“Active consent is not required under GDPR to communicate with customers,” argues Axel Tandberg, Sweden’s foremost digital privacy expert. “It’s even recommended not to classify customer communication under such category. Rather iGaming operators should rely on the Legitimate Interest legal ground, and adjust T&C’s and Privacy Policies accordingly.”
As May is approaching, many, if not all, companies in the iGaming industry are working towards GDPR compliance. Enteractive is taking Data Privacy very seriously and has for the past year worked relentlessly to ensure that we fulfil all requirements as a Data Processor.
During that process we’ve discovered that there is a widespread divergence of opinion on what GDPR means for communication with customers. Some, even legal professionals, argue that GDPR means that all iGaming operators (acting as Data Controllers) need to ask their end customers for active consent in order to send promotional e-mails, text messages or even call their customers by phone, for 1:1 conversations. Some Operators also seem to be preparing to do this not only for newly registered customers, but for their entire existing customer base, which in GDPR lingo is called “re-permissioning”.
Since player communication and retention is at the heart of what we do at Enteractive, we were surprised to see this development, especially since it was in contrast to our own research on the topic, and also what we’re seeing in other online industries. Therefore, we discussed this with some of the top leading privacy authorities and decided to publish our findings. First out is a PM written by Axel Tandberg, one of Sweden’s foremost digital privacy experts.
Legal basis for processing of personal data for marketing purposes in accordance with the GDPR
There is an incorrect belief that consent is required when processing all personal data in GDPR. This belief arose due to the fact that the original GDPR proposal was drafted by the EU Commission, whilst consent for processing was the preferred legal basis for processing data in the European Parliament. However, this has since been changed and is evident in the final draft of the GDPR. According to the final draft, there are six legal bases that are applicable. You will find them all in Article 6.1 of the GDPR, and they are as follows:
- Consent;
- Performance of a contract;
- Compliance with a legal obligation;
- Protecting the vital interests of the data subject;
- Performance of a task carried out in the public interest or in the exercise of official authority; and
- Legitimate Interest
All legal bases have the same “weight”, which means none is given a higher priority than another.
The first legal basis, Consent, has quite a few material risks and challenges associated with it:
The meaning of the legal basis Consent has actually been modified compared with how consent was defined in the Data Protection Directive (unambiguously given). In Article 4 (11) of the GDPR, consent is defined as a freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear confirmatory act, signifies agreement to the processing of personal data relating to him or her.
As an example of the meaning “specific”, the Article 29 Working Party (the Data Protection Authorities within the EU) has stated that a controller needs to specify the names of all third parties that you might want to share the data with.
Furthermore, Article 7 of the GDPR states that if an agreement is collected in writing which concerns other matters, the request of consent needs to be distinguished and set separately from the other matters. Consent may also not be made dependent upon the performance of an agreement or the provision of a service.
Finally, if consent should be withdrawn from the data subject for some reason, you may not use the data at all or even use the data in accordance with another legal ground.
Due to these circumstances, consent is a rather clumsy legal basis and it should therefore only be used very selectively and only when it is clearly required. And since there is no way for a controller to revoke data processing that has deemed the need for consent, the commercial risks of choosing consent can be significant, especially since it is at this point unclear exactly how authorities will interpret and apply the new regulations.
There are only four articles in the GDPR that require consent for the processing of personal data. These are articles 8-10 and 22 of the GDPR:
- Article 8 concerns consent of children using information society services
- Article 9 relates to the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or membership of trade unions and treatment of genetic data, biometric data to uniquely identify a natural person, health data or data on the sexual life of a natural person or sexual orientation.
- Article 10 concerns data relating to convictions.
- Article 22 declares that consent is needed if a decision is based solely on automated processing that produces a legal effect for the data subject.
So, there is no legal requirement in GDPR for the use of consent for the processing of personal data for marketing purposes.
When it comes to the processing of personal data for marketing or customer care purposes, such as product or campaign promotion, offerings or commercial customer communication through appropriate channels (e.g. email, phone or SMS), it is better to use Legitimate Interest as the legal ground for processing. Legitimate interest is the legal basis that allows an organization to use personal data as long as it has clearly informed the individual about what it intends to do with the data and whose legitimate interest the organization pursues (its own).
This information may be a part of general terms and conditions as long as they are easily found, under a heading of its own and not as the last paragraph. The legitimate interest as part of the terms and conditions can also be mandatory to accept in order to use your services, as long as a data subject can object to the use of his/her personal data for marketing purposes.
Furthermore, in Recital 47 of the GDPR it is stated that the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
But then again one might argue that there is a need for consent in order to send commercial information via e-mail. That is true, but that is not regulated in the GDPR, but in the e-Privacy Directive. However, the e-Privacy Directive also states that you have the right to send commercial information via e-mail to subjects from whom you have obtained their personal data in the context of a sale, also known as “Soft opt-in”. The requirements for the “soft opt-in” are that the data subject has been clearly informed that the personal data may be used for marketing purposes and that they have been given the chance to object to this use – which is very similar to the requirements that are found in the GDPR concerning the use of the legal basis legitimate interest.
As long as an organization clearly informs the data subject about how it intends to use the personal data it collects from a data subject, organisations should avoid using Consent as a legal basis. Instead the use of Legitimate Interests is recommended, as it will simplify matters for both the data subject and the organization regarding the handling of personal data, especially for marketing and sales purposes.
Senior Advisor – PrivacyWorks
Stockholm March 28, 2018
Prior to joining PrivacyWorks Axel Tandberg worked as Head of Governmental Affairs for FEDMA (the pan European Direct and Interactive Marketing Association) for five years (2000 – 2005) and Head of Legal Affairs at SWEDMA (the Swedish Direct and Data driven Marketing Association) for 12 years (2005 – 2017). Axel is as of 2017 a member of the Board of FEDMA.