With time running out everyone is feverishly trying to ensure compliance with the GDPR. But while focusing on the GDPR, are the current rules surrounding electronic marketing communications being forgotten? I’m seeing a few blank faces when raising the fact such communications will not only need to comply with the GDPR, but will also need to stick to the rules within the UK’s Privacy and Electronic Communications Regulations (PECR).
It was anticipated that a new EU ePrivacy Regulation (governing electronic communications) would be enforced in line with the GDPR; however, it has now been confirmed this will be delayed until 2019. We now know for certain that come 25 May 2018, PECR will sit alongside the GDPR, as it currently does with the Data Protection Act.
PECR gives marketers specific rules concerning sending marketing emails, text messages or conducting telemarketing calls. Marketers also need to consider the lawful basis they’re relying on under the GDPR for processing personal data for marketing purposes.
There are 6 lawful bases for processing under the GDPR (Article 6) and, of these, two are appropriate for direct marketing activities: Consent or Legitimate Interests. The GDPR specifically says in Recital 47: “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”. But be aware, when relying on either of these lawful bases there are specific requirements and conditions that must be met.
Under PECR, in some circumstances you will have to obtain Consent; and this Consent will need to meet the GDPR standard to ensure it is valid. See the ICO’s Guide on Consent.
When do you need Consent?
Email/Text: PECR stipulates that you must not send marketing emails or texts to “individual subscribers” without specific Consent (unless an exemption applies).
When are you NOT required to have Consent?
Email/Text: There is an exemption within PECR, rather ambiguously known as the “soft opt-in”, whereby you can send emails/texts without Consent as long as the following conditions are met:
– You have obtained the contact details in the course of a sale (or negotiations of a sale) of a product or service
– You are only marketing your own similar products and services
– You provided a simple opportunity to refuse or opt-out of the marketing, when you first collected the contact details and in every subsequent communication.
This means you may be able to email or text your own customers without Consent, but this will not apply to prospective customers, bought-in lists, and in general does not apply to non-commercial promotions, e.g. charities.
Business contacts: PECR distinguishes between individual subscribers and corporate subscribers. For the latter, the rules on Consent for emails/texts and the “soft opt-in” exemption do NOT apply. Another point to be aware of: the definition of individual subscribers includes sole traders and some partnerships.
Telemarketing: In brief, PECR stipulates that you must not make marketing calls to anyone who has told you they don’t want your calls. Additionally, you shouldn’t make calls to any number registered with the Telephone Preference Service (TPS) or Corporate Telephone Preference Service (CTPS). In a business-to-business context, it is advisable to screen numbers against both lists, to ensure you don’t call sole traders or some partnerships. There are more specific rules on telemarketing in the ICO’s Guide to PECR.
What do I need to do if I’m not relying on Consent?
If you choose not to rely on consent for any of your marketing channels, you’ll still require a lawful basis to process personal data for this purpose under the GDPR: Legitimate Interests. It isn’t as simple as thinking “this is reasonable; it is legitimate.” Recital 47 says direct marketing may be a legitimate interest but it also says:
Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place.
You are required to carry out an assessment (LIA) and would be wise to document it. An LIA comprises a 3-stage test:
1. Identify a Legitimate Interest
2. Carry out a Necessity Test – consider whether the processing of Personal Data is “necessary” for the pursuit of your commercial or business objectives
3. Carry out a Balancing Test – you can only rely on a genuine Legitimate Interest where the rights and freedoms of the individual whose Personal Data will be processed have been evaluated AND these interests do not override the Controllers’ Legitimate Interest
The ICO has published detailed guidance on Legitimate Interests and the Data Protection Network has also published industry-led Legitimate Interests Guidance which includes examples of where LI may apply and an LIA template.
A further point to be aware of: if you are considering relying on Legitimate Interests for the processing of existing customer data, to comply with the GDPR, you should notify individuals of this.
Why might you opt for Consent?
The bar is set high under the GDPR for Consent to be valid; however, it does offer organisations more legal certainty, Legitimate Interests being by its very nature subjective. There is also a growing expectation from consumers that they should be asked to “opt-in” to receive marketing communications. This expectation can only increase as publicity surrounding the GDPR grows. Furthermore, in tests the data protection consultancy Opt-4 has conducted on consumer attitudes to permission statements, the message is abundantly clear that people dislike opt-out boxes. They are perceived as confusing, misleading or a deliberate attempt to “trick”.
And finally, don’t forget ePrivacy
On 25 May we will have the GDPR and PECR, but the ePrivacy Regulation is looming in 2019. The current draft text raises some uncertainties, concerns and considerations for marketers.
– Will it distinguish between corporate users and individual users? (current draft does NOT)
– Will the “soft opt-in” exemption remain? (currently it DOES but with a limited scope)
– Will the definition of direct marketing be very broad and potentially apply to all advertising? (currently undecided)
The staggering of new legislation undoubtedly means marketers need to be even more mindful. Think the GDPR and PECR for now and consider the potential ePrivacy impact.
Philippa Donn, February 2018
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.