Using consumers’ data for marketing – Consent and legitimate interest

Sep 24th '20

If you haven’t received consent from a consumer, you don’t have a valid ‘legitimate interest’ for using their data and you don’t have another legal basis to rely on, you’re likely to breach the rules in Section 10 of the Committee of Advertising Practice (CAP) Code if you send them a marketing communication.


This guidance explains the rules and how to make sure you don’t break them.


Consent or legitimate interest?

When collecting and using consumers’ data for marketing, the most common legal basis is either ‘consent’ or ‘legitimate interest’.  Other narrow grounds for processing or limited exemptions set out in the regulations (General Data Protection Regulation (GDPR)) may be available to marketers, but if you want to rely on them you would need to be able to readily explain to the Advertising Standards Authority (ASA) how they are applicable.  Since these rules are based on legislation, you could also face enforcement action from the Information Commissioner’s Office (ICO) if you break them.


What counts as consent?

There are several criteria that need to be met if you’re using people’s data on the basis of consent (these are outlined in the ‘Definitions’ in Section 10):


  • First, the consent needs to have been freely given.  If you offer something (e.g. a prize, or entry into a promotion) in exchange for consent, or if consumers are prevented from accessing a product or opportunity unless they give their consent, the ASA is unlikely to accept that it was ‘freely given’.
  • Consent also needs to be specific, informed and unambiguous.  If consent to receive advertising messages is bundled in with other T&Cs, or is explained in a vague way, it’s unlikely to count as genuine consent.  So it needs to be separated and clearly explained.
  • Finally, consent needs to be given through a clear affirmative action.  This means that you should give consumers a means of giving consent through a positive action such as clicking a ‘tick box’.  As explained above, this ‘tick box’ (or equivalent) should relate specifically to consent to receive marketing communications, rather than this being bundled in with other T&Cs.  If consent isn’t given through an active gesture (e.g. if the ‘tick box’ is pre-ticked, so that consumers would have to actively un-tick it to withdraw their consent), this is unlikely to comply with the rules in Section 10.


When processing the data of under-13s for marketing purposes, marketers are likely to need the consent of a parent or guardian, and should hold some form of evidence to verify that they’ve received it (Code rule 10.15).


When can you use your ‘legitimate interest’?

If you’re intending to use the data to send messages by “electronic mail”, you can’t rely on legitimate interest – you need consent or to have obtained the contact details from a previous sale and be marketing a similar product.  ‘Electronic mail’ doesn’t just mean e-mail. It could be any type of text, voice, sound or image message sent over electronic media.  If you’re unsure whether your marketing message counts as electronic mail, we advise consulting this guidance from the ICO or seeking legal advice.


If the ads won’t be sent through “electronic mail”, data can also be processed if the marketer has a ‘legitimate interest’ in doing so.  Advertisers should seek legal advice to make sure their data-processing is based on a valid ‘legitimate interest’ (Code rule 10.2.3).  If it is, it’s important to remember that ‘legitimate interests’ don’t override consumers’ right to privacy, and they need to be given the opportunity to object to their data being used (10.5).  They should be informed of their right to do so when they are first contacted, and this should be stated clearly and separately from any other material in the message (10.13).


For further guidance on this topic, marketers are encouraged to contact the ICO for advice.

Source: CAP


How can we help?

At LS Consultancy, we provide cost-effective and timely pre-publication advice to make sure all your advertising and campaigns are compliant, clear and suitable for their purpose. We also provide GDPR Compliance Services for Small Businesses.


We are experts in Marketing and Compliance, and work with a range of firms to assist with improving their documents, processes and systems to mitigate any risk.


Contact us today for a chat or send us an email to find out how we can support you in meeting your current and future challenges with confidence.

