What do Tennis, Marketing, and Legitimate Interests have in common?
Merry Christmas to those of you who are celebrating.
You might be wondering why I am sending a newsletter today. I'm not. I wrote it a week ago. In the name of consistency, I have decided to send it on schedule. And for all of you who are not celebrating, I know you are jonesing to get this in your inbox, so.... you're welcome.
On today's agenda: a bit of myth-busting.
Every single workshop I run (I'm still waiting for the exception to this rule), the marketing teams have the same answer. Every single time.
Me: What is the legal basis for your various X activity? (no worries, at this point they understand what all that means)
The team - in unison: Consent.
I follow up with something like: Any alternative?
I ask a few more times.
But they are 100% certain: NO!
And this is a problem.
Why?
Because consent is the weakest legal basis you can use. It's the fallback – not the default.
Let's take a step back.
What is a legal basis?
When processing data (doing anything with the data such as collecting, storing, and anonymizing), you need a few things.
You need:
-> Purpose
-> Legal Basis
Purpose: You need to know your reason for collecting the data. The why?
why do we need this email?
why do we need to collect the credit card?
why do we need to store the sale information?
why do we need to hash the email?
Then, you (or your DPO/legal team) need to determine the legal basis for processing the data. The purpose helps you do this.
There are 6 legal bases you can use:
Consent
Contractual Necessity
Obligated by Law
Vital Interests
Public Interests
Legitimate Interests
Many of these won't apply to you, but consent is by far the weakest. It can be revoked, but it also needs to be obtained. It's a bit of a mess.
Since it's messy, people don't like to use it. But most marketers still do, as they think it's the only option.
But you have options. Most likely either contractual necessity or legitimate interests.
Legitimate interest is a big one. It can be used a lot and involves less drama than consent does.
It can be used for all sorts of things (but don’t forget you still need to comply with ePrivacy etc):
direct marketing
to prevent fraud
within the context of a client relationship
for network security
etc.
You do need to determine if there is a legitimate interest, but it can be used for a lot. To decide if you can use legitimate interests, you need to do the necessity and balancing test.
Ask yourself things like:
Would people expect you to use their details in this way?
What is the potential annoyance factor for unwanted marketing messages?
What effect might your chosen method of communication have on vulnerable individuals?
But let's get back to the Tennis Club.
They were based in the Netherlands. And they shared member data with some of their sponsors using legitimate interests as their legal basis. Now, I'm not going to argue for or against whether that was a good idea - nor does the case - let's focus on the drama.
The Dutch DPA claimed they were not allowed to use legitimate interest as their legal basis as they claimed you cannot use that when it comes to purely commercial interests. As you can imagine, a lot of people disagreed. But the DPA went full-on ahead with this until it went to the final judgment call at the CJEU. And the CJEU stated pretty clearly:
"...must be interpreted as meaning that the processing of personal data which consists in the disclosure, for consideration, of personal data of the members of a sports federation, in order to satisfy a commercial interest of the controller, may be regarded as necessary for the purposes of the legitimate interests pursued by that controller, within the meaning of that provision, only on condition that that processing is strictly necessary for the purposes of the legitimate interest in question and that, in the light of all the relevant circumstances, the interests or fundamental rights and freedoms of those members do not override that legitimate interest. While that provision does not require that such an interest be determined by law, it requires that the alleged legitimate interest be lawful."
Most in the legal field suspected it would go this way. Legitimate interest is okay (provided you tick all other boxes) for commercial purposes.
So back to my point.
Consent is weak. Yes, there are times you need to use it as it's your only option. But when you are determining, together with your legal team/DPO, what legal basis may be relevant, don't rule out legitimate interests and others.
Related Readings:
The ICO on legitimate interests.
WTF or FTW? (aka Siobhan’s take)
I don’t get the drama about this at all. Nowhere does it say or suggest that legit interest could not be used for commercial reasons or where you could make money. The only thing suggested is that it needs to be balanced and necessary. That is different. So let’s get over it and just stick to respecting our customers and treating them, and their data, as we would our own.
And - get past needing consent for everything. You don’t.
But don’t go putting legitimate interests on consent banners. OK? That’s a different thing. I’ll write about it one day. Sooner if you ask for it.