After GDPR, will an organisation who has sold a ticket be able to treat that purchase as tacit approval for future marketing?
The main and most important thing for this question is that organisations need to know what their legal basis is for processing information. They need to know if it’s consent and they need to know if it’s legitimate interest because that is going to depend on what you need to do.
If you’re relying on consent, then a soft opt-in isn’t an option. People have to make a definitive action. They have to tell you that yes, we want marketing, we want to hear more from you. If that is what you’re relying on now and that’s what you’re going to rely on moving forward, you need to look at your current consent process and say “is that compliant with GDPR?” If it is, you’re fine – you can keep marketing to them. If it’s not though you probably are going to go back and start looking at refreshing that consent.
When it comes down to legitimate interests, what’s really important is thinking about the relationship you have with that person. So it would be in your legitimate interest to send them marketing about similar events, but it’s important that they are similar events, especially when you think about the Privacy and Electronic Communications Regulation, because they say that if you’ve had a relationship with the individual beforehand, it’s okay to send them marketing on similar products. So if you are doing theatre workshops for kids, it might make sense that you are going to send that person marketing for a show like “The Singing Kettle” (I’m not sure if they’re still around anymore but that’s an example from my childhood) then you wouldn’t send them anything about Russell Howard, because Russell Howard is definitely – as funny as he is – not for children. If you’re relying on legitimate interests you need to make sure that whatever marketing you are sending out is relevant to the relationship you have to the individual.
Could you have both consent and legitimate interest with somebody? Does one trump the other?
Neither trumps the other. There is no one legal basis that is preferable or trumps another. Whatever your legal basis is, they all have the same gravity. It really comes down to what you are doing with that personal information. You could rely on consent for your marketing but then if you’re going to be doing some anonymous research looking at where people are coming from and getting an idea of what your market or audience is like. It would be in your legitimate interest to do that because you need to understand who your audience is so you can market appropriately. That would be a time when you would be using legitimate interest and consent because you are doing two different types of processing.
Whereas if it’s for the one process which is marketing you have to use one or the other. You are either using consent, in which case you’re making sure it’s GDPR compliant, or you’re relying on legitimate interests, in which case you need to make sure that any communications that you’re sending out are appropriate to the relationship and just be aware that individuals have the option to object to you processing that information for direct marketing.
Thanks to Alison Johnston and the ICO for taking the time to contribute to this video.
- Video production by Jack Perry, Culture Republic Marketing Assistant
- Interview by Ashley Smith Hammond, Culture Republic Content Producer
Watch on Vimeo.
This Culture Republic video is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.