GDPR: Consent or Legitimate Interest?
Firms doing business with European companies are now only just over a month away from the implementation of the new General Data Protection Regulation (GDPR). We discussed everything marketers need to know about the GDPR at length in an earlier post — while the legislation itself is hundreds of pages, it amounts to eight key principles and rights for internet users, which will apply to marketers all around the world.
As we discussed, too many firms don’t realise what steps they will have to implement in order to comply with the GDPR, and many aren’t even aware that stiff penalties can be imposed in cases of non-compliance. One of the most important aspects of the new legislation revolves around the issue of consent and opting-in.
Within the new GDPR regulation, B2B marketers have two options when it comes to managing customer data:
- requested consent
- legitimate interest
As far as compliance with the GDPR goes, requested consent is the most obvious and clear-cut method, but it is not always the best one to use. Both options have benefits and drawbacks for B2B marketers, so let’s take a closer look at these options and see when and why you would use one or the other in a specific B2B marketing situation.
Article Four of the GDPR defines ‘consent’ as:
‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
What anyone should notice is how clear the GDPR’s language is in this case: consent must be freely given, specific, informed, unambiguous and affirmative. Later in the law’s text, it stipulates that “a clear affirmative action” rules out pre-selected boxes, inactivity, and other previously acceptable ways of making consent the default option.
In other words, the GDPR raises the bar for what constitutes consent. Users must make a conscious effort to opt-in, and this constitutes one of the major changes that the GDPR will impose on B2B marketers. In short, post-GDPR B2B marketing consent will need a lot more effort to remain above-board.
With B2C marketing, the EU makes matters even more complicated by mandating compliance with the Privacy and Electronic Communications Regulation (PECR). However, the good news is that the PECR does not apply to some categories of businesses, so GDPR B2B marketing consent compliance will be slightly easier.
The benefit of a clear request for consent is pretty simple: compliance with the GDPR. Offering an affirmative choice ensures that your firm is on the right side of the law.
The reason that so many firms force customers to opt-out of emails is that customers usually go with the default options. Most customers don’t enjoy reading extra material or fine-print at the end of their transactions, so firms sneak in an opt-out button. Unfortunately, affirmative consent regulations will rule out this practice, which means that opt-ins will likely drop considerably.
What to do
If you want to ensure GDPR compliance by requesting consent, work around the constraints. Simplify the opt-in page, so that your customers only have the one option, for instance, rather than a slew of check-boxes. Make your opt-in page more visually appealing. Provide a concise summary of benefits they will enjoy by opting in. With some smart design and copy, you can keep your opt-in offer enticing.
The legitimate interest dispensation differs from requested consent in some key ways. Of greatest interest to B2B firms may be this: as mentioned, the PECR applies less to B2B firms than it does to B2C, and since this is the case, B2B firms have greater leeway to invoke legitimate interest when doing business online. Legitimate interest may be the most expansive of the 6 legal options under which a B2B firm can choose to do business online.
The short version is that ‘legitimate interest’ refers to the fact that the GDPR allows firms to send materials if it is in the customer’s legitimate interest in order to complete an existing transaction. So emails purchased in bulk would obviously violate the GDPR. However, if you do business with a certification of GDPR compliance, you will know that such measures are out of the question. Commonly understood to fall within the remit of legitimate interest are things like sending marketing materials to existing customers, continuing an existing dialogue, and adding information to an existing transaction.
Legitimate interest is a more broadly defined category for B2B businesses, so you will have greater leeway in avoiding the pitfalls of requested consent.
While the legitimate interest dispensation is broad, there are limits. ‘Legitimate interest’, at this stage, is still a bit murky. Also, in addition to being legitimate, the communication must be necessary, and the definition of necessary is itself still a grey area. Third, businesses (even B2B ones) must attempt to strike a balance between the interests of the sender and the rights of the recipient. This means that there is a good deal of ambiguity.
What to do
Experiment with honing your legitimate interest in the weeks before the May 25th 2018 date when the GDPR goes into effect.
As always, contact us if you’re interested in fine-tuning your GDPR B2B marketing consent practices. Your business could depend on it.