New client data gathering from your website - what's legal?

In the past, it was commonplace to put information on your website which you knew people would want to have access to (for example, “top tips”, information about promotions you’re going to run or special offers, pet health resources, or whatever), and then ask for people’s email addresses, names, or in extreme cases phone number and address, before granting them access. Technically speaking, this is child’s play on a well-designed website - the user enters their email address, and once it’s accepted, the page opens to the material they want to read.

Thus, the public get “free” access to a valued resource, while the business gets to build their marketing database. Indeed, some businesses (even some veterinary practices) use similar techniques today. However, this becomes legally much more complex in the age of GDPR, as your data subjects have many more rights. While allowing people to sign up for a practice newsletter is fine, as soon as you start making anything conditional on them giving you their data, you’re in much trickier territory.

First, what is your legal basis for processing this data?

Under the GDPR you need to decide what your legal basis is for any data processing (we looked at this in this blog). For any direct marketing - which is, of course, the reason you’re gathering this data - it boils down to legitimate interest or consent. For emailing existing clients, legitimate interest is probably the best bet (see here for why).

However, if you’re asking for data in exchange for something you’re offering to the client, it is likely to be hard to justify the use of “legitimate interest” in the case of new potential customers. Not only will you struggle to pass the Three Part Test, but under Legitimate Interests, according to the PECR direct marketing is only permitted under certain, very limited conditions (that you obtained the details as part of a business negotiation, that you are marketing similar services or products, and that they have the opportunity to decline), which essentially negates the use of this strategy for lead generation.

For new client data gathering, consent bypasses this issue.

Consent

So, assuming you want to go down this route, you must ensure that the consent you’re getting is what you think it is - and that it is legal! Under the GDPR, consent must be:

  • Freely given

  • Obviously given

  • Given as a opt-in

  • Specific to the type of processing under consideration

  • Able to be freely revoked at any time

  • Unconnected from any other terms and conditions

It is this final point that is the issue. Recital 43 of the GDPR states that:

“Consent is presumed not to be freely given… if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance”.

This means that consent must be granular - a data subject must be able to “refuse consent without detriment” and give granular options for different types of processing (ICO) - so a client could opt-in to receive your newsletter, but not to receiving invitations to events, for example.

In this context, it means it is likely to be unlawful to require consent to marketing in exchange for access to particular pages on a website, a document or special offer code, for instance.

There are some theoretical situations where this would be legal; however, this appears to depend upon the incentive offered being a “side issue” not the primary reason for giving consent. This is a very fine line to walk!

In addition, it is a strict requirement when operating under Consent that the data subject can revoke that consent at any time - and this must be made clear to them at the time when they give consent. Such information must be in easily-understood language, and should not be hidden away deep within impenetrable terms and conditions.

Summary:

This is a legal minefield, and as yet there is no real case law. We would advise that you tread very cautiously and seek independent legal advice before going live with any service predicated upon exchanging personal data for access.

As experts in digital marketing, the team at VetHelpDirect can help you with your online campaigns, ensuring your marketing communications effective as well as compliant.