Disclaimer: this is informed advice but not legal advice.
On 25th May 2018, GDPR came into force. Many marketers have questions about which types of marketing now require consent. This article covers the following types of marketing, and explains what consent is now required: Personalize Web & Email, Cart & Browse Abandon Emails, Gated Content, Bulk Email, Targeted Social Marketing, Targeted Advertising, Leadgen by Telephone or Email, Data Collection.
What are the GDPR and PECR?
Marketers face two pieces of legislation, the recent "General Data Protection Regulation" (GDPR) and the 15-year-older "Directive on privacy and electronic communications" (PECR). As the UK Information Commissioner's Office (ICO) states, "You need to comply with both GDPR and PECR for your business-to-business marketing." NB: the PECR lacks "legitimate interests" but fortunately its definition of consent has been updated to copy the GDPR.
Regarding GDPR consent, most first-party marketing should be done without GDPR consent, using "legitimate interests". The ICO states, "let’s be clear. Consent is one way to comply with the GDPR, but it’s not the only way" and "Consent is one lawful basis for processing, but there are five others. Consent won’t always be the most appropriate or easiest". And the GDPR states, "The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest" (whereas 47).
Regarding PECR consent, "legitimate interests" hadn't been invented when the PECR was written, but a lot of first-party marketing should be done using "automatic consent" (my phrase). This is what the ICO means when it says, "Consent should not be a precondition of signing up to a service unless necessary for that service". For example whenever an end-user clicks on an email in their inbox, they are making an informed decision to see the content of the email, which is necessary for their email client to work properly, so it's as though consent happens automatically.
Let's drill down into that advice about PECR consent, using the legislation. On 25 May 2018, the definition of consent in the PECR changed to match that of the GDPR (whereas 3). PECR consent was originally complex, requiring the end-user to decide based on "clear and comprehensive information" (regulation 6.2), but in copying the GDPR it became "easily accessible", "clear and plain" (article 7.2). This GDPR-style consent also provides automatic consent for first-party marketing, because "Consent should be given by [...] conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data" (whereas 32). So, as in my previous paragraph, when an end-user opens a marketing website or marketing email, they expect to see and want to see the marketing content, so their action (conduct) automatically provides consent.
So when exactly do marketers need GDPR/PECR Consent to use Personal Data for Marketing?
No for first-party marketing (such as personalization of web and email, popovers, and triggered messaging), which is fine using GDPR legitimate interests and PECR "automatic consent", and does not need GDPR-style consent.
No for B2B off-site marketing (such as bulk emails) and targeted third-party marketing (such as adverts, sponsored social posts and lead-gen by phone or email).
Yes (consent needed) for B2C off-site marketing (such as bulk emails) and targeted third-party marketing (such as adverts and sponsored social posts).
No for Data Collection.
Let's analyze those in a bit more detail...
Data Collection: (No Consent is Needed)
There's no such thing as GDPR consent for data collection because that would conflict with data minimization. See GDPR article 5.1, "Personal data shall be [...] collected for specified, explicit and legitimate purposes[...] limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’)". You're not allowed to collect data without having a specific purpose for it.
Under GDPR you ask for consent, if necessary, for the purpose(s) the data will be used for, not for collecting the data itself. And because the PECR now uses the same definition of consent, it's the same there.
You must tell data subjects what data is collected and the purpose (what it will be used for) and you may need consent for that purpose. But you don't need to get consent that's specifically for data collection. Here is the Legitimate Interests Assessment.
Personalize Web & Email, Cart & Browse Abandon Emails, Gated Content: (No Consent Needed)
Because they are first-party marketing, consent is not necessary for personalization and processors can do this as a "legitimate interest" (GDPR) or "automatic consent" (PECR). The marketing is happening because the end-user actively requested marketing (e.g. by clicking on a link on your marketing website). There's no need for a consent form.
You must tell data subjects what data is collected and what it will be used for - using clear and plain language - and help them to use their GDPR individual rights. Here are the corresponding GDPR Legitimate Interests Assessments: Personalize Web and Email, Cart Abandon, Browse Abandon, Gated Content.
B2C: Bulk Email, Targeted Social Marketing, Targeted Advertising (Consent Needed)
These are types of marketing where you definitely need to collect the data subject's permission, probably using a consent form.
These types of unsolicited marketing infringe the data subject's right to a private life and they can only be done with consent. You must also tell data subjects what data is collected and what it will be used for - using clear and plain language - and help them to use their GDPR individual rights. Here is a Legitimate Interests Assessment: Bulk Email.
B2B: Bulk Email, Targeted Social Marketing, Targeted Advertising, Leadgen by Telephone or Email (No Consent Needed)
Where the data subject is a company representative whose job includes handling inbound requests, contact can be made by legitimate interest/automatic consent. There's no need for a consent form. Taking such a job is "conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data" (whereas 32).
You must also tell data subjects what data is collected and what it will be used for - using clear and plain language - and help them to use their GDPR individual rights. Here are the Legitimate Interest Assessments: Bulk Email, Leadgen by Phone, Leadgen by Email.