Personal data processed for direct marketing purposes relies mostly on “consent” (art. 6a) and “legitimate interest” (art. 6f). However, there is strong tendency in the market to suggest that consent is the only valid legal ground for the commercialization of data. Data trading companies will not be able to continue their activities if they are required to have consent to trade personal data without having the use of legitimate interest. Considering consent is the only legal ground to be allowed to process personal data would put a whole marketing sector, trading data, at risk.
Companies trading data (e.g. data service providers) are not necessarily consumer facing, in the sense that they do not offer the consumer products or services in a direct way. Therefore, collecting consent directly from the data subject is more challenging. Moreover, from experience we know that – even with an interesting offer for the consumer – at most 10% of the persons grant consent (simply because an active operation must be undertaken, e.g. by “clicking”).
According to a DMA study in 2012, integrated into an analysis by Deloitte concerning the economic impact of the GDPR, each euro invested in direct marketing generates between €8 and €21 additional turnover, so that the effect of direct marketing on the economy is to be multiplied considerably.
According to the aforementioned study by Deloitte, powered by Data Industry Platform, the reduction of “data driven” activities to “data driven activities based on consent” would have an impact of 1.34% on GDP and 1.30% on unemployment.
This will, in concrete terms, result in a significant drop in the amount of data available on the market for direct marketing. Companies will no longer have, except via worldwide internet players, sufficient data available for performing segmented prospect campaigns, nor for the correct cleaning up and adjusting of their databases.
Companies processing and trading data have a legitimate interest in performing this specific processing of personal data. They can also appeal to the legitimate interest of third parties (art. 6.1.f GDPR: “… the legitimate interests of those responsible for processing or of a third party …”).
Consent does not protect more than legitimate interest. Rather each legal basis has its advantages. Consent and legitimate interest are equally valid legal bases for data processing for direct marketing purposes. Consent is explicitly required by the GDPR for the processing of special categories of data, international data transfers and profiling with a legal or similarly significant effect. Therefore, for direct marketing purposes, organisations are free to choose between the use legitimate interest, respecting the conditions of necessity and balancing tests, or consent. Moreover, the GDPR states in recital 47 that direct marketing may be a valid legitimate interest. In this case, the data subject is empowered by a right to object to processing of personal data for direct marketing purposes, distinct from withdrawal of consent.
Everybody has by now understood that consent can be a barrier to the consumer experience and that the consumer does not always take the time to read the privacy notice, but rather consents automatically.
The conditions that are imposed so that the consent is deemed valid are less strict than the conditions linked to invoking legitimate interest as a legal ground. In addition to a high transparency towards the consumer, for whom the intended processing of the personal data must meet their “reasonable expectations”, the GDPR also imposes the obligation to perform a so-called “legitimate interest assessment”. In this assessment, the rights of those involved must be assessed against the interests of the company that processes the personal data. This way of working involves an important analysis of the pros and cons connected to the relevant processing for each of the parties. Such an analysis is not stipulated in the event of consent.
Legitimate interest is also about freedom to do business allowing the free choice of economic activities as included in art. 16 of the Charter of Fundamental Rights of the European Union (incidentally stated in the same chapter as the right to protection of personal data). This right is consequently considered a fundamental right at European level.
Personal details have been commercialized for many years and used by a broad range of organizations, both in a B2C (for communication to consumers) and B2B (for communication to businesses) context.
In fact, it is the emergence of the digital world and more specifically the growing impact of worldwide major internet players on the processing of personal data which is at the root of the need for clear guidelines and regulation. This in order to guard the consumer from losing control of their personal data. Tightening of European and local rules can be justified in this context.
The commercialization of personal data is a fully-fledged economic activity and has moreover worked for many years within the framework of the FEDMA code of conduct. Industry should be enabled to continue to perform their activity based on our legitimate interest in a way that is respectful towards the consumers.
Article by Ivan Vandermeersch