Privacy (and the GDPR in particular) is often criticised for being a brake on business. I don’t subscribe to that point of view, but I do want to sell my product. I’ve sold it to all the people in my network who want it, but I also want to sell it to people who I don’t know. 

So how do I send cold marketing emails to people in companies I’ve never met, or even spoken to?  

A bit of law

The law isn’t clear. However many guides the regulator publishes, too many people still don’t know the answer to this question. It’s something we’ve written about before.

Imagine I’ve found Sam Bloggs’ work email address on the internet and I’d like to tell her about my fantastic product. Sam has definitely not consented to me sending her an email. Sending Sam an email would amount to the processing of personal data (Sam’s email address) and I need a lawful basis for doing so. I can’t use consent because I don’t have it. The only lawful basis likely to be available to me is ‘legitimate interests’.

But what if I don’t just want to send an email to Sam? I want to send emails to hundreds, possibly thousands of people like Sam. I could compile a list of decision makers at similar companies myself but I was introduced to an agency called SoPro, which facilitates direct email marketing at scale. It sounded like a great idea but would I be breaking the law? 

More about legitimate interests

To rely on ‘legitimate interests’ I know I have to balance my interest in making money with the rights and freedoms of Sam and people like her. I need to be able to demonstrate that sending such an email to Sam is within her reasonable expectations and that it would not have an unacceptable privacy impact on her.

The Information Commissioner’s Office (ICO) recommends I apply a three part test:

1. Purpose test – why is Sam’s email address being processed, who benefits from that processing and why are those benefits important? Her email address is being processed so that I can send her direct marketing. My company benefits from that. I believe society benefits because by using my product, organisations are able to build, maintain and demonstrate a culture of continuous privacy compliance. Finally, the GDPR itself has what are called ‘recitals’, and Recital 47 states that processing for direct marketing purposes may be regarded as carried out for a legitimate interest.

2. Necessity test – is sending Sam an email necessary for direct marketing? I believe so. I could try to call her if I had her number, or send her a letter, but I think that would be more intrusive.

3. Balancing test – does the impact on Sam (potentially, she gets an email she is not interested in) override what I believe to be my legitimate interest in asking her whether she is interested in my product? I don’t think so. I am only sending emails to people like Sam who expect to be marketed to. Her work email address is not sensitive information, or private. Sending her an email has no significant impact on her and does not prevent her from exercising any of her rights. And I will mitigate any potential privacy impact by including an opt-out in my email.

How I show I have complied with the law

Under the GDPR’s accountability principle, it is no longer enough for companies like mine to say we comply with the law. We have to be able to demonstrate it.

I did this in two ways:

1. I carried out a ‘legitimate interests assessment’ based upon the template provided by the ICO on their website, which I saved in my Privacy Compliance Hub in case anybody ever wanted to see our level of compliance. I concluded I do have a legitimate interest in sending direct marketing emails and therefore a lawful basis for doing so.

2. I completed a screening questionnaire to establish whether a Data Protection Impact Assessment (DPIA) was necessary. I used the template we make available to clients of The Privacy Compliance Hub.

I decided that, taking a conservative, risk-averse view, we should complete a DPIA and that it would be good practice anyway. I stored it in my Privacy Compliance Hub and concluded that there was a very low risk to the rights and freedoms of individuals in carrying out the direct marketing campaign. We had also put in place all necessary protections.

What happened next?

The emails were sent out. Out of the 2,250 emails, we got two complaints. I’m not telling you how many customers we got, but suffice to say we learned a lot about direct marketing – both what works, as well as what doesn’t! And I feel confident that we can try it again in the future, without the risk of breaking the law. 

If you’d like advice on staying on the right side of privacy regulators, get in touch.