clear chance to opt out – both when you first collected their details, and in every message you send thereafter.
Can legitimate interests be used to send marketing emails to employees at a corporate body to their personal corporate email addresses (e.g., firstname.lastname@example.org)?
This question was recently addressed by the ICO who’s response as follows: “If you are sending a marketing email to a corporate subscriber such as, email@example.com, then you do not need prior consent before you send the marketing email…You may be able to rely on legitimate interests to justify some of your business to business marketing”.
However, it is important that you ensure that you can satisfy the three-part legitimate interests test. So, yes you can lawfully send marketing about your product or service to someone at their work email who you think could be interested but doesn’t know about your business yet provided that you satisfy the legitimate interests test.
Can I use legitimate interests for all forms of marketing?
If e-privacy laws require express consent, then you cannot rely on your “legitimate interests” in carrying out electronic direct marketing purposes to circumvent this and process the personal data without consent. Legitimate interests is not an absolute exemption under the data protection laws and cannot be used to legitimise processing that is unlawful under other legislation.
In the legitimate interests guidance released by the ICO they have summarised when businesses are likely to be able to use legitimate interests for sending marketing messages. Please see extract below taken from that guidance.
Does all of my marketing correspondence need an opt out?
If you are relying on legitimate interests for direct marketing, the individual’s right to object is absolute and you must stop processing when someone objects.
If you are relying on consent, there is no right to object as such, but the individual has a right to withdraw their consent at any time. You must stop the processing when they withdraw consent. You must make it easy for people to withdraw consent at any time they choose. This should be done by including an opt-out or unsubscribe option in the message.
You must keep records to evidence consent – who consented, when, how, and what they were told. This will make it easier for people to withdraw their consent at any time.
Can I use tick boxes?
Yes – so long as they are not pre-ticked
Consent must be freely given; this means giving people genuine ongoing choice and control over how you use their data.
Consent should be obvious and require a positive action to opt-in, pre-ticked opt-in boxes are not permitted under GDPR, silence or inactivity from the data subject will not show consent. Consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand, and user-friendly.
The ICO has advised that the clearest way of obtaining consent is to invite the customer to tick an opt-in box confirming that they wish to receive marketing messages via specific channels (eg post, email, live phone call etc). This represents best practice and all organisations are advised to adopt this approach.
So long as marketing activity is carefully planned to ensure that it is compliant with both the PECR and GDPR then there is no doubt that businesses should continue to invest in marketing and use it sensibly for a number of things including; increasing brand awareness, promoting products/services, developing a niche and generally finding and keeping customers. GDPR and PECR combined should encourage the avid marketers amongst you to focus efforts on engaging those who are most likely to be interested rather in contrary to those who have previously sent out bulk emails or made bulk phone calls with little or no success.
In short, be responsible, aware and respectful in all of your marketing.
Original blog posted by Nash & Co Solicitors.