Disclaimer: this is informed advice but not legal advice.
On 25th May 2018, GDPR came into force in the EU. Many marketers have questions about which types of marketing now require consent. This article covers the following types of marketing, and explains what consent is now required: Personalize Web & Email, Cart & Browse Abandon Emails, Gated Content, Bulk Email, Targeted Social Marketing, Targeted Advertising, Leadgen by Telephone or Email, Data Collection.
EU marketers face two main pieces of legislation, the recent “General Data Protection Regulation” (GDPR) and the 15-year-older “Directive on privacy and electronic communications” (PECR), together with their linked local laws. As the UK Information Commissioner’s Office (ICO) states, “You need to comply with both GDPR and PECR for your business-to-business marketing.”
Regarding GDPR consent, most first-party marketing should be done without GDPR consent, using “legitimate interests”. The ICO states, “let’s be clear. Consent is one way to comply with the GDPR, but it’s not the only way” and “Consent is one lawful basis for processing, but there are five others. Consent won’t always be the most appropriate or easiest”. And the GDPR states, “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest” (GDPR preamble 47).
Regarding PECR consent, “legitimate interests” hadn’t been invented when the PECR was written, but a lot of first-party marketing should be done using “automatic consent” (my name for it). This is what the ICO means when it says, “Consent should not be a precondition of signing up to a service unless necessary for that service”. For example, whenever an end-user clicks on an email in their inbox, they are making an informed decision to see the content of the email, so it’s as though consent happens automatically.
Let’s drill down into that advice about PECR consent, using the legislation. On 25 May 2018, the definition of consent in the PECR changed to match that of the GDPR (GDPR preamble 11). PECR consent was originally complex, requiring the end-user to decide based on “clear and comprehensive information”, but in copying the GDPR the information requirements were relaxed to “easily accessible” and “clear and plain” (GDPR article 7.2). This GDPR-style consent also provides automatic consent for first-party marketing, because “Consent should be given by […] conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data” (GDPR preamble 32). So, as in my previous paragraph, when an end-user opens a marketing website or marketing email, they expect to see and want to see all the marketing content, including dynamic content and personalization, and their action (conduct) automatically provides consent.
So when exactly do marketers need GDPR/PECR Consent to use Personal Data for Marketing?
No for Data Collection, provided there’s a legal basis (probably consent or legitimate interests) for how the data will be used.
No for first-party marketing (such as personalization of web and email, popovers, and triggered messaging) which is fine using GDPR legitimate interests and PECR “automatic consent”, and does not need GDPR-style consent.
No for B2B off-site marketing (such as bulk emails) and targeted third-party marketing (such as adverts, sponsored social posts and lead-gen by phone or email).
Yes (consent needed) for B2C off-site marketing (such as bulk emails) and targeted third-party marketing (such as adverts and sponsored social posts).
Let’s analyze consent in a bit more detail…
Data Collection: (No Consent is Needed)
There’s no such thing as GDPR consent for the data itself; consent attaches to a purpose. See GDPR article 5.1, “Personal data shall be […] collected for specified, explicit and legitimate purposes […] limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’)”.
Under GDPR, you’re not allowed to collect data without having a specific purpose for it, and, where consent is necessary, you ask for consent to the purposes of the data, not to collecting the data itself. And because the PECR now uses the same definition of consent, it works the same way.
You must tell data subjects what data is collected and the purpose(s), what it will be used for – using clear and plain language – and help them to use their GDPR individual rights. And you may need consent for the purpose. Here is a simple Legitimate Interests Assessment for this issue.
Personalize Web & Email, Cart & Browse Abandon Emails, Gated Content: (No Consent Needed)
Because these are first-party marketing, consent is not necessary for personalization of them, and processors can do this as a “legitimate interest” (GDPR) or “automatic consent” (PECR). Basically, the marketing is happening because the end-user actively requested marketing (e.g. by clicking on a link on your marketing website), so there’s no need for a consent form.
You must tell data subjects what data is collected and the purpose(s), what it will be used for – using clear and plain language – and help them to use their GDPR individual rights. Here are the corresponding GDPR Legitimate Interests Assessments: Personalize Web and Email, Cart Abandon, Browse Abandon, Gated Content.
B2C: Bulk Email, Targeted Social Marketing, Targeted Advertising (Consent Needed)
These are types of marketing where you definitely need the data subject’s permission. Often, this is by including consent checkbox(es) on a data entry form where you collect personal data, or by having a separate form requesting the marketing.
There are several ways to explain this, but how I see it is that these types of unsolicited marketing infringe the data subject’s right to a private life by interrupting them, and therefore can only be done with consent. You must get this consent when you collect the data that will be used for bulk email (e.g. the subject’s name and email address on a signup form) – using clear and plain language – and tell them about their GDPR individual rights. Here is a Legitimate Interests Assessment: Bulk Email.
B2B: Bulk Email, Targeted Social Marketing, Targeted Advertising, Leadgen by Telephone or Email (No Consent Needed)
Where the data subject is a company representative whose job includes handling inbound requests, contact can be made by legitimate interest/automatic consent. There’s no need for a consent form. Taking such a job is “conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data” (preamble 32).
You must tell data subjects what data is collected and the purpose(s), what it will be used for – using clear and plain language – and help them to use their GDPR individual rights. Here are the Legitimate Interests Assessments: Bulk Email, Leadgen by Phone, Leadgen by Email.
There is debate about whether marketing to sole traders is really B2B, because in tax law a sole trader business is the same legal entity as the person doing the trading. But I prefer to point to the facts on the ground: a sole trader business will typically have separate social media business pages and a separate business email address, showing that founders believe communicating with their business is not the same as communicating with them privately.
Bonus links: Which Privacy Laws apply to you?
The following reference pages allow you to find which privacy laws apply to you and your customers. (We are not responsible for the content of external sites.)
Data Protection Laws around the world, a clickable map from DLA Piper.
Data protection registrars around the world, a clickable map from CNIL (registrars are regulators who provide advice).
Privacy Laws by Country, brief descriptions from privacypolicies.com.
Data Protection Laws, Acts or Regulations, a list with links to the legal texts, from michalsons.