LawJaw

Do you need GDPR consent to send marketing emails to existing customers?

We are advising our members on the standard they must achieve if they wish to rely on consent as their lawful basis for utilising personal data for direct marketing purposes. Direct marketing being defined in the current Data Protection Act as “the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals”.  

As a reminder Article 6 of the GDPR sets out 6 lawful bases for processing personal data:

1.    Consent

2.    Necessary for a contract with the individual

3.    Necessary for compliance of a legal obligation

4.    Necessary to protect interest of the data subject or another natural person

5.    Necessary for a public interest task or official duty 

6.    Necessary for legitimate interests of the controller or a third party. 

While consent may seem the obvious basis for marketing activity, your pre-existing marketing databases may not meet the GDPR standard and so unless you want to do a Wetherspoons and scrap your entire marketing database, you will need to see if another base can apply. This is where ‘legitimate interests’ can come to your aid. 

We suspect ‘legitimate interest’ will be well used. The ICO will no doubt be making sure it is not overused.

So, what will work?

Recital 47 of the GDPR specifically states that “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”.  This is good news and could mean we can send out marketing under the lawful basis of legitimate interest. However, we need to balance this against the requirements of the Privacy and Electronic Communications Regulations (PECR) which deals with electronic marketing.

PECR Regulation 22 requires that a company needs consent to send a marketing email unless:

a.  the recipient is an existing customer or potential customer who has previously made an enquiry for a product or service 

b.   the direct marketing is in respect to similar products and services only; and

c.   the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and at the time of each subsequent communication.

So companies will need to meet the GDPR criteria for consent to marketing unless it meets the above PECR criteria which is known as the ‘soft opt-in’ rule. The ‘soft opt-in’ means you can send marketing to your existing customers about similar products as long as you offered them the opportunity to opt-out when you first collected their details and you offer them the same opt-out opportunity in every subsequent marketing communication.

So if you collected details from existing customers and had an opt out option, this marketing can continue under GDPR (using legitimate interest as the basis). But, you must comply with Article 21 of GDPR which gives customers the ‘right to object’ at any point. 

So, if you are a service and repair garage and you email existing customers prior to the anniversary of their car service to give them details of prices, then as long as you gave them the opportunity to opt-out when you took their details and state clearly in the email that they can opt-out at any time, you will be fine to continue emailing them every year. The same will apply if you send those customers details of similar services such as winter checks or MOT deals. Your GDPR lawful basis for processing is then legitimate interests (not consent as there is no opt-in, only an opt-out). 

However, if you haven’t been following the law in regard to email marketing already, then you are likely to need to start again and get consent when the customer first makes contact.  

 

Edited by LawJaw


In common with many small used car dealers / service / MOT stations we are grappling with how best to deal with GDPR and our existing customer database. Typically we contact our customers to inform them that their MOT and/or service is due within a few weeks.

Am I correct in my understanding that sending out such reminders by letter, email or text is deemed as marketing and therefore covered by GDPR and as such can only be done with the opt in agreement of the customer? If we do not have such express documented agreement we should not send out such reminders. Are we therefore in danger of losing contact with our existing customers if we cannot contact those for whom we currently do not have a valid opt in?

As an alternative, could it be claimed that we have a duty of care to remind our customers that their MOT and/or service is due and if we do not include an offer to carry out the work in our communication then we would not be breaching the GDPR?

 

 

Edited by Spratleys
To add clarity to my question / thoughts


Welcome to the forum. We will be hosting a session at CDX in May on GDPR and explaining what dealers need to do to ensure they comply, well worth you registering for tickets and coming along as it's free and you'll be able to chat to Lawgistics directly too.

In simple terms, there is still some debate on the MOT piece, if it's considered a safety related communication it may be ok to send, but if it's considered as marketing your services then you will need to get the customers' agreement. It's likely to be viewed as the latter and to be safe you should consider contacting your customers now who have not opted in and ask them for permission to continue to contact them.

  • Like 1


We are pleased to note that the ICO have now produced a document Legitimate Interests which confirms what we at Lawgistics have been saying for many months and that is that legitimate interest is a business friendly ground for processing data.

As we have previously advised, businesses do not need to jump through the consent hoops and reviews to continue to market to existing customers.  To reiterate, garages can continue to send MOT reminders to their customer base as long as they offer the customer the option to opt out in every email or text. Further, it is absolutely fine to take a customer’s details and call them back – no separate consent is required, the customer has called you and so is expecting a call back.

The trick to staying on the right side of legitimate interest is to consider the 3 part test which in plain English requires you to consider: 

  • why do you want to process the data in question?
     
  • will processing the data help you achieve your purpose and is there a less intrusive way to achieve it?
     
  • would the data subject reasonably expect you to be using their data in this way?

As examples:

An employer may ask for next of kin details from their employee so they know who to contact in an emergency. There is no need to ask the individual next of kin for their consent to hold their personal data as it is not unreasonable for such details to be held for health and safety reasons. There is no less intrusive way to be able to contact a relative after an emergency, the impact is minimal and only the Line Manager and Directors will have the details. 

A car dealer has a problem customer and seeks help from Lawgistics. The car dealer is entitled to seek specialist legal advice and only provides the customer data relative to the case. It is entirely reasonable for a business to seek advice and the customer’s details are looked after by Lawgistics who are GDPR compliant meaning there is minimal risk to the customer (except that they are likely to lose their case of course!). 

The key is giving the matter some thought. If it can reasonably be justified, then legitimate interest is your ground of choice – much less hassle and for marketing to existing customers, more likely to keep your marketing list alive as asking for consent may well end up with a limited response.

So in summary, legitimate interest is your friend but like all good friendships, it shouldn’t be abused.  

Edited by LawJaw
  • Like 2

