
The GDPR consent dilemma: is there an alternative?

It’s a huge burden for marketers aiming to stay on the right side of the law – and the customer – but deciphering and complying with the forthcoming changes in data protection regulations (GDPR and ePrivacy Regulation) are creating a major consent dilemma for businesses across the UK. Take heart! Here’s some help and guidance from those at the coalface who have been examining how ‘legitimate interests’ might apply.

Stricter rules on consent, under the EU General Data Protection Regulation, are causing a headache for marketers. With the 25th May 2018 deadline looming, there is some frustration in the industry about what preparations are necessary to comply. Additional guidance from the UK Information Commissioner’s Office, and at EU level, is eagerly sought.

Adding to the regulatory burden on top of the GDPR is the prospect of an ePrivacy Regulation governing electronic communications. Replacing the EU ePrivacy Directive (which gave us PECR in the UK), the aim is for this new regulation to come into force in line with the GDPR next year. However, the final text has yet to be published and rumours are growing it may be delayed.

It’s becoming increasingly apparent that planning for the future isn’t easy.

Why will obtaining consent be tougher?

What we do know is the GDPR stipulates consent must be ‘freely given, specific, informed and unambiguous’. The Regulation continues: ‘Silence, pre-ticked boxes or inactivity should not therefore constitute consent.’

In its Draft Consent Guidance published in March, the UK Information Commissioner’s Office (ICO) interpreted this to mean: ‘Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of consent by default.’

The UK regulator went on to say consent must be granular; it mustn’t be a pre-condition or bundled in with terms and conditions. Perhaps most alarmingly for many was the requirement for third parties, with whom data would be shared, to be named. These are tough conditions for many marketers to meet and still hit their revenue targets.

The final ICO guidance on consent had been expected in June, then was moved to ‘summer’ and now more rumours circulate that it will be further delayed. I have heard it might even be as late as December – just five months before the GDPR comes into play. Many will be praying that, when it finally arrives, some rules will be relaxed; others will be fearing they won’t be.

What the ICO did stress in its draft was that consent should only be used if consumers can be given a genuine choice. If they cannot, alternative grounds for processing should be considered.

What’s the alternative to consent?

If you are unable to provide individuals with a genuine choice, you could consider relying on legitimate interests (GDPR Article 6.1(f)). This is a route that may prove popular specifically for postal marketing communications. However, this shouldn’t be viewed as an easy alternative. It needs careful consideration – the interests of an organisation must not be outweighed by the privacy rights and freedoms of individuals. You need to establish if the processing is necessary and would be in the reasonable expectations of the individual. You are also required to effectively communicate your use of legitimate interests and uphold the right to object to processing under such grounds.

The Data Protection Network (DPN) has recently published Guidance on the use of Legitimate Interests under the GDPR (sign up for the guidance free), to help organisations assess how and when legitimate interest might be used. The guidance was made possible by contributions from the UK DMA, ISBA and some of the UK’s largest companies and institutions, and has been welcomed by the ICO and the DPC in Ireland. The guidance includes:

  • understanding what legitimate interests are
  • examples of where such interests might apply
  • a template for conducting a Legitimate Interests assessment (LIA) – the crucial ‘3 state test’
  • examples for how organisations might communicate the use of legitimate interests to their customers.

Consent dilemma: what about the soft opt-in?

This somewhat ambiguously named term brings us back to the proposed ePrivacy Regulation. As it stands at the moment, marketing to individual consumers via email requires consent, unless you:

  • obtained the details from the individual during a sale or enquiry
  • are only marketing your own products and services, and
  • provide the chance to object (opt-out) at the point of collection and in each subsequent marketing communication

‘Soft opt-in’ is not a way of collecting consent – by using this mechanism you are essentially relying on your legitimate interests to do so. What remains to be seen is the final ePrivacy text. In the draft text published at the beginning of the year, the soft opt-in was retained, but its scope limited to ‘in the context of the sale of a product or service’, rather than the current PECR wording allowing for it to be used in the context of ‘negotiations of a sale’. Again, we await further clarity.

What about B2B marketing comms?

The draft text of the ePrivacy Regulation is ambiguous as to whether a distinction can be drawn between corporate and individual email addresses. Will it still be possible to use opt-out for the former? The text could be read that it will be permissible for individual EU member states to make a provision for this under national law. However, even if this exemption stands, named corporate data – for example: john.smith@company.com – is personal data and would therefore need to be processed in line with the GDPR. A choice would need to be made, therefore, between using consent or legitimate interests for sending electronic B2B communications.

Yet again, the devil is in the detail.


Author: Philippa Donn
Editor at Data Protection Network | www.dpnetwork.org.uk

Philippa Donn is editor of the Data Protection Network and an associate at Opt-4 (opt-4.co.uk), where she advises clients on data protection issues, bringing day-to-day guidance on implementing data protection strategies to minimise risk to brand reputation. Philippa is an advocate of balancing best practice in compliance with commercial imperatives. Before joining Opt-4, she worked for nine years in compliance for two major UK data suppliers. Prior to that she spent 13 years in broadcast journalism.
