In the last edition of the Privacy & Cybersecurity newsletter, we discussed troublesome aspects and misconceptions of the GDPR related to application of the regulation. Here, we tackle issues around marketing and consent.
One of the main changes brought about by the GDPR is that it is much more difficult to obtain a valid “consent” from an individual to process his or her data. This is important because you must have a legal basis to process personal data. Under the previous law, obtaining consent was probably the most common way for organizations to show that their data processing was lawful. Often they achieved this simply by having general terms and conditions which conferred consent to all data processing unless individuals ticked a box to opt-out or unticked a pre-ticked box.
Under GDPR, consent can no longer be obtained in this way. Consent must be freely given, specific, informed and unambiguous. It can never be implied, pre-ticked boxes are not allowed, and it cannot be general. In other words, it requires an “opt-in.”
For this reason, many organizations assumed that, in order to continue to send marketing materials once GDPR was in force, recipients had to “opt-in” beforehand and, if they did not, their contact details had to be removed from the database. This was of great concern because of the huge reliance businesses place on their database of customers and contacts. Sometimes this is their most valuable asset. They therefore wrote to all their customers and other contacts, whether businesses or consumers, requesting an opt-in and promising to delete details and cease sending any communication if that opt-in was not received by May 25, 2018.
The fundamental error in this approach is that consent is not the only or the most appropriate legal basis for the processing of personal data involved in storing customer and contact information and sending communications. GDPR makes it clear that direct marketing can be a “legitimate interest” so long as the recipient has not opted out and is given an opportunity to do so. The main limitation to this is in another European law, the “e-privacy directive.” This requires that any form of electronic marketing, such as email or text, can only be sent with specific GDPR standard consent, but this is subject to two exceptions. The first is that it only applies to individuals. Second, consent is not required for existing customers who bought or negotiated the purchase of a similar product or service from the organization in the past.
The conclusion is that, broadly:
- Organizations that have a genuine relationship with a business can continue to send the business e-marketing materials and keep them in their databases without consent, so long as the organizations provide an opt-out.
- Organizations can continue to send e-marketing materials to individuals without opt-in consent where they have previously sold the individuals similar goods or services or negotiated to do so.
One can only speculate on how many organizations unnecessarily deleted vast quantities of valuable contact information and stopped communicating with their customers by misunderstanding these rules.