Consent vs Legitimate Interest:
Understanding which legal basis best suits your needs is essential! We know that both legitimate interest and consent have their benefits and downfalls when looking to communicate with consumers. However, depending on the brand, industry sector or channel of communication one or the other can play a major role in the success of the marketing strategy.
What is Consent?
Consent is when the individual has given consent in the form of an ‘opt-in’ for a company to process their personal data for a specific purpose.
Consent requires an organisation to be named at the point of data capture and the consumer must ‘opt-in’ to be contacted by the brand, with the consent statement allowing for unbundled data collection with the boxes never pre-ticked i.e consent requires a positive /affirmative action to be recorded.
It is often seen as the ‘safe’ option when it comes to collecting consumer data for marketing purposes. Whether it is using a tick box or a subscription form, consent offers the consumer a clear choice, ultimately helping to build a brand’s reputation as trustworthy, transparent, and responsible, subject to the below guidelines also being followed:
- The opt – in is a positive action – Reliant on the consumer ticking to receive communication (remember, no pre ticked boxes)
- The statement of consent is clear and unambiguous
- All third-party data controllers are named
- Information on how to withdraw consent is clear and easy to find
- The communication methods and content addressed to the consumer must then fulfil the purposes stated when consent with given
Consent is only one of the lawful bases under which companies can collect consumer data. It gives consumers a choice whether to be communicated with, and by which channel, and ultimately can build a more trusting relationship when it comes to data transparency.
Remember – when data is collected via consent, and the purpose of collecting that data remains the same, it can then also be used under the legal basis of legitimate interest.
What is Legitimate Interest?
Legitimate interest is when you or a third-party have a genuine reason that makes processing the data necessary, and there are no other interests that outranks your business interest. For example, your organisation may be able to demonstrate a legitimate interest in marketing your goods to existing customers in order to increase sales.
Legitimate interest is another of the six lawful bases for processing consumer data for marketing purposes, in line with the ‘lawfulness, fairness and transparency’ regulations. However, whereas consent is centred around a purpose, legitimate interest is more flexible and can apply to a wider range of consumer communications where needed.
When using consent, the consumer’s relationship with the brand is balanced and based on a transactional agreement. When using legitimate interest, the purposes are often less transparent to the consumer but offers more flexibility for marketing purposes. You can rely on using legitimate interest, if you can show how your use of the consumer data is proportionate, has a minimal personal impact and the consumer is unlikely to be surprised or object to what they receive.
To be clear, within the GDPR itself, Direct Marketing is specifically singled out as a legitimate interest. It is important to note however, that unlike data which has been captured under consent, once data is collected under that basis of legitimate interest it cannot then be used for consent-based marketing.
How to apply a Lawful Bases:
Most lawful bases require that processing is ‘necessary’ for a specific purpose. If you can reasonably achieve the same purpose without the processing, you won’t have a lawful basis. Remember, you must determine your lawful basis before you begin processing, and you should document it. Take care to get it right first time – you cannot swap to a different lawful basis at a later date without good reason.
Your privacy notice should include your lawful basis for processing as well as the purposes of the processing. If your purpose does change, you may be able to continue processing under the original lawful basis if your new purpose is compatible with your initial purpose (unless your original lawful basis was consent). If you are processing special category data, you need to identify both a lawful basis for general processing and an additional condition for processing this type of data.
Overall, both consent and legitimate interest serve a purpose. Consent builds a level of trust and brand awareness whilst enabling communication to consumers. Legitimate interest on the other hand, helps brands target a broader consumer or prospect base. There is no one size fits all when it comes to collecting data, so when choosing a lawful basis take care and don’t be afraid to ask for advice!
Check out more of our blogs on lawful bases or get in touch today for advice on data protection:
By Scott Logie, MD, Insight at REaD Group
Many have likened the impending GDPR to a data apocalypse and the end of marketing as we know it. Certainly, if you have been brazen enough to ignore the new regulation altogether and failed to prepare then it is most likely a ‘data hell’ that beckons. However, your actions in the final days before the changing of the guard from DPA to GDPR (and beyond for that matter) will determine whether it’s an apocalypse that awaits, or a nirvana.
There have been countless examples over the years of companies committing data blunders and ‘bad data’ seriously affecting consumer’s perception of a brand’s image. Indeed, research carried out in 2016 found that two thirds (66%) of consumers said that they would boycott organisations that continued to send mailings to a loved one that was deceased .
Given recent events surrounding misuse of data and growing unease and distrust from consumers around how their data is used, it seems likely that this figure will only have grown.
In 2014 a woman in California received a credit card offer from Bank of America addressed to ‘Lisa is a…(well, let’s just say a rather offensive word that rhymes with mutt…) McIntyre ‘. A photograph of the offending letter was shared on Twitter and subsequently went viral. While this is perhaps a fairly amusing example of inaccurate data backfiring – and luckily for the bank in this case Lisa saw the funny side – it certainly highlights the importance of ensuring that your database is clean before running a campaign.
Similarly, there is the infamous ‘Dear Rich b**tard’ incident, which has now passed into marketing urban legend. After doing my own research into the origins and validity of this story I discovered that this particular gem of a blunder was carried out by a small UK based company in the early 1990s. After a programmer classed poorly formatted data under the placeholder phrase ‘Rich B**tard’ this was never updated, resulting in mailings being sent out addressed ‘Dear Rich B**tard’. A small mistake to make, but one that could have been far more serious, and costly. Interestingly the company was later contacted by a prospective customer who was indignant that he had not been contacted in this manner as he felt that he qualified for such a title!
I remember a bank a few years ago who mistakenly mailed all of their suppressed records (including deceased and goneaway contacts) instead of suppressing them. As you can imagine they were inundated with complaints from angry consumers…but at the same time received an amazing response rate!? Rather than advocating this mistake, this merely promotes the argument for keeping track of relocated consumers and looking at new occupiers.
Perhaps one of the most distressing and horrific mistakes related to inaccurate data happened in 2014 to a recently widowed woman from Cardiff. After her husband passed away she was bombarded with mailings from her husband’s mobile provider demanding overdue payments and offering new tariffs and deals. Despite attempts to inform the company that her husband had passed away, the mailings continued and became less friendly in tone. Following three visits to a branch, on one occasion bringing her husband’s ashes and death certificate with her, the matter was finally resolved after a huge amount of unnecessary distress and anguish to her and her family had been caused.
This is an extreme example, but the brand damage and bad publicity such an error could cause is enormous – the coverage of the story was incredibly widespread at the time. But it could all have been so easily avoided.
With data cleaning solutions readily available, and with the advent of DaaS (Data as a Service) allowing data to be cleaned in real time, there really is no excuse for having data that is not accurate and up to date.
Article 5 (d) of the new Regulation states that data must be kept accurate and up to date or deleted. This is not something that is up for debate or a nice-to-have, but something that will be enforced in law. Failure to comply with this aspect of GDPR will result in potentially hefty fines from the ICO.
 Wilmington Millennium, The True Cost of Mailing the Dead: Brand Damage, 2016
We are now less than two months away from the day that has been striking fear into businesses across Europe (and beyond) for the best part of a year – 25th May 2018. However, there is a particular aspect of the new regulation that many have overlooked, assigned a low priority to or simply ignored. The regulation is a comprehensive document containing 99 articles in total, but Article 5 (Principles relating to processing of personal data) appears to have slipped under the radars of many.
GDPR Article 5 (1) (d) requires that data be accurate and kept up to date or DELETED. Once the implementation phase of GDPR ends on May 25th and the regulation is enforceable, this will be law – no ifs, ands or buts.
‘‘(…) personal data shall be:
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;’’
There is no doubt that data has become an integral part of how many businesses function today, but it is crucial to ensure that this data is the RIGHT data.
Why lose customers and prospects altogether or cause your brand reputational damage by failing to comply with Article 5 when there is a simple solution? The truth is that data accuracy is no longer a nice-to-have but a necessity – it is something you MUST do.
The law is changing and GDPR takes a far stricter stance on data accuracy than its predecessor, the Data Protection Act; in addition to potentially incurring the wrath of consumers, failure to comply could result in a substantial fine from the ICO.
In the last 12 months the majority of businesses, and the media, have continued to panic and focus their attention on the consent aspect of GDPR, but the ICO is very clear that all clauses carry the same importance and weight. Hoping for the best and assuming that the term ‘reasonable steps’ justifies taking no action is naïve at best and arrogance at worst. Investing in a solution that ensures that data is kept clean and up to date on a regular basis, or even in real-time with Data as a Service products, is most certainly a reasonable step.
Recent ICO guidance confirms that postal marketing can be conducted using the basis of Legitimate Interest (LI) under GDPR. This will undoubtedly result in many more brands incorporating direct mail into their marketing mix over the coming year. It has therefore never been more important to ensure that postal data is accurate and up to date.
By continuing to market to the previous address of individuals who have relocated, you are not only wasting marketing budget that could be better spent elsewhere, but also losing contact with a customer that may subsequently become lapsed. Furthermore, the current occupants of that property will be far less likely to engage with a brand that is inundating them with a previous-tenant’s post.
In a similar respect, failing to screen for deceased contacts in your database is a similar waste of marketing spend, but more importantly one that has the potential to cause undue distress to the families of those still being contacted. Why risk tarnishing your brand’s reputation? Equally, why risk incurring penalties from the ICO for non-compliance?
It is not too late to take the necessary steps to ensure you are GDPR ready in relation to Article 5. Keeping data accurate by removing and keeping track of gone aways and screening for deceased individuals will not only be complying with GDPR, but also boost the performance of marketing campaigns and save time, money and resources by not marketing to people who will not receive the communication. Where GDPR is concerned, the message is clear – CLEAN it or LOSE it.