Consent best practice: common questions and answers to typical scenarios
You probably already know by now that assuming consent from a pre-ticked box is not valid under GDPR, and you can probably work out that consent can't be obtained in return for something like wi-fi access or downloadable content, because consent given on those terms is not freely given.
Consent can be withdrawn at any time, and withdrawing it must be as easy as giving it, so the organisation must stop sending marketing to that customer as soon as consent has been withdrawn.
What does this mean in a practical sense?
In the two scenarios below I have asked questions based upon ensuring we are compliant with both GDPR and PECR.
Planning on running a campaign and using legitimate interest as your lawful basis?
1. Can you prove that you informed the data subject that you would use their data for marketing purposes, stating that you rely on legitimate interest to do so, for example in your privacy notice?
a. If your answer is No then, in order to meet principle 1 (lawfulness, fairness and transparency), you must inform the data subject that you consider marketing to be in your legitimate interest before you commence your campaign.
2. If Yes; did you collect the contact details in the course of a previous sale (or negotiation for a sale) of a product or service to that person, and is the product/service you are now marketing similar?
a. If your answer is No then PECR and GDPR prohibit you from using this data for electronic marketing without full opt-in consent.
3. If Yes; you may market to these customers/clients with this campaign (the PECR 'soft opt-in'); however, you must have given each person the opportunity to refuse marketing when you collected their details, and you must provide an opt-out in every message you send them.
Planning on running a campaign and using consent as your legal basis?
1. Can you prove that each data subject gave valid consent to receive marketing from you (freely given, specific, informed and unambiguous, e.g. a box they ticked themselves), and can you show when and how that consent was given?
a. If your answer is No then you must remove this data subject from your campaign and consider if you can 're-consent' this individual (see below).
2. If Yes; you may include this data subject in your campaign; however, you must provide each person with the opportunity to refuse or opt out of marketing in every message you send them.
How do I re-consent my data subject?
You should review your pool of data subjects and look at the proof you have around consent. You will find you have three groups:
1. Individuals where you can prove consent was legal under GDPR terms.
2. Individuals where you have assumed consent (e.g. by having a pre-ticked box, or by treating silence or inactivity as agreement)
3. Individuals where you know consent was refused or withdrawn.
Group 1: This is good data. The individuals should not be surprised by your action as they have previously consented; moreover you will likely get a better return on your campaign as these individuals want to hear from you. You do not need to ask these individuals to consent again, but keep the evidence of their consent (what they agreed to, when, and how) so that you can still prove it later.
Group 2: This is NOT good data. You can't be sure that the individual actually wants to hear from you, as you weren't completely honest in your means of getting their data. From 25 May 2018 these individuals' data will need to be removed from your mailing list and you will no longer have a legal basis for marketing to them.
If you wish to keep these individuals, you must contact them and inform them that previously you assumed that they wanted marketing, and that they must now confirm that they do want to remain on your mailing list in order to continue receiving your offers. When doing this, you should not use any enticements or competitions etc., as this would not be giving the individual a free choice. If they do not respond, treat that as a No.
Group 3: This is bad data! You cannot use this data for marketing and you cannot write to these individuals to ask them to re-consent. You need to remove these people from your campaign list immediately, keeping only the minimum record needed to honour their refusal so that they are not added back later.
Can I use a bought-in mailing list?
You will be pleased to learn that GDPR doesn't stop you using a purchased mailing list, and you can do this under the lawful basis of consent. However, this is where the good news falls short. The list you purchased must be based upon consent, and this consent must have been obtained at the original point of collection by the data provider. It must also have been specific enough to tell the data subject that their details would be passed to third parties for marketing, naming your organisation or at least the specific type of organisation you are. In order for you to use this data you must:
- Obtain and retain evidence that the list was lawfully obtained (from your data provider), including what the data subjects were told and when they consented; and
- Send a privacy notice to everyone on your purchased list within one month of receiving it, or in your first communication with them if that is sooner (Article 14)
We would also recommend that you put in place a contract between you and your data provider which makes them liable for any sanctions you receive based upon the data being unlawfully obtained. This will no doubt increase your costs.
We have heard stories of data providers stating that 'data was collected from public sources, so it is OK'. Data collected in this way does not carry consent for marketing and the data subject has not been informed. You can also work out from the above that cold marketing to scraped or 'publicly sourced' lists must become a thing of the past, which is great news for us as data subjects.
So which is best, legitimate interest or consent?
Lawfully obtained consent, coupled with good management of your database(s), is undoubtedly compliant with GDPR and PECR. Your mailing list remains as current as you could possibly expect, and the people on it are warm leads, at least in the respect that they asked for the offers in the first place. Consent provides complete honesty to the individuals and gives them the opportunity to withdraw at any time. From a business perspective, you will most likely get a better response rate if you base your campaign on consent.