The GDPR – Some Troublesome Aspects and Misconceptions, Part II: Confusion Around Marketing and Consent

Privacy & Cybersecurity Newsletter
January 2019

In the last edition of the Privacy & Cybersecurity newsletter, we discussed troublesome aspects and misconceptions of the GDPR related to application of the regulation. Here, we tackle issues around marketing and consent.

One of the main changes brought about by the GDPR is that it is much more difficult to obtain a valid “consent” from an individual to process his or her data. This is important because you must have a legal basis to process personal data. Under the previous law, obtaining consent was probably the most common way for organizations to show that their data processing was lawful. Often they achieved this simply by having general terms and conditions that conferred consent to all data processing unless individuals ticked a box to opt out or unticked a pre-ticked box.

Under GDPR, consent can no longer be obtained in this way. Consent must be freely given, specific, informed and unambiguous. It can never be implied, pre-ticked boxes are not allowed, and it cannot be general. In other words, it requires an “opt-in.”

For this reason, many organizations assumed that, in order to continue to send marketing materials once GDPR was in force, recipients had to “opt-in” beforehand and, if they did not, their contact details had to be removed from the database. This was of great concern because of the huge reliance businesses place on their database of customers and contacts. Sometimes this is their most valuable asset. They therefore wrote to all their customers and other contacts, whether businesses or consumers, requesting an opt-in and promising to delete details and cease sending any communication if that opt-in was not received by May 25, 2018.

The fundamental error in this approach is that consent is not the only or the most appropriate legal basis for the processing of personal data involved in storing customer and contact information and sending communications. GDPR makes it clear that direct marketing can be a “legitimate interest” so long as the recipient has not opted out and is given an opportunity to do so. The main limitation to this is in another European law, the “e-privacy directive.” This requires that any form of electronic marketing, such as email or text, can only be sent with specific GDPR-standard consent, but this is subject to two exceptions. First, the requirement only applies to individuals. Second, consent is not required for existing customers who bought or negotiated the purchase of a similar product or service from the organization in the past.

The conclusion is that, broadly:

  • Organizations that have a genuine relationship with a business can continue to send the business e-marketing materials and keep them in their databases without consent, so long as the organizations provide an opt-out.
  • Organizations can continue to send e-marketing materials to individuals without opt-in consent where they have previously sold the individuals similar goods or services or negotiated to do so.

One can only speculate on how many organizations unnecessarily deleted vast quantities of valuable contact information and stopped communicating with their customers by misunderstanding these rules.