Like many privacy lawyers, I came to the field from an intellectual property law practice. Property rights are inherently territorial, so holding a patent or trademark in one country does not provide enforcement rights in another; one must register anew in each territory of interest. 

This is a bit of a stretch, I admit, but applying the consent basis to data processing has territorial implications, too. Unfortunately, the EU’s General Data Protection Regulation contains some ambiguity regarding the proper legal basis to choose for the purposes of direct marketing — the two leading options seem to be legitimate interest or consent. One must look not only to the law but also to custom and practice in each region of interest.

Consent vs. legitimate interest

Article 6 of the GDPR requires data controllers to have a lawful basis for data processing. Anyone following the IAPP Privacy List knows that one of the hottest debates raging is whether direct marketing communications can rely on a “legitimate interest” basis or must be based on explicit consent.

One of the lawful bases under Article 6 is when “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.” Recital 47 provides examples of “legitimate interest” when the data subject is a client of the controller, and explicitly states: “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” As a lawful basis, however, legitimate interest has some baggage. It is the only basis that is qualified by a balancing test, such that it may not be used when “overridden by the interests or fundamental rights and freedoms of the data subject.” One example of this given in Recital 47 is “where data subjects do not reasonably expect further processing.”

Due to ingrained “notice and choice” habits consistent with many direct marketing campaigns, efforts to generate new potential customers often already come with at least some form of notice that the consumers’ contact information will be used for marketing purposes. Anti-spam laws in the U.S. and Canada require that consumers be given an opportunity to opt out (unsubscribe) from marketing communications at any time. So, the notion that consent (at least opt-out consent) is customary, if not legally required, for direct marketing is already ingrained in many national laws and customs.

This suggests — and so do most comments on the Privacy List — that while it is tempting to rely on legitimate interest for direct marketing purposes, consent is likely the more appropriate basis, especially when generating new customer leads. (Legitimate interest may support offering new products and services to existing and long-term customers, if contract fulfillment isn’t the right fit.)

Opt-in and local customs

This question (or some form of it) has been vexing me, and the Privacy List: When launching a marketing campaign in the EU that offers something free in exchange for an email address, should the customer provide separate, opt-in consent for receiving future marketing messages? I lean toward “yes,” for two reasons.

One, as I read Article 7(4), it’s not okay to bundle consent for multiple discrete things. Consent for receiving marketing messages may not be considered “freely given” if it is bundled with consent to receive just the free thing by email. Two, it seems to me that, outside the U.S., anyway, consent is often separate for each processing activity as a matter of custom, if not law. For example, when I travelled to Canada recently, I noticed that agreeing to, say, the terms and conditions of a free Wi-Fi service in the airport had a separate tick box from consent for getting marketing updates from the Wi-Fi service and its partners.

In the U.S., these consents are often bundled together and may even be opt-out.

The IAPP has wise and generous members. I asked Gabe Maldoff, a Canada native and former IAPP Westin Center Research Fellow who is now an attorney at Bird & Bird in London, to weigh in on this question not just from a legal perspective but also as a matter of custom.

What do consumers expect? When doing business outside one’s home country it is crucial to meet cultural privacy preferences and not just the letter of the law. 

His answer is so thorough it bears publishing in full (with his consent, of course!):

The short answer is yes: You need to ask for consent to marketing separately from receiving the service. This usually needs to be opt in, but sometimes opt out will work as explained below.

In the U.K., you might be able to bundle it with accepting the service if the thing itself is solely for a marketing purpose. For example, if you're McDonald's and you have a competition for people to win free McDonald's swag, you could maybe argue that the email marketing and the competition are the same thing, especially if you're very clear that signing up for the competition will result in marketing emails. This will not fly in most EU member states and would be pushing the boundaries even under current U.K. law. Post-GDPR, this will become more challenging. And in terms of expectations, I think people do get annoyed (and often complain to regulators) when they have to sign up for marketing to get something else they want — especially the Germans and French. 

There's an exception that will let you rely on opt-out consent (subject to some small nuances of member state law). It applies if:

• The email address is obtained in the context of a sale of a good or service (Member State nuance: whether a free service counts is up for debate; also whether negotiation of a sale counts).

• The individual is clearly informed that her email will be used for marketing.

• The individual is given an opportunity to opt out at the time when she gives her email address.

• The marketing relates to a similar good or service. Important: The marketing must come from the same legal entity that sold the good or service (this doesn't work where you have multiple parties or cross-group marketing).

I think this is also aligned with expectations. If people sign up for something, I'd think they're okay with being prompted to opt out. If they don't opt out and accept the service, they would expect to get emails from the company they signed up with. They would not expect to get emails from 100 other companies that have nothing to do with that company. The group marketing part makes less sense, I think, because people tend to think about brands, not legal entities. But I guess the concept of a brand wouldn't translate easily into a bright line rule.

Segmenting the potential customer universe by geography allows marketing campaigns to respond to local legal requirements on consent and third-party sharing. From the organization’s perspective, bundling consent for future marketing messages with a lead generation campaign is the most efficient approach, and if it is legal and not counter-cultural (as is the case in the U.S.), then why limit the campaign to that market? Yet, it may be necessary to accommodate opt-in consent to receive marketing messages for potential customers throughout the EU.

To paraphrase from one Privacy List comment, global marketing campaigns are a thing of the past; the future for marketing is to “think and act regional.”