Marketing and data part 3

Consent vs legitimate interests

A big part of GDPR compliance is the legal basis you rely on for using people’s data.

There are 6 in total, but for marketing only 2 will apply.

  1. Consent.

You can choose to use consent, or you may be required to (for automated calls, and for emails/text messages where the soft opt-in doesn’t apply).

When using consent, remember:

  1. It must be freely given – there must be a choice, either yes or no. You can’t tie up marketing consent in your terms and conditions for your services.
  2. The consent needs to be specific and informed – you need to explain exactly what the person is consenting to, for example an email newsletter or general marketing emails sent every day.
  3. Be unambiguous in the words you use – it should be obvious what they have agreed to.

You can collect consent from your customers and prospects directly, or consent can be obtained on your behalf by a 3rd party. Make sure the 3rd party collects the consent legally, otherwise you will not be able to contact those people.

Consent can degrade over time. Sometimes this is because it was obtained for a particular purpose, say an event, so once the event has taken place the consent ends; sometimes it simply lapses with the passage of time. If you have consent for general marketing, you need to communicate regularly, otherwise the consent will expire.

  2. Legitimate interests.

You can look at legitimate interests if you don’t have to use consent. You need to show that your proposed use of people’s data is proportionate, has minimal privacy impact and is something the individual would expect or wouldn’t object to.

You need to justify using legitimate interests by following the 3-step test.

  1. Purpose – why do you want to use people’s data for your marketing? This could be for gaining new customers or launching a new product.
  2. Necessity – is it necessary to use the data in this way to achieve your goal? Is there another way without using the data?
  3. Balancing – you should weigh up the needs of the business to carry out the marketing with the interests of the proposed recipients.

If you want to use legitimate interests, you need to tell people when you collect their data and allow them to opt out. As with consent, a 3rd party can obtain permission on your behalf to use legitimate interests.

Deciding which one to use is not always straightforward. But making sure you comply with the rules, whichever you decide, is important to your bank balance and your company’s reputation.
