“Do you still want to hear from us?”, “We don’t want to lose you!”, “Please don’t go!”. Sound familiar? Over the last few weeks we have been inundated with businesses and other organisations sending us increasingly panicked messages seeking consent to enable them to continue marketing. If you are anything like us, most of these messages end up in the trash without any action having been taken, which must mean that organisations are losing huge numbers from their marketing databases.
But are these messages really necessary? In many cases the answer may well be no. The General Data Protection Regulation (GDPR) does not place any new requirements on organisations to seek consent for marketing communications. The key requirements under GDPR remain the same as they were under the old regime: make sure you inform people that you will be marketing to them, ensure you have a legal basis to make the processing lawful and respect opt-outs.
In relation to legal basis, the recitals to the GDPR expressly state that legitimate interests can be relied upon for marketing, meaning that you do not have to rely on consent. So where has this panic about new consents come from?
The Privacy and Electronic Communications Regulations (PECR) require prior consent for electronic marketing, so perhaps the answer lies here. It is correct that if you are relying on consent under PECR, a GDPR standard of consent will be required going forward. Therefore, if your existing PECR consent does not meet GDPR requirements for “clear affirmative action” there is a need to obtain updated consent.
However, many organisations can take advantage of the “soft opt-in” exemption under PECR. This allows marketing to be carried out without prior consent where contact details have been obtained in the course of a sale or negotiations for a sale, an opt-out is provided and an organisation is solely promoting its own similar products and services. For most organisations this exemption covers the majority of their marketing database, meaning that new consents are not necessary.
So what is the moral of this tale? In our experience, a detailed analysis of the sources of your marketing database is key to determining what action is required. In many cases organisations do not have a clear audit trail of the basis upon which people have been added to their marketing database, making it difficult to know the standard of consent that has been obtained or whether the soft opt-in can be relied upon. Going forward, maintaining that audit trail will be crucial to enable compliance with both GDPR and PECR requirements.