Marketing by opt-in, opt-out, consent or legitimate interest?

Consider your ABCs...

If a=b and b=c then it follows that a=c.

So, how does this set of simple equations relate to data protection? Well if direct marketeers, privacy advocates and supervisory authorities recognised that a=c then most of the debate concerning data protection and the marketing purpose would be settled.

Don’t believe me? Just follow the argument under the current Act (DPA) or indeed the General Data Protection Regulation (GDPR).

All across Europe (and especially the UK) there has been a debate about “opt-in” versus “opt-out” and whether “opt-out” properly represents “data subject consent” or not. There is no debate about “opt-in” because if the data subject misses the “opt-in” the default position is “no marketing” and an opt-in requires the data subject to perform an action by ticking the box.

This explains why the UK Commissioner refers to “opt-in consent” in the recent enforcement action against Age International and the British Red Cross (implying that “opt-out consent” is a different species).

This debate is set to continue when the GDPR comes into force. Most Data Protection authorities and privacy activists want “opt-in”; most controllers are very content with “opt-out”. Added to this divergence of views, the GDPR states in Recital 47 that direct marketing can be possible under the “legitimate interest” criteria whilst Recital 32 states that “pre-ticked boxes” cannot constitute data subject consent.

Also, Article 7 of the GDPR places the burden of proof on the data controller to show it has obtained valid data subject consent, and the definition of consent includes an “unambiguous indication of the data subject’s wishes”.

What does this mean in practice? I cannot see, for example, how a data subject can give an “unambiguous” indication of consent without being fully informed about the extent of any third party marketing and details about the third parties who are doing such marketing (and perhaps what types of products are being marketed).

This view is supported by the “Optical Express” Tribunal Decision (see references), which concerns third party marketing; it concluded that “when a data subject gives consent they must be informed about the processing to take place, including who by and what for. In no other way can consent be said to be ‘informed’” (para 85).

Anyway, all this debate is redundant if you follow the logic. Big claim! Worth the effort.

Marketing via consent: opt-in and opt-out

The following analysis applies to a data controller who obtains personal data from a data subject for a marketing purpose; it also applies to a third party marketeer who obtains information from a data controller who obtains personal data from the data subject.

Suppose the “b” in the set of equations above represents “data subject consent” (i.e. the Article 6 GDPR [or Schedule 2 DPA] ground normally used to legitimise the processing of personal data for a marketing purpose). I have used the word “normally”, as there are some circumstances where “legitimate interests” can apply as the legal basis for marketing (Recital 47 of the GDPR; I address “legitimate interests” later in the blog).

Suppose set{a} represents the group of actions needed to support the “opt-in” approach to obtaining consent; for example all the requirements that would make “tick the box if you want to be marketed by email [ ]” a valid representation of data subject consent (i.e. fully informed, freely given etc).

Similarly, let set{c} represent the group of actions associated with the “opt-out” approach to obtaining consent (i.e. “tick the box if you do NOT want to be marketed by email [ ]”). The objective of the exercise in this blog is to identify the members of set{c}.

First of all, consider the actions that are contained in set{a}. How would a controller get a data subject to consent on an application form or website which contained an “opt-in”? Would that “opt-in”:

  • be placed in an unmissable position in any form?
  • be in clear and plain language?
  • be inviting to the data subject in order to encourage agreement?
  • be in a large font size? etc etc

And would the content of the “opt-in” marketing message identify:

  • the mode of marketing (e.g. email, post)?
  • who is doing the marketing?
  • the extent of third party marketing if any?
  • the identity of any third parties (or description of third parties)?
  • how a data subject can withdraw consent? etc etc

I assume the answer to all the above would be “yes”. If so, all the above actions are members of set{a} and represent the valid consent of the data subject.

In a sense this is the a=b; if a data controller delivers on all the actions contained in set{a} it will have obtained valid consent of the data subject.

It could be that further members of set{a} need to be added in due course. For example, the evidence required by Article 7 of the GDPR that consent has been obtained. It does not matter really what these future members of set{a} are, except to say they would be added to the existing set{a} of actions that make up valid data subject consent.

We can now consider the members of set{c} (the “opt-out” approach to consent). What actions have to be undertaken by a controller to arrive at the same legal basis b (the consent of the data subject)? This is the c=b.

So if the actions associated with set{a} definitely equate to valid data subject consent, and the actions associated with set{c} have to relate to consent, the only way to do that is to equate the members of set{c} with the members of set{a}.

In other words, the “opt-out” version of consent has to be exactly the same as the “opt-in” version of consent except for the opt-out wording (i.e. “tick the box if you do NOT want to be marketed by email [   ]”).

So when enforcing the data protection rules, all the supervisory authority needs to do is ask itself “What are the members of the set{a} that provide valid consent of the data subject via opt-in?” (see above for my provisional list). Having identified the set of actions that constitute an opt-in approach to consent, the same set of actions has to apply to any opt-out version of consent.

If the sets of actions do not equate, then it follows that the opt-out approach cannot represent valid consent. In practice there might be minor deviations from the equality between the two sets; but not much in the way of deviation.

This is as simple as abc (i.e. if set{a}=consent and set{c}=consent it follows that set{a}=set{c}).

Marketing via legitimate interests

I now address the “legitimate interests” approach to show that it either does not apply or equates to consent when personal data are collected by a controller from the data subject. This conclusion also applies to the circumstances when a third party list provider obtains personal data from a controller who obtains personal data from a data subject.

First, assume the following proposition to be true: a data controller can process personal data collected from a data subject for a marketing purpose and that such processing is “necessary in the legitimate interests of the controller…”.

As is well known, the “legitimate interest” ground requires the controller to take account of “the legitimate interests of the data subject”. As there is an absolute right to object to the processing of personal data for a marketing purpose, this opportunity to object has to be offered at the time of collection when the personal data are being collected from the data subject by the collecting data controller.

This is reinforced by the fair processing requirements which state that the intended marketing purpose has to be identified to the data subject in advance of any processing.

As before, the data subject’s response to the controller’s offer of the right to object to marketing has to be by “opt-in” or “opt-out”.

So what are the members of set{d}, which represents the group of actions associated with the “opt-in” approach to respecting the rights of the data subject and offering the ability to object to marketing at the time of collection?

Would that “opt-in” approach to respecting the rights of data subjects to object:

  • be placed in an unmissable position in any form?
  • be in clear and plain language?
  • be inviting to the data subject in order to encourage agreement?
  • be in a large font size? etc etc

It does not take long to see that the members of set{d} are the same as set{a}. However, set{a} is associated with data subject consent and set{d} is associated with legitimate interests, and these are different grounds for the processing.

In mathematical terms this would be a contradiction. This in turn means that the proposition that a data controller can process personal data collected from a data subject and claim that such processing for a marketing purpose is “necessary in the legitimate interests of the controller…” is false.

Alternatively, one can state that in these circumstances (obtaining personal data from the data subject) there is no difference between “legitimate interests” and “consent of the data subject”.

It also follows that the use of the legitimate interests to justify the processing of personal data for a marketing purpose has to apply in rare circumstances (e.g. as in the British Gas Trading Enforcement (see references) where the data controller was in transition from a public sector monopoly to one of many private sector suppliers competing against each other).

Clearly legitimate interests can apply when personal data have not been collected from the data subject (e.g. email addresses placed in the public domain by the data subject). However, before whooping with joy, the PECR rules require prior consent for email marketing from each individual subscriber – so the legitimate interests ground will not apply.

In summary, those who rely on “legitimate interests” to justify marketing will need to demonstrate why the right to object to marketing could not be offered to data subjects at the time of collection of personal data and why data subject consent was inappropriate. If they can do this, any marketing communication also needs to offer the right to object to marketing in order to respect the data subject’s right to object.


Optical Express Tribunal: (PDF)

British Gas Trading Tribunal (under the DPA 1984): (PDF)

This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.
