Do I need consent for direct marketing?
With less than 50 working days until GDPR takes effect on 25th May 2018, many businesses are starting to consider the ‘hot topic’ of whether their marketing lists will still be valid. But it’s not just GDPR that needs to be considered……
Current Rules (up until 25th May 2018)
Data Protection Act 1998 (DPA98)
Privacy and Electronic Communications Regulations 2003 (PECR)
After 25th May 2018
General Data Protection Regulation (GDPR)
Privacy and Electronic Communications Regulations 2003 (PECR) BUT only until the Regulation on E-Privacy and Electronic Communications (the E-Privacy Regulation) comes into force
Under DPA98 “An individual is entitled at any time by notice in writing ……to require the data controller…to cease, or not to begin processing for the purposes of direct marketing….”
Whilst referenced in DPA98, the majority of the rules around direct marketing can actually be found in PECR. The ICO’s current direct marketing guidance, based on PECR, can be found at: -
Direct marketing can currently be carried out following a variety of opt-ins or opt-outs but under GDPR the rules become more challenging because giving consent (or opting in) to direct marketing has specific requirements.
GDPR says “Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time….”
“Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.”
As we all know, under GDPR, organisations can only process personal data if they have a lawful basis for doing so (GDPR Article 5 clause 1). The test for ‘lawfulness of processing’ includes that the data subject has given consent for the processing, but this does not automatically mean that you need consent to carry out direct marketing (or any other type of processing).
Recital 47 of the GDPR states “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
Even the ICO acknowledge that obtaining valid consent under GDPR (Art 7) will be challenging and they urge businesses to consider whether consent is the correct lawful basis for the processing of any data.
But when deciding whether the sending of direct marketing can be done as a legitimate interest, an organisation still needs to consider the rules under PECR.
Postal marketing – not covered by PECR so as long as the organisation identifies itself, offers an opt-out and screens addresses against the mail preference service then it’s ok to send first party marketing (about your own products and services) as long as the client has not previously opted out. If they haven’t previously opted out but have registered with the mail preference service then you need to leave them alone.
Email/SMS marketing – you must follow the rules in PECR which require an opt-in unless you have obtained the contact details of the individual during the course of a sale (or negotiations of the sale) of a product or service. The marketing must be of a similar product or service and the individual must have been given the opportunity to opt-out.
Telephone Marketing – for live marketing calls, the rules say you can contact anyone as long as they have not previously opted out and are not registered with the telephone preference service. You must not make automated calls to anyone unless they have specifically opted in to receive this type of call from you.
So what do you need to do?
Consider whether consent is the most appropriate lawful basis for processing – can you use legitimate interests instead?
Make sure your privacy notice covers direct marketing if you will be sending it to clients
Ensure that there is an easy way for clients to opt-out of marketing and that your system can record the opt-out
Ensure your marketing teams screen all marketing data against both the telephone preference service and mail preference service
If you do need (or want to rely on consent) then review your current opt-in’s, if they don’t meet the requirements of Article 7 then you will need to ask your clients to opt-in again
Keep an eye out for our updates on the E-Privacy Regulation – it was supposed to be ready for 25th May 2018 but this is looking increasingly unlikely as the text is yet to be finalised
We will be talking about the practicalities of GDPR at our upcoming conference in London on 26th April. You can find out more here