Explicit consent required

Elizabeth Denham, head of the ICO, has recently given a speech to the Direct Marketing Association setting out her latest thinking on GDPR. In particular, she says that claiming legitimate business interest will be limited and that companies should instead rely on obtaining unambiguous consent.

She says in her speech: “Until the e-privacy regulation comes into force, PECR will sit alongside the GDPR.

“That means electronic marketing will require consent. Yes, there is potential to use legitimate interests as a legal basis for processing in some circumstances, but you must be confident that you can rely on it.

“It seems to me that a lot of energy and effort is being spent on trying to find a way to avoid consent. That energy and effort would be much better spent establishing informed, active, unambiguous consent.

“You say you will lose customers. I say you will have better engagement with them and be better able to direct more targeted marketing to them. You will have complete confidence that your customers have given informed consent.”

Clearly, for those organisations that have decided to assert ‘legitimate business interest’ to justify using the personal data they hold for direct marketing purposes, it will be important to reconsider this decision in the light of this strong steer from the ICO. Exceptions to this requirement for consent currently exist, for example the soft opt-in, where a data subject is an existing customer or in negotiations. There is also an exception for B2B marketing where contact is made with an individual who is representing his or her business (and not himself or herself personally). How some of these exceptions will fare under the new e-privacy regulation remains to be seen. For the majority of businesses that are asserting legitimate interests as their basis for electronic marketing to their B2C customers, however, the ICO’s statement makes it clear that this is unlikely to receive support from the regulator in the event of a data breach or in the event of customer complaints and access requests.