You might, but should you really care? Gillian Scribbins, in Muckle LLP's data protection legal team, tackles the key question on every marketer's lips.
A silent war of wills is raging in our office at the moment, and it’s akin to many we know to be going on in businesses throughout the North East, and we suspect in offices Europe over.
The bone of contention is this: can we continue direct marketing to our existing customer database after the 25 May? The camps are divided – ‘yes, we have a legitimate interest’, and ‘no, we don’t have compliant consent’.
As in any good debate, there is no right or wrong answer. At the recent Direct Marketing Association (DMA) conference, Elizabeth Denham, the UK’s information commissioner, explained that the sticking point arises because we are waiting for an update to the Privacy and Electronic Communication Regulation (PECR), which sits alongside GDPR.
At the minute PECR allows for a soft opt-in, where businesses can assume that certain existing or former customers are happy to receive direct marketing, subject to certain conditions. However, this looks set to change and all consumers will be required to actively opt in to receive direct marketing.
Legitimate interests
The DMA and others successfully lobbied for legitimate interests to be a lawful basis for direct marketing under GDPR. However, because of the way GDPR corresponds with PECR, it is only really an option for B2B marketing, postal marketing and for emails to soft opt-in customers.
And there are conditions to using legitimate interests as a legal basis for direct marketing. You need to declare what that legitimate interest is, and you need to be sure it isn’t overridden by the interests or fundamental rights and freedoms of the person you are contacting.
Consent
Consent is the only other basis you can rely on to send direct marketing, but it’s not as simple as clicking yes. Consent is stricter now than it has been, meaning even if at one point you had consent, it may not fulfil all the criteria of consent under GDPR.
So what does this look like in practice?
If you’re completely satisfied that everyone on your marketing database is an existing or former customer, who has recently engaged with you and has not requested to unsubscribe; your communications always provide a clear option to unsubscribe; and your marketing is only for products or services similar to what they have purchased from you in the past, then you have a soft opt-in legitimate interest to continue email marketing (not phone or text) to these customers.
If you are not confident of the above, then you need new, GDPR-compliant consent. This means an active opt-in that is specific and granular, clear and separate from any other service: an affirmative action which confirms that an individual wants to receive electronic marketing from your organisation, and via which medium.
If your marketing goes via a third party, then that needs to be explained as well, and every subsequent communication should remind customers they can withdraw their consent at any time.
You can read lots more on consent and legitimate interests at www.ico.org.uk. In the meantime, I’ll leave you with another quote from Denham’s address to the DMA: “It seems to me that a lot of energy and effort is being spent on trying to find a way to avoid consent.
“You say you will lose customers. I say you will have better engagement with them and be better able to direct more targeted marketing to them.”