chrislynch.link

Experian’s GDPR violation leaves companies scrambling to understand ‘legitimate interest’

Experian have been hit with a massive GDPR fine by UK regulators after their primary line of defence, that they had a “legitimate interest” in contacting people who had not given their consent, crumbled.

Mailing lists are a great thing for marketers. A properly targeted, properly timed, well-written email can deliver a big response from customers. Regular emailing can also help brands remain “top of mind” with consumers, and analysis of responses to emails can be enormously informative.

What’s not to love, right?

Well, people don’t love having their inboxes stuffed daily with marketing messages and for every great email marketing campaign there are a hundred bad ones. Some email marketers simply work on bulk; sending lots of emails to a big list will almost inevitably bring some results, even if those results come at the cost of some unsubscribes from less interested customers.

It’s this “big list” approach that led to GDPR. Private contact details were being bought and sold online, through legitimate and illegitimate means, and any business could get into the email marketing game just by buying a list of people to contact.

Of course, sometimes there are very good reasons that a company might need to contact an individual without that individual being on their mailing list or having given their explicit consent to be contacted. You don’t, for example, have to give your explicit consent to receive an order confirmation email from a website that you order from. This is legitimate interest. You do have to give your consent, though, if that same website wants to send you some special offers at a later date, because there’s no legitimate interest here.

Legitimate interest is subjective and flexible, but easily understood. If the data subject should reasonably expect their data to be used in that way, then you have legitimate interest. Fairly easy to understand, right?

Despite this, businesses of all sizes have been hiding behind legitimate interest like kids watching their first episode of Doctor Who, peeping out only to send large amounts of email to people they claim to have a legitimate interest in contacting.

Experian is the first big scalp taken by the UK regulators as they seek to tidy up the interpretation of GDPR legislation and give it the teeth it was meant to have in cracking down on people misusing personal data.

Read more: https://www.scmagazine.com/home/security-news/experians-gdpr-violation-leaves-companies-scrambling-to-understand-legitimate-interest/