The Information Commissioner’s Office has rubbish claims that it will not be issuing guidance on how companies can use so-called “legitimate interests” to gain consent for marketing data under the EU General Data Protection Regulation, insisting it will be included in its final consent guidelines.
There is nothing new about the “legitimate interests” concept; it is already included in the UK Data Protection Act; however, the GDPR now includes an explicit mention of direct marketing as a legitimate interest.
Put simply it means that there will be times where companies will not need to ask for consent to collect, store, use, disclose, process, destroy or otherwise “process” personal information.
The DMA quotes the following example: “During an online purchase you have to provide contact, payment and address information, and the seller will have to record your transaction. It would be unnecessarily obstructive, annoying and off-putting for the seller to have to explain this and to obtain a record that the purchaser understood and agreed to this data collection and use.”
It adds: “Of course there may be an option to use third-party payment services, sign up for an account, save details, sign up to marketing and more. But some basic information is necessary to fulfil a transaction, and is both “legitimate”, expected and should not be obstructed by a consent statement.”
Whether this will be sufficient consent for marketing, however, remains to be seen.
The DMA has been urging the ICO to provide help on the issue ever since it launched its draft consultation on consent, but has so far drawn a blank, leading to last month’s decision to join forces with ISBA, the Data Protection Network and cross-sector data protection specialists in an effort to produce their own guidance for marketers.
At the time, DMA managing director Rachel Aldighieri said: “Specifics for using legitimate interest are currently conspicuous by their absence from the ICO’s guidance. Marketers need to know the ‘how, when and why’ of legitimate interests as a legal basis for contacting potential customers so they can better understand and better prepare their businesses to operate properly and compliantly under the GDPR from May 2018.
“The Information Commissioner Elizabeth Denham said she wants to work with industry to develop practical guides, which is why the DMA joined the Data Protection Network’s legitimate interests working party to work with the ICO and draft practical guides to help the industry.”
In response, the ICO’s head of corporate affairs Robert Parker told Decision Marketing: “It’s not correct to say the ICO will not be issuing guidance on legitimate interest – because we will be.”
Industry on alert over third-party data legal crackdown
DMA joins forces in bid to demystify legitimate interests
GDPR consent updates spark chilling warning to brands
GDPR compensation to dwarf £30bn bill for PPI claims
Half of all firms still not compliant with 1998 data laws
Data compensation claims ‘could run into millions’