The DPDI No.2 Bill (the “Bill”) overturns the Third Party direct marketing rules in relation to data subject’s consent that have applied for 40 years, ever since the DPA1984. This blog illustrates how Third Party marketeers will be able to lawfully rely on legitimate interest for such marketing.
For the purposes of this blog, the old ICO DPA1998 Guidance on the processing of personal data for a direct marketing purpose had a useful summary concerning the use of data subject’s consent. This summary is unchanged by the UK_GDPR, except that consent has to be obtained by an “opt-in”.
“Consent is central to the rules on direct marketing. Organisations will generally need an individual’s consent before they can send marketing texts, emails or faxes, make calls to a number registered with the TPS, or make any automated marketing calls under PECR.
They will also usually need consent to pass customer details on to another organisation under the first data protection principle. If they cannot demonstrate that they had valid consent, they may be subject to enforcement action.”
For convenience, I have modified this summary to highlight the proposed legislative changes in the Bill:
“Legitimate interests is central to the rules on direct marketing. It is best practice for organisations to provide an opt-out to an individual before they can send marketing texts or emails to their customers, or pass customer details on to another organisation for their marketing purposes.
In many circumstances, especially where personal data is collected from publicly available sources, the information concerning the opt-out can be sent with the first marketing message. Consent for a marketing purpose will only be required in exceptional circumstances (e.g. when using health personal data for a marketing purpose; sending an unsolicited email marketing message to a domestic email address).”
This blog explains how the Bill achieves the above.
Changes to the UK_GDPR
Direct marketeers prefer “opt-outs” for marketing (e.g. “tick the box if you don’t want marketing”); by contrast, European DP regulators insist that consent for the marketing purpose should be an “opt-in” (e.g. “tick the box if you want marketing”). As the lawful basis of “consent” requires an “opt-in”, it follows that the “legitimate interests” lawful basis, if used, can be satisfied with an “opt-out”.
This impasse has not been helped by the text of Recital 47 of the GDPR which supports claims for using “opt-out”. The Recital includes the statement that “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”.
So what does that “may” mean? Should that “may” be interpreted as allowing “legitimate interests” to be used only in “exceptional” circumstances (e.g. where obtaining data subject consent is impractical) or can legitimate interests apply in “most” circumstances (e.g. as an alternative to obtaining data subject consent)?
The data protection regulators prefer the former; the direct marketing lobby prefers the latter.
The Bill has no truck with this divergence of views. It has determined that the legitimate interests lawful basis is satisfied if the processing of personal data is for a marketing purpose. (See the proposed new Article 6(9) of the UK_GDPR).
In further detail, the lawful basis in Article 6(1)(f) [“…processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data…”] is satisfied if specific processing of personal data is designated as being “necessary for the purposes of a legitimate interest”.
Such designated processing includes “processing that is necessary for the purposes of direct marketing” (my emphasis on is). This “is” also means that no Legitimate Interest Assessment is required to balance the competing interests between controller or third party versus data subject. The matter has been resolved in favour of processing of personal data for the marketing purpose.
Note that the Bill does not limit the application of legitimate interests to a marketing purpose undertaken by the controller who first collected the personal data directly from the data subject. The provision is so generously drafted that it allows “necessary for the purposes of a legitimate interest” to apply to any Third Party marketing.
It follows that Third Party marketing can be legitimised by an opt-out, thus ending a four-decade requirement that a controller indulging in Third Party marketing has to obtain data subject consent for that Third Party marketing.
Recognise that controllers are going to use legitimate interests for their marketing wherever possible, as this lawful basis is devoid of all the consent baggage which protects data subjects (e.g. withdrawing consent must be as easy as giving it; evidence of consent must be kept).
Obtaining personal data from the data subject?
The rights and interests of the data subject as specified in A.6(1)(f) are the right to be informed about the marketing purpose (in A.13 and A.14) and the right to object to marketing (in A.21). These are taken into account by offering an opt-out in every marketing communication with the data subject.
In addition, if a controller is obtaining personal data directly from the data subject, this opt-out has also to be provided before or at the time of collection. This now includes any opt-out from any Third Party marketing purpose.
Fairness under the First Principle (of A.5) still requires the opt-out box to be prominently positioned but if the box is missed by a data subject, then the default position is that the data subject will be sent all controller (and any Third Party) marketing as described in the right to be informed/privacy notice, until the data subject reverses this position.
Finally in this section, those of you who fondly remember the DPA1984 and DPA1998 will look forward to re-engaging with the game of “Where’s Wally?”. The “Wally” in question is identifying the location of the opt-out box that one has to tick before completing the rest of the form.
Obtaining personal data from elsewhere
But what happens in other circumstances when the personal data are obtained not from the data subject? For example, suppose I trawl through an organisation’s public facing website picking up staff names and business email or postal addresses.
Usually, if one has the name of a member of staff (e.g. Fred Bloggs) and the workplace domain (e.g. domain.com), one can deduce a likely email address for each employee (e.g. fred.bloggs@domain.com).
Such email addresses are personal data but the PECR marketing rules do not apply as the addresses hoovered up (or generated) do not belong to individual subscribers.
As the personal data have been obtained from a source other than the data subject (e.g. from the company website), notification of the marketing purpose can be sent at same the time as the marketing message.
This is because Article 14(3)(b) states the controller can provide the right to be informed/privacy notice “at the latest at the time of the first communication to that data subject”. The first communication in this case being the marketing message plus the related opt-out details.
Hopefully the recipient of such an email at work will be diligent enough to find what these opt-out arrangements are. If the communication is deleted unread, then further legitimate interest marketing emails (including any unticked opt-out Third Party emails) will continue to arrive in the Inbox. Spam in the work-place is therefore set to increase.
Suppose another company wants to use home address personal data for a postal marketing purpose. So long as they do not collect the home addresses directly from the data subjects concerned, they too can indulge in informing the data subject and provide an opt-out with their first marketing communication. There again, if one fails to respond to the opt-out invitation, then such marketing will continue until one does so.
The Third Party opt-out rules will also apply to your home and work phone numbers, so I would consider putting them both on the Telephone Preference Service. However, if you sign up for a service, make sure you do not miss any associated opt-out of Third Party telemarketing.
If you miss it and return an unticked opt-out “approving” Third Party marketing, then TPS is unlikely to automatically save you from unsolicited telephone marketing: the missed Third Party opt-out could be enough to make those Third Party marketing calls legitimate.
No longer unfair
The old DPA1998 guidance stated that marketeers “… will also usually need consent to pass customer details on to another organisation under the first data protection principle”.
It is important to explain why this requirement will not apply with the Bill, as the ICO had previously employed an “unfair processing” argument to arrive at the requirement for data subject consent for Third Party marketing.
There are three main reasons why this approach does not work under the Bill:
- First, the legitimate interests lawful basis makes the processing for a Third Party marketing purpose unequivocally and explicitly lawful; the statement in new A.6(9) that the “processing that IS necessary for the purposes of direct marketing” makes sure of that. If Parliament has determined that processing for a Third Party marketing purpose IS lawful, any unfair processing is not going to make that processing also unlawful.
- Second, the A.14(3)(b) requirement to send the right to be informed/privacy notice at the time of first communication with the data subject is satisfied, and the right to object requirement is offered as an opt-out so all the relevant rights of data subjects are respected. Hence the processing cannot be unfair on these grounds.
- Third, the DPA1998 and DPA1984 had a statutory interpretation of fairness that is absent from the UK_GDPR, and the fairness arguments associated with the previous legislation did not have to deal with the statutory provisions described in the two previous bullets. In other words, the changes made by the Bill will negate or distinguish the relevance of previous Tribunal precedents on data subject consent for Third Party marketing.
In general, I think the issue of “fairness” will be reduced to procedural irregularities and issues such as the opt-out box not being in the correct location, not being prominent, or being in a small typeface, etc. Fairness, in my view, will no longer require prior consent unless the legislation itself demands consent (e.g. as in some limited email marketing under PECR).
Concluding comment
It is clear to me that the “legitimate interest” changes proposed by Government are a disaster; they risk a spammers’ charter. And that is before any consideration of the expansion of the “soft opt-in” (which really is an opt-out) for individual subscriber emails.
The Bill’s Third Party marketing proposals are either wholly careless or deliberate. If it is the former, one wonders what other horrors in the Bill have been carelessly drafted. If it is the latter, one wonders how much in donations has been promised to the ruling political party.
Data Protection Courses (Summer 2023)
An all-day Zoom workshop (10.00-4.30) on the Data Protection and Digital Information No 2 Bill will be held on Thursday 13 July 2023 and will hopefully include changes made during the Committee stage of the Bill. The fee will be £250+VAT. Email [email protected] for the workshop agenda or to reserve a place on this session.
The following BCS Practitioner or Foundation courses can be attended in person, or via Zoom, or as a mixture (i.e. part Zoom, part attendance just in case “stuff happens on the day”).
- The next Data Protection FOUNDATION Course is on Zoom only (June 20-22 2023, Tuesday to Thursday, 3 days: 45am to 5.00pm).
- The next Data Protection PRACTITIONER Course is in London on Monday, 24 July 2023 to Friday, 28 July 2023 (5 days: 9.30am to 5.30pm).
Full details on the new Amberhawk website (www.amberhawk.com) or obtained by emailing [email protected].