GDPR and Legitimate Interests for Marketing Purposes

Transcript of the Video

Good evening, ladies and gentlemen. Suzanne Dibble here, data protection law expert, coming to you raw and uncut from Thailand today, and struggling with a little bit of a headache, not sure if it's the wine on the plane or the two cocktails at happy hour that I'd hoped were single measures, maybe they weren't. But anyway, I'm going to give you a quick video. I'll try my best, because it is quite a complicated one, and it's an important one, so we'll see how we get on.

Okay, so legitimate interests and marketing, it's probably the most talked about area, well, legitimate interest versus consent in a marketing context is probably one of the most talked about areas of GDPR. I have been thinking about it more today because a good friend of mine, Nicola Bird, posted about Pinterest's new privacy policy that she'd just been sent. She said, "Surely, this isn't compliant, because they're not asking for my consent to show me ads." When we looked at it, it said, because of the cost of the free service, Pinterest is obviously free to use, and it's a considerable cost when you think of the number of users on there and the way that it all works, their legitimate interest in showing adverts to you, so processing your personal data to show you adverts, was a legitimate interest of theirs because in effect that was what funded your free use of Pinterest.

That got me thinking more about legitimate interest and indeed whether, I know we talked previously about, if you have a free opt-in on your website, maybe it's a report or something else of really significant value that you're giving away for free, would you then be able to rely on legitimate interest to say, "Well, because you've had my free opt-in, therefore I'm going to send you my marketing emails, because in a sense that is funding my free opt-in."

So I had a bit of a think about that and I studied the ICO guidance in more detail, and I think that it's questionable, certainly in terms of the freebie opt-in and sending marketing under legitimate interest. But let's work through it. I'm going to post a link to the ICO's guidance on a legitimate interest, which is actually reasonably helpful.

So firstly, it's clear that you can rely on legitimate interest for marketing activities if you can show that how you use people's data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object. Then within that confine, within that context you've also got to think about PECR, the Privacy and Electronic Communications Regulations, which in effect say that if you're sending unsolicited direct marketing emails or texts, any electronic communications to individual subscribers, which also includes sole traders and partnerships, then unless the soft opt-in applies, you have to have their prior consent.

What the ICO is clear about is that you should avoid using legitimate interest if you're using personal data in ways that don't understand and would not reasonably expect, or if you think people would object if you explained it to them. So if you think about it in the context of the freebie and sending follow-up marketing communications, would people reasonably expect that? Well, yes, I think in the context of internet marketing nowadays, then yes, you know, when I sign up for a free report I expect to get some follow-up emails, and I know that I can opt-out of those emails at any time.

Now, the bit that I struggle with is, you should avoid using legitimate interest if you think some people would object if you explained it to them. I think that there would be some people who objected if you explained it to them. Now, if you said to them, I suppose it depends how you explain it to them, if I said to somebody, "It's going to take me 20 hours to produce this really valuable legal report that's going to save you thousands of pounds, because you won't need to go and consult a lawyer one to one. But because of that and because I need to earn a living, and I can't just be working for 20 hours for free, because of that, I need to send you some marketing about my services. Now, obviously, if you don't want them, that's absolutely fine, but I'd love to be given the opportunity to let you know how I can help you."

Now, if I could explain it in that type of way, would people object? You'll probably always get some person, won't you? You know, there's always cantankerous people that would ... But I think that if you explained it on that basis you'd have a reasonable argument, that people wouldn't object to that. The ICO guidance says you should avoid the legitimate interest basis for processing that could cause harm. Well, am I going to cause anyone harm by sending them some marketing emails that they can opt-out from? I don't think so.

What is clear, again from the ICO guidance, is it's really important to do your legitimate interest assessment form, to do that balancing test that we've talked about a number of times; it's in my pack, and to keep a record of the legitimate interest assessment and the outcome. That is stressed a number of times, so if you are relying on legitimate interests, then it's absolutely key to have that documented. Another thing that they stress is to keep the legitimate interest assessment under review and to refresh it if there's a significant change in the purpose, nature, or context of the processing.

If you're relying on legitimate interest for direct marketing, then the right to object is absolute and you've got to stop processing when someone objects. Now, of course, if we're sending marketing emails following-up from our freebie opt-in, then typically we've always got the opt-out, the unconsent, that shows my brain isn't working, the opt-out at the bottom of all of our emails, so of course, you know, if somebody opts-out, we're not going to carry on sending them our marketing, are we?

If you're relying on legitimate interest as your basis, you've got to tell the individuals what these legitimate interests are. As we know, the place to do that is in our new privacy policy, which again is in my pack. I've not seen one like this in a privacy policy yet. Do let me know if you've seen anything like this. But if we set out in our privacy policy, you know, when we produce free reports, and other items of value that are offered to you for free, we're relying on legitimate interest to send you marketing communications because, what I just said about time and effort and all the rest of it. So it would be interesting to know if anyone's seen anything that sets out a legitimate interest in that way in a privacy policy.

Yep, so opt-outs obviously we've talked about. Okay, so legitimate interest, the three-stage test. This is what's in the legitimate interest assessment form in the pack, but in summary, it's a purpose test, which is, is the legitimate interest behind the processing a necessity test? Is the processing necessary for that purpose? Then a balancing test is the legitimate interest overridden by the individual's interests, rights or freedom.

Now, just want to pull out a few things in the guidance that relate to that specifically. Now, you interest has got to be legitimate, okay? So in the context of marketing, let me just scroll down to the relevant bit, there's a lot of guidance here and I haven't got a printer to highlight the bits that I need. Yeah, so it has to be legitimate. Now some forms of marketing may not, and this is in the ICO guidance, some forms of marketing may not be legitimate if they do not comply with other or ethical standards or with industry codes of practice. However, as long as the marketing is carried out in compliance with e-privacy laws, that's things like the PECR that we've just talked about and other legal and industry standards, in most cases it's likely that direct marketing is a legitimate interest.

But again, it says, "However, this does not automatically mean that all processing for marketing purposes is lawful on this basis. You still need to show that your processing passes the necessity and balancing tests." Okay? So for the first bit of the test, that it's legitimate, that's what you've got to consider, okay? Is the marketing legal? Is it ethical? Is it in accordance with industry codes of practice? So spam email would not be legitimate.

Okay, so after the first stage of the test, which is the purpose test, is there a legitimate interest behind the processing? Then you look at the necessity test, is the processing necessary for that purpose? Now, you need to demonstrate that the processing is necessary. That doesn't actually mean that it has to be absolutely essential, which would have been my reading of necessary, but anyway, it doesn't mean that it means it must be a targeted and proportionate way of achieving your purpose. The ICO guidance says, "You need to decide on the facts of each case, whether the processing is proportionate and adequately targeted to meet its objectives and whether there is a less intrusive alternative, i.e. can you achieve your purpose by some other reasonable means without processing the data in this way?"

Okay, so we're talking still about our freebie, and then following up with marketing communications, so we've sent this freebie, we've identified that direct marketing is our legitimate purpose. Now, is the processing proportionate and adequately targeted to meet its objectives, and is there any less intrusive alternative? Well, is it proportionate? I think so, I think it's proportionate. Is it intrusive? You know, my view is that if you've always got that clear opt-out at the bottom, then if people don't want your stuff, they just opt-out, don't they? You know, surely it's not a massive deal for someone to click on unsubscribe if it's clearly shown at the bottom of an email.

Okay, so the next part of the test is the balancing test. You need to assess whether the individual can reasonably expect the processing, taking into account in particular when and how the data was collected. Okay, so this is very relevant in terms of our freebie and follow-on marketing, because particularly the bit where it says, "Taking into account in particular when and how the data was collected." Okay, so how was the data collected? Well, they were signing up for a free bit of content about something that they were particularly interested in. Is it, therefore, reasonable for that individual to expect more information about that specific area of interest? In my view, yes.

And when, when the data was collected. Now, obviously, if you collected the data 12 months ago and then suddenly decided to start marketing to somebody, that would not be as reasonable as if you had a follow-up sequence that maybe a couple of days after they downloaded the report you sent them some relevant information with a promotional offer in there. Okay, clearly there would be more of an expectation of receiving that follow-up email two days after they've signed up for the freebie than 12 months after they have signed up for the freebie.

Now, one of the factors, interestingly, that may affect what individuals reasonably expect is what you tell them in your privacy information. If you include clear information about your processing they are more likely to expect that processing. So again, arguably, if you have in capital letters and bold in your privacy policy, the fact that if you sign up for my free report, we are going to send you marketing emails under the lawful grounds of legitimate interests, then according to the ICO guidance that individual can then reasonably expect the processing, i.e. the follow up marketing, after they signed up for the freebie.

So in my view, after having read all that, and you know I'm a bit of a risk taker anyway, I think that I could mount a pretty good argument for legitimate interest for sending follow-up marketing when people have signed up for a freebie. Now, I did phone the ICO and I asked them about freebies and follow-up marketing, but that was actually in the context of tick boxes and whether you needed a tick box or not, whether it was on the grounds of consent by them entering in their email into the box, and whether you needed a tick box or not. As you might remember, when I reported this, initially their view was, "Oh no, you definitely need a separate tick box for the follow up marketing." But when I probed a bit further, they said, "Oh no, well, it might be okay then." In that, you didn't need that tick box for the follow-up marketing. But this is a different angle, which is, whether you could rely on the grounds of legitimate interests for that follow-up marketing when somebody has signed up for that freebie opt-in.

So final word from the ICO on legitimate interests, you should not look to rely on it simply because it may initially seem easier to apply than other lawful bases such as consent for example. It's not always the easiest option, and in fact, places more responsibility on you to justify your processing and any impact on individuals. In effect, it requires a risk assessment based on the specific context and circumstances to demonstrate that proceeding is appropriating. So it isn't the easy option, and I think you do have to be a little bit of a risk taker to say, "Okay, well I'm going to rely on legitimate interests for sending marketing emails when people have signed up for my freebie."

It'll be obviously very interesting to see if there are any test cases about it or any further guidance. But if any of you are phoning the ICO in the next week or so while I'm in Thailand, then ask them that question. Be really interesting to hear their point of view on that. Do remember with the ICO, if you ask them something they might give you an answer, but if you probe them a little bit further they might change it. So maybe put some of these points to them and see what they say.

So let me see if there's anything else I need to tell you here. Yes, in the context of marketing, okay, so this is specific guidance on marketing, okay? Right, in some cases marketing has the potential to have a significant negative effect on the individual depending on their personal circumstances. For example, someone known or likely to be in financial difficulties, who is regularly targeted with marketing for high-interest loans or gambling sites or anything like that, is a significant negative effect. That would need to be looked at when you're doing that balancing test.

But you should also consider factors such as whether people would expect you to use their details in this way, which we've talked about. But this is interesting, the potential nuisance factor of unwanted marketing messages and the effect your chosen method and frequency of communication might have on more vulnerable individuals. Okay, so they're interesting, aren't they? Then finally it says, "Given individuals have the absolute right to object to direct marketing under Article 21(2). It's more difficult to pass the balancing test if you do not give individuals a clear option to opt-out of direct marketing when you initially collect their details, or in your first communication if the data was not collected directly from the individual. The lack of any proactive opportunity to opt-out in advance would arguably contribute to a loss of control over their data and act as an unnecessary barrier to exercising their data protection rights."

So, interestingly, what they're suggesting here is that next to your, say, freebie opt-in box, you would have a tick box but it wouldn't be an opt-in consent, it would be an opt-out consent. You'd be relying on legitimate interests, you'd need a link to your privacy policy that shows very clearly that you're relying on legitimate interest to send them follow-up marketing communications, and you would have a tick box for an opt-out at that point, and then on each individual email going forwards.

Final note, can we use legitimate interests for our business to business contacts? Business-business here, because of PECR, is limited companies. Yes, it's likely, it's not quite that straightforward of course, yes, it's likely that much of type of processing will be lawful on the basis of legitimate interest, but there is no absolute rule here and you need to apply the three-part test. You're still processing personal data when you're using and holding the names and details of your individual contacts at other businesses, and you must have a lawful basis to process that personal data. You can consider using legitimate interests for such processing, but you still need to go through that three-stage test, okay? So it's more likely that you can rely on legitimate interests for business to business contacts and marketing, but you need to go through that three-stage test.

Okay, good, right, so yes, if you phone the ICO in the next week, then do ask them about legitimate interests for follow-up marketing emails after someone's signed up for a freebie, and let me know. If not, I shall be phoning them myself when I get back to Blighty. But something to think about. Thank you very much for listening. Slightly long one today. Yeah, I'm going to ponder more on this one, going to ponder. Right, ladies and gentlemen, I'll see you tomorrow.