Marketing lists can be compiled in different ways, and vary widely in quality. A good marketing list will be up to date, accurate, and reliably record specific consent for marketing. However, other lists may be out of date, inaccurate, and contain details of people who have not consented to their information being used or disclosed for marketing purposes. Using such a list is likely to result in a breach of both the GDPR and the e-Privacy Directive.
There is a wide range of sources for marketing leads. These might include public directories, previous customers, and people who have sent an email, registered on a website, subscribed to offers or alerts, downloaded a mobile app, entered a competition, used a price-comparison site to get a quote, or provided their details in any other way. An organisation may be able to legitimately use these sources, but must ensure that it complies with the GDPR – and in particular that it acts fairly and lawfully – whenever and however it collects personal data. This also applies to list brokers and lead generation firms. Whether an organisation is collecting personal data for its own use, or to sell marketing leads on to others, it must always act fairly and lawfully.
If collecting contact details directly from individuals, an organisation should provide a privacy notice explaining clearly that it intends to use those details for marketing purposes. Organisations must not conceal or misrepresent their purpose (e.g. as a survey or competition entry) if they also intend to use the details for marketing purposes. And if they intend to sell or disclose the details to other organisations, the privacy notice should make this very clear, and get the person’s specific consent for this. Organisations should also get specific consent at this stage for any marketing texts, emails or automated calls.
Organisations cannot escape their obligations by asking existing contacts to provide contact details for their friends and family. Organisations must still act fairly and lawfully, and cannot assume that the contact will act in the other person’s best interests – especially if there are incentives for providing the information. This type of viral marketing is strongly advised against, as it will be difficult to be sure that the necessary consent exists to comply with obligations under the GDPR.
The content herein is provided for your convenience and does not constitute legal advice.
Compliance Technology Solutions B.V. 2018