The ASA/CAP have released a post called: Using consumers’ data for marketing – Consent and legitimate interest. I have enclosed the text of the link below, but please have a look at the ASA/CAP site as there are lots of things of interest to anyone with an interest in Ethical Marketing.
If you haven’t received consent from a consumer, you don’t have a valid ‘legitimate interest’ for using their data and you don’t have another legal basis to rely on, you’re likely to breach the rules in Section 10 if you send them a marketing communication.
This guidance explains the rules and how to make sure you don’t break them.
Consent or legitimate interest?
When collecting and using consumers’ data for marketing, the most common legal basis is either ‘consent’ or ‘legitimate interest’. Other narrow grounds for processing or limited exemptions set out in the regulations (GDPR) may be available to marketers, but if you want to rely on them you would need to be able to readily explain to the ASA how they are applicable. Since these rules are based on legislation, you could also face enforcement action from the Information Commissioner’s Office (ICO) if you break them.
What counts as consent?
There are several criteria that need to be met if you’re using people’s data on the basis of consent (these are outlined in the ‘Definitions’ in Section 10):
- First, the consent needs to have been freely given. If you offer something (e.g. a prize, or entry into a promotion) in exchange for consent, or if consumers are prevented from accessing a product or opportunity unless they give their consent, the ASA is unlikely to accept that it was ‘freely given’.
- Consent also needs to be specific, informed and unambiguous. If consent to receive advertising messages is bundled in with other T&Cs, or is explained in a vague way, it’s unlikely to count as genuine consent. So it needs to be separated and clearly explained.
- Finally, consent needs to be given through a clear affirmative action. This means that you should give consumers a means of giving consent through a positive action such as clicking a ‘tick box’. As explained above, this ‘tick box’ (or equivalent) should relate specifically to consent to receive marketing communications, rather than this being bundled in with other T&Cs. If consent isn’t given through an active gesture (e.g. if the ‘tick box’ is pre-ticked, so that consumers would have to actively un-tick it to withdraw their consent), this is unlikely to comply with the rules in Section 10.
When processing the data of under-13s for marketing purposes, marketers are likely to need the consent of a parent or guardian, and should hold some form of evidence to verify that they’ve received it (Code rule 10.15).
When can you use your ‘legitimate interest’?
If you’re intending to use the data to send messages by “electronic mail”, you can’t rely on legitimate interest – you need consent or to have obtained the contact details from a previous sale and be marketing a similar product. ‘Electronic mail’ doesn’t just mean e-mail. It could be any type of text, voice, sound or image message sent over electronic media. If you’re unsure whether your marketing message counts as electronic mail, we advise consulting this guidance from the ICO or seeking legal advice.
If the ads won’t be sent through “electronic mail”, data can also be processed if the marketer has a ‘legitimate interest’ in doing so. Advertisers should seek legal advice to make sure their data-processing is based on a valid ‘legitimate interest’ (Code rule 10.2.3). If it is, it’s important to remember that ‘legitimate interests’ don’t override consumers’ right to privacy, and they need to be given the opportunity to object to their data being used (10.5). They should be informed of their right to do so when they are first contacted, and this should be stated clearly and separately from any other material in the message (10.13).