Has opt-in suffered a blow?
It’s now official that opt-in for all forms of direct marketing has not proven a success for the RNLI, despite earlier reports to the contrary. The decision, taken four years ago, to make a move to collecting a clear opt-in consent to send marketing and communications has over time led to a shortfall in funds.
The charity says that, while well intentioned, the move had a bigger impact than anticipated and it’s now necessary to make changes so they can, ‘attract new supporters, raise vital fund, share safety advice and engage with people.’ Prior to adopting an opt-in approach the RNLI says it had a database of two million supporters, by 2018 this had fallen to half a million.
In a statement published this week, the RNLI’s Fundraising Director Jayne George said from 3rd October, ‘We’ll be moving to a Legitimate Interest-based approach to marketing and communications, which is fully compliant with data protection regulations and is in line with the approach taken by many other major charities.’
After seeking clarification on this the RNLI confirmed to the DPN they would continue to rely on consent for email marketing communications.
The RNLI also informed us that they won’t buy cold lists for either mail or telephone, and said marketing activity would be directed at individuals who had come into them and read a legitimate interests’ statement. A spokesperson said, ‘We will not be sending cold direct mail addressed to individuals or carrying out door-to-door fundraising. We will consider using door drops for some key activity, like fundraising appeals and sharing relevant safety advice to communities.’
Opt-in, even prior to GDPR, is cited as the most transparent and open way of collecting permission for marketing and is referenced as the ‘best approach’ by the UK Regulator (the ICO). However, many organisations feared switching to a consent regime would damage their business and some others incorrectly believed consent was the only approach for all channels. While there have been some reported success stories these fears may be reinforced by the RNLI’s announcement.
Switching your lawful basis
There’s some debate as to whether you can have two different lawful bases for essentially the same purpose, and/or whether you can change your lawful basis for a specific purpose. The ICO’s guidance on lawful basis for processing makes it clear that you can’t simply swap to another lawful basis at a later date, if it doesn’t work out. The guidance states, ‘You must determine your lawful basis before starting to process personal data. It’s important to get this right first time. If you find at a later date that your chosen basis was actually inappropriate, it will be difficult to simply swap to a different one. Even if a different basis could have applied from the start, retrospectively switching lawful basis is likely to be inherently unfair to the individual and lead to breaches of accountability and transparency requirements.’
The RNLI has confirmed to the DPN it will continue to rely on consent where this has been obtained for existing supporters and will only rely on legitimate interests moving forward for new supporters. They told us, ‘For those supporters who have already opted in, we will continue to respect their preferences. We had over 500,000 opt in-to RNLI communications in recent years. Moving forward, relying on legitimate interest for new supporters will provide us with a greater opportunity to talk about our need to raise funds, share lifesaving messaging and offer a better level of service to our supporters and donors.’
The decision by RNLI to change its approach and move away from consent for direct mail and telemarketing goes to demonstrate that consent can prove hard to obtain and that consent is not always the only way.
For reference: How can you ensure your direct marketing is compliant?
Organisations need to comply with both GDPR and PECR when it comes to their direct marketing activities by telephone, email, SMS or social media. Direct mail is not covered by PECR, so just GDPR applies.
GDPR requires organisations to have selected an appropriate lawful basis for each processing activity. There are 6 lawful bases, but for direct marketing the only viable options are consent or legitimate interests.
When do you need consent?
PECR stipulates that you must not send marketing messages by email or text to ‘individual subscribers’ without consent, unless an exemption applies.
When are you not required to have consent?
In some circumstances, organisations have a choice on whether to rely on consent as their lawful basis or whether to rely on legitimate interests for direct marketing activities (subject to an balancing-test assessment).
Soft Opt-in Exemption
PECR contains an exemption to the consent requirement for email and texts, which is commonly and rather ambiguously referred to as the ‘soft opt-in’. This only applies if the following conditions are met:
- You have obtained the contact details in the course of a sale (or negotiations of a sale) of a product or service
- You are only marketing your own similar products and services
- You provided a simple opportunity to refuse or opt-out of the marketing, when you first collected the contact details and in every subsequent communication.
The ICO’s guide to PECR states; ‘The soft opt-in rule means you may be able to email or text your own customers, but it does not apply to prospective customers or new contacts (e.g. from bought-in lists). It also does not apply to non-commercial promotions (e.g. charity fundraising or political campaigning).’
Business to Business marketing communications
PECR distinguishes between individual subscribers and corporate subscribers. For the latter, the rules on consent for emails/texts and the “soft opt-in” exemption do not apply. Be aware, the definition of individual subscribers includes sole traders and some partnerships. And to clarify a subscriber is the ‘customer’ who has a contract with the service provider. So, for example I am an ‘individual subscriber’ for my personal email account, but a ‘corporate subscriber’ for my business email address.
In brief, under PECR you must not make marketing calls to anyone who has told you they don’t want your calls. Additionally, you shouldn’t make calls to any number registered with the Telephone Preference Service (TPS) or Corporate Telephone Preference Service (CTPS). There are more specific rules on telemarketing in the ICO’s Guide to PECR.
What conditions need to be met when relying on Legitimate Interests?
Much has been made of the stricter requirements under GDPR for consent to be valid, however reliance on legitimate interests isn’t just a case of saying ‘it’s legitimate’. The law requires organisations to balance their interests with the rights and freedoms of individuals and cannot proceed if the latter are over-riding. Organisations relying on legitimate interests need to conduct an balancing-test assessment, furthermore they should be transparent and take appropriate steps to communicate their reliance on legitimate interests to individuals.
What does the future hold?
It’s worth keeping a breast of developments with the new ePrivacy Regulation. The final text is yet to be finalised but it could have an impact on direct marketing activities. ePrivacy Regulation – What’s happening?
Philippa Donn, 2nd October 2019
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.