When GDPR came into force on May 25th 2018, some of the methods used by businesses to gain data-processing consent were outlawed. Previously, it was possible to gain opt-out consent from clients when they created an account. This type of consent involved either checking a box to avoid being on a mailing list or unchecking a pre-checked box. Consent was often given passively, using these slightly duplicitous methods.
Under GDPR, customers must now check an unambiguous box to opt in before they can be added to a mailing list. Predictably, this form of proactive consent is less often surrendered.
Customer consent is one of six legal justifications for processing personal data. The other five are contract, legal obligation, legitimate interest, vital interests and public tasks. Of these, legitimate interest (LI) offers a useful alternative to consent as a basis for processing data. It allows marketers to contact customers whose details they have secured during a sale or negotiations for a possible sale. This type of implied consent is known as “soft opt-in”.
Legitimate Interest Assessment
LI provides a lawful basis for processing data without consent, but it must still satisfy GDPR criteria. To be valid, it first has to pass a three-part legitimate interest assessment (LIA):
- Purpose: are you pursuing a real legitimate interest? This might include direct marketing to further the interests of your company or a third party, saving essential client or staff data, aiding IT security or fraud prevention.
- Necessity: can data processing be avoided while still achieving the desired purpose?
- Balancing test: do the data subject’s interests override the business’s interests (i.e. will the latter adversely affect the former)?
Legitimate Interest applies to B2B clients as well as B2C, though businesses are expected to be more empathetic and robust in the face of data use. Special consideration must be given to the impact of data processing on individuals.
Can You Email Opted-Out Customers by Claiming Legitimate Interest?
In short: no. Direct marketing under the legitimate interest umbrella should comply with the Privacy and Electronic Communications Regulations (PECR). This means it must have been solicited by the data subject. If this isn’t the case, direct marketing can only be conveyed via post, live phone calls without TPS/CTPS registration or objection, or emails and text messages to soft opt-in customers or business contacts. You cannot use legitimate interest as a default, do-it-all basis for data processing.
Data Collection and Data Mapping
Marketers can send out promotional emails to opted-in customers. This might be done through agencies or email service providers such as MailChimp, GetResponse, SparkPost and others. The type of data collected and processed from individuals includes the following:
- Personal ID: name, address, telephone, email addresses, social network addresses, user IDs, consent or non-consent history for receiving marketing material.
- Further personal profiling: details about family, lifestyle, education, career, pets, car ownership, property ownership, tastes.
- Previous interaction with the company including transactions, communications, complaints.
It’s imperative for businesses to manage data sprawl, to comply with EU regulations and the UK’s DPA (Data Protection Act). A data mapping tool is an invaluable aid in achieving this. Once you can see how data passes through your business, you’ll also see what consent has been obtained (or not), avoid data breaches and make your database compliant.
Five Ways Legitimate Interest is Used by Marketers
Legitimate interest can be justified in numerous ways to engage new customers, reactivate dormant users or to otherwise benefit the business. Here are five such ways:
1. Direct Marketing
With some notable caveats, legitimate interest can be used for direct marketing purposes in place of consent. It’s particularly useful in conjunction with soft opt-ins. Meticulous records should be kept so that legal compliance can be demonstrated. Especially with B2C data, legitimate-interest assessments (LIAs) should show arguments against data processing as well as for.
2. Personalisation
The personalisation of a website so that it exploits an individual’s data is an obvious marketing tactic, but it can be justified through legitimate interest. An example of this is when companies offer similar or complementary items for sale based on a customer’s browsing or buying history.
3. Market Research
Businesses may collect and process data without consent for market research purposes, including trend analysis or a study of marketing effectiveness.
4. Suppression
Suppression refers to a customer’s opposition to receiving direct marketing or having details kept on file, but a limited amount of data must be stored to ensure no emails are sent and that wishes are obeyed.
5. Snail Mail
Although you cannot send marketing emails to opted-out individuals or try to entice them into opting back in (some large companies have been fined for doing this), you can try to re-engage customers by sending materials through regular post.
An acid test for LI is always this: what does the customer expect to see or receive? That’s a reliable starting point. For GDPR compliance and efficient, lawful marketing, get your house in order with data mapping!