GDPR Shocker -- Did Email Marketers Just Win A Get Out Of Jail Free Card?

You can almost hear the "whoop" of joy around the DMA as it announces to members that the latest guidance by the ICO on implementing GDPR includes "legitimate interest" as a lawful alternative to outright consent. 

As the organisation for direct marketers points out, this has been an issue that it has raised with the ICO for quite some time now. The debate has raised a very interesting subject -- what other legal ways can an organisation process someone's data without explicit consent. It turns out there are five other legal ways to process someone's data if consent is not possible or is not the most appropriate way of remaining GDPR-compliant. These generally tend to be where the processing of data is vital to that person, is legally necessary, where there's an imbalance of power and so consent cannot be freely given, where it's necessary to perform a public function or where there is a contact which stipulates you're going to process that person's data. 

The issue of "legitimate interest" is a very interesting legal alternative to outright, freely given informed consent, as denoted by an affirmative action -- that's pretty much how GDPR rules define consent. With legitimate interest the organisation has to be able to show that is in the interests of the person or business concerned to have their data processed. Profit is not an issue here, as that is perfectly acceptable because the law acknowledges that most businesses are not driven by altruistic aims when processing data. 

In fact, it all comes down to having a "good reason" to process data, such as keeping or adding someone on an email marketing list. This good reason has to be balanced against doing the person harm. The company processing the data must, the ICO stresses, be open and transparent, and not cause the third party any harm. 

Now, when I read the DMA's note about the ICO guidance, I have to admit I was a little bit sceptical. I thought the DMA was clutching at straws, but for companies who may find offering full consent is too difficult or not appropriate, there is the alternative of "legitimate interest."

It sounds like a piece of the regulation that could be easily open to challenge as people try to claim that receiving direct mail shots and email marketing is harmful to them -- but as it stands, if you have a reason to keep someone on your lists, and making money actually counts as one of those reasons, then you can claim a legitimate interest. Presumably, still allowing someone to unsubscribe is a part of being accountable and transparent.

So I'm really not sure how to sign off here. The DMA had always said there would be an alternative to the onerous process of repermissioning people to get a more detailed clear and unambiguous consent and, well, it turns out there is. I am no lawyer, so please don't take my word for it. Read the guidance (pages 11 to 16 are particularly pertinent) and then have an expensive sit down with a lawyer and see what you conclude.

But as to whether there is a lawful alternative to consent in being GDPR-compliant, the ICO is surprisingly stating that there clearly is. 

1 comment about "GDPR Shocker -- Did Email Marketers Just Win A Get Out Of Jail Free Card?".
Check to receive email when comments are posted.
  1. Roy Smith from PrivacyCheq, March 8, 2017 at 10:39 a.m.

    We found the ICO proposal to be surprising as well. I wanted to make a few points that were missing in your post.  

    (1) The ICO publication is not the final word on this from the ICO, they are putting this out for "consultation" from public and industry until the end of March, and presumably this input will help inform a later, final 'code of conduct' publication. A version of this guidance was 'leaked' in December and it was quite different from the February version, illustrating that major changes between versions are very possible.

    (2) It should be noted that as an agency of the UK which will shortly be exiting the EU, the ICOs guidance on this matter may or may not be adopted by the rest of the EU DPAs as the final word on consent or legitimate interests.  We are in uncharted territory as the UK prepares to exit and other EU member states might not agree with the ICO's loosening of consent requirements. 

    In other words, in our opinion, it's still very early for the AdTech industry to declare victory on this issue.


Next story loading loading..