GDPR: Double Opt-In May Not Be Required!

Paul Mackenzie of Ember Group introduces an new interpretation of the new GDPR compliance regulations which come into force in May.

Last week I read an interesting opinion piece, which explained that the much-discussed ‘double opt-in’ may not be required for those operating in a business-to-business capacity.

This appears to shine a new light on the matter, and it isn’t just any old ‘expert’ opinion either… it is based on a Queen’s Counsel interpretation of the regulations (as of 1st February 2018), obtained by CommuniGator, a leading marketing automation software provider.

In an attempt to add certainty and clarity for their customers, they tackle six of the key aspects of the regulation that appear to be causing the most debate.

Their answer to the double opt-in question, “Can I email data where I have no provable double opt-in statement?” makes for an interesting read, and I quote below, in summary format for brevity, from their document.

The Data Controller must be able to justify the sending of marketing email by reference to one of the “lawful processing conditions” set out in Article 6(1) GDPR.

Processing shall be lawful only if and to the extent that, at least one of the 6 reasons in Article 6(1) GDPR applies.

Point One (a) in the list: The data subject has given consent. (The proven methodology for demonstrating consent is running a (Double) Opt-In Process.)

However, for clients who have been using soft Opt-In and Opt-Out rules, we would like to draw your attention to Point 6 (f) in the list – Legitimate Interest.

A lawful processing condition for a Data Controller is that processing is necessary for the legitimate interests pursued by the Data Controller.

According to this Queen’s Counsel opinion, it is clear from article 6 that while consent is one basis on which the processing of personal data can be justified, it is not the only basis.

As regards the sending of direct marketing emails, the relevant processing condition could be either 6(1)(a) (consent) or condition 6(1)(f) (legitimate interest).

The GDPR expressly acknowledges that this is permissible. The last sentence of Recital 47 GDPR says:

“The processing of personal data for direct marketing purposes may be carried out for a legitimate interest.”

This appears to provide some welcome relief if you are struggling with the mechanics of obtaining a double opt-in from your database.

It doesn’t remove the overall need or logic to ensure those that you market to are opted in and are keen and willing to hear from you.