In general, in the EU and UK there are two main laws that govern the processing of personal data for marketing purposes – the GDPR and the ePrivacy Directive.The GDPR applies to most electronic marketing activities, as these will involve some use of personal data (eg. name, email address). However, specific rules on electronic marketing are found in Directive 2002/58/EC (the ePrivacy Directive) including circumstances in which consent must be obtained. The ePrivacy Directive takes precedence over GDPR when it comes to direct marketing, meaning that if consent is required under the ePrivacy Directive and the company has not got the necessary consent, they cannot process this data for direct marketing purposes.In general, the ePrivacy Directive always requires consent to process personal data for electronic marketing purposes. However there is an exception, commonly called “the soft opt-in”, when consent is not required to send electronic marketing to existing customers provided the following conditions are met:
- The company collected the personal data directly from the customer in the course of a sale
- The product or service that will be marketed to the customer is the company’s own product or service
- The product or service that will be marketed to the customer is similar to the product/service the customer bought
- The customer was given a clear and easy way to refuse or opt-out of electronic marketing when their personal data was collected
- And finally the customer is given a clear and easy way to refuse or opt-out of electronic marketing in each following communication (e.g. unsubscribe link in an email)
Dataships optimizes marketing consent collection by using the above soft opt-in approach when all of the above conditions are met. When using the soft opt-in, consent is not collected and since processing of personal data for direct marketing purposes is not necessary for performance of a contract the legal basis that would apply for this processing is therefore the Legitimate Interest of the seller. Dataships provides a draft Legitimate Interest Assessment for customers in the Dataships Control Panel which they can review, update and sign. The assessment finds that this processing passes the 3 part test and does not override the rights and freedoms of the data subject. Guidance from data protection authorities specifically says that an organization's legitimate interest can be relied on for this processing (e.g. CNIL France see Irish DPC guidance on legal bases).