Marketers need separate consent for marketing and data sharing
Personal data must be collected for ‘specified, explicit and legitimate purposes’ according to the GDPR.
Part of being specific is ensuring that, where you are asking for consent as legal basis for processing, the purposes for processing are not confused and muddled together into one all encompassing checkbox.
Such a user experience would mean the data subject cannot seek separate consent for each purpose, and therefore would suffer a lack of freedom. This is why GDPR guidance recommends ‘granularity’.
How does this relate to lead generation? Well, the Article 29 Data Protection Working Party (WP29) – which is essentially a body with a data protection representative from each EU state – offers the following example in its guidance on consent.
Within the same consent request a retailer asks its customers for consent to use their data to send them marketing by email and also to share their details with other companies within their group. This consent is not granular as there is no separate consents for these two separate purposes therefore the consent will not be valid.
So, marketers, make sure that if you’re relying on consent as a legal basis for data processing you offer different checkboxes for different purposes.
Is the data collection necessary?
Here’s another example from WP29’s guidance on consent:
A mobile app for photo editing asks its users to have their GPS localisation activated for the use of its services. The app also tells its users it will use the collected data for behavioural advertising purposes. Neither geolocalisation or online behavioural advertising are necessary for the provision of the photo editing service and go beyond the delivery of the core service provided. Since users cannot use the app without consenting to these purposes, the consent cannot be considered as being freely given.
It’s clear that if you are asking for personal data that is not deemed necessary, whether in your lead generation activities or as part of a service, then consent is not the right option if subjects have no choice.
But hang on a minute, what does that mean when marketers insist their audience fill in a form in order to download a whitepaper, for example? Would some of the data arguably be unnecessary – other than perhaps an email address to deliver the report?
Is consent freely given? Well…
Incentivising consent for marketing is okay
The key here is to understand where the PECR and the GDPR overlap.
Though the GDPR is clear that consent is not freely given if the subject is unable to refuse without detriment, there is guidance from the ICO which clears up this matter somewhat.
The guidance says:
It may still be possible to incentivise consent to some extent. There will usually be some benefit to consenting to processing. For example, if joining the retailer’s loyalty scheme comes with access to money-off vouchers, there is clearly some incentive to consent to marketing. The fact that this benefit is unavailable to those who don’t sign up does not amount to a detriment for refusal. However, you must be careful not to cross the line and unfairly penalise those who refuse consent.
So, if you’re asking the subject to fill in a form in order to download a whitepaper, asking for consent to electronic marketing (as precondition to download) would seem to be okay as this relates to the PECR. Note that if you are targeting businesses, i.e. business email addresses, you may not need to use the consent checkbox approach – many organisations simply detail that email marketing will be sent, and then link to a privacy policy which says the subject has the right to object at any point. It should also be noted that the PECR doesn’t rule out implied consent.
But what about the legal basis for data processing, such as the storage of this personal information, as dictated by the GDPR? What legal basis should marketers use here?
Relying on legitimate interests then?
Here’s what the ICO guidance on consent has to say:
In some limited circumstances you might be able to overturn this presumption and argue that consent might be valid even though it is a precondition and the processing is not strictly necessary, but this would be unusual…you would always be taking a risk that the consent would be considered invalid as not ‘freely given’. In general, it would be better to rely on ‘legitimate interests’ as your lawful basis in such cases, combined with a clear and transparent privacy notice.
So, on your lead generation forms you may seek the data subject’s consent to electronic marketing (or implied consent for businesses), but the legal basis for other data processing (e.g. the storage of data, the analysis of it, perhaps direct mail) could be legitimate interests. N.B. There are no plans by the WP29 to release guidance on legitimate interests (further than that released in 2014), but there is plenty of discussion afoot.
Of course, other legal bases may also be relevant. For example, if you are entering into a contract with the data subject, the contract basis may be most appropriate.
Note that double opt-in is not specified in the GDPR
Though there are many people who recommend double opt-in (i.e. sending a confirmation email that must be clicked) as the best way to confirm consent to electronic marketing, the GDPR does not specify double opt-in as necessary.
Of course, that doesn’t mean that double opt-in isn’t a good way to keep your database clean.
Marketers have to be clear about how they intend to use personal data
Reading all the guidance available, the overarching principles of the GDPR come across loud and clear – marketers need to strive for transparency, collecting data for specific, explicit and legitimate purposes.
As long as marketers are clear with data subjects in their privacy notices, and understand the interplay of the PECR and GDPR, they should be fine.
As the WP 29 puts it, “a purpose that is vague or general, such as for instance ‘improving users’ experience’, ‘marketing purposes‘, ‘IT-security purposes’ or ‘future research’ will – without more detail – usually not meet the criteria of being ‘specific’.”
Lead generation doesn’t give marketers the right to keep data in perpetuity and use it wherever they see fit. Get planning your lead generation campaigns early, otherwise you may come unstuck.
Note that this article represents the views of the author solely, and is not intended to constitute legal advice.
Econsultancy offers online and face-to-face training in GDPR for marketers.
Thanks for publicising the ICO’s “Consultation: GDPR consent guidance”.
At first sight this destroys the business model of the big social networks, because the imbalance of power vs private citizens means they can never get legal consent for anything, but we’ll see.
And the whole business of granularity seems a huge kludge. If something is strictly necessary it doesn’t need separate consent. For example, if you integrate everything so data sharing is an integral part of all your processes, then marketers don’t need separate consent for it.
I know what I’m going to be reading this week!
https://ico.org.uk/media/about-the-ico/consultations/2013551/draft-gdpr-consent-guidance-for-consultation-201703.pdf
Worth adding that the ePrivacy Regulation when it comes in may require B2B marketing to use consent as a legal basis for email.
Thanks for writing Ben.
Basically, its really unclear isn’t it? B2B marketers ‘could’ be compliant by using legitimate interest for processing and, perhaps, doing the same under PECR to ‘target’ their email at business contacts (corporate subscribers) who fill in their forms.
But legislators have made this so unclear that doing so, I fear, leaves businesses open to unfair and inaccurate challenges over their compliance to one or more regulations.