In this blog, we break down the essentials of GDPR compliance for lead generation, focusing on what North American businesses need to know when targeting or engaging with individuals in the EU and UK. Whether your lead generation is managed in-house or through a third-party provider, understanding your obligations under European and UK data privacy laws is critical. Any personal data you collect from these regions must be processed lawfully, transparently, and securely.
Since the General Data Protection Regulation (GDPR) came into effect in 2018, marketing strategies have shifted markedly toward inbound methodologies. Attracting engagement from customers, rather than pursuing prospects directly, has become the modern standard. Tactics such as buying prospect lists, cold calling, and sending unsolicited emails have given way to a focus on valuable, engaging content and tailored experiences.
For the purposes of our discussion, we consider the EU GDPR and the UK GDPR under the same umbrella, focussing on the common aspects for businesses operating in the EU, the UK, or both. There are specific differences and nuances in the two pieces of legislation that are not covered here and may be applicable to your organization. For further advice, please speak to your Privacy Officer/Data Protection Officer.
Establishing a lawful basis under the GDPR
The General Data Protection Regulation (GDPR) provides the legal framework for the collection, processing, and storage of personal data of individuals in the EU (with the UK GDPR applying to individuals in the UK).
North American organizations must establish an appropriate lawful basis for processing personal data of EU and UK individuals. This means that before collecting any personal data, you must first identify and document the lawful basis for doing so.
There are six lawful bases under the GDPR:
Consent – where an individual has given consent for their personal data to be processed
Legitimate Interests – where the processing is necessary for the legitimate interests of a business, organization or third party, unless those interests are overridden by the interests, rights and freedoms of the individual
Contract – where the processing is necessary for the performance of a contract a business or organization has with an individual
Legal Obligation – where the processing is necessary for a business or organization to comply with the law
Vital Interests – where the processing is necessary to protect someone’s life
Public Task – where the processing is necessary for the performance of a task in the public interest or for official functions, and the task or function has a clear basis in the law
After determining a lawful basis, you must document it and ensure the information is clearly stated in your privacy policy and privacy notice.
Choosing the most appropriate lawful basis is essential, as it is difficult to change later without good reason. The lawful bases commonly used for processing personal data for marketing and lead generation purposes are consent and legitimate interests. For certain types of marketing activities, consent is the only appropriate lawful basis to use. A data protection officer (DPO) can provide guidance on the most suitable lawful basis for your personal data processing.
ePrivacy Directive and PECR
In addition to the GDPR, North American businesses undertaking digital marketing and lead generation activities in the EU and/or UK must also comply with regulations governing electronic communications, cookies, and tracking technologies.
The EU’s ePrivacy Directive, often referred to as the ‘cookie law’, covers key areas related to electronic communications and privacy, including consent for cookies and marketing communications.
The UK’s Privacy and Electronic Communications Regulations (PECR) set out the rules and requirements for electronic communications and privacy within the UK. The legislation is the UK’s implementation of the EU’s ePrivacy Directive, and it sits alongside the UK GDPR.
Privacy rules for electronic communications
The ePrivacy Directive and PECR have specific standards that apply when processing the personal data of individuals in the EU and UK through electronic communications and other marketing tactics.
You must:
- Obtain consent before sending unsolicited marketing by electronic means, such as email or SMS (the limited ‘soft opt-in’ for your own existing customers is the only exception)
- Provide clear and transparent information about how the personal data will be used
- Collect only the personal data that is necessary
- Obtain consent before placing non-essential cookies on a user’s device
- Provide an easy way to opt-out
Understanding consent
Consent is a fundamental aspect of data privacy law. The GDPR defines consent as:
any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. – Article 4(11)
In certain situations, or for specific processing activities, consent is the only lawful basis that can be used.
Consent is also mandated by the ePrivacy Directive and PECR, where the use of cookies, tracking pixels, web beacons, and other similar technologies are used to collect personal data for online advertising and targeting.
Consider this example: How CompanyX reaches potential customers
CompanyX wants to connect with website visitors who have not yet made a purchase. A tracking pixel from a social media provider is integrated onto their website. The pixel tracks users after they have left the site, allowing CompanyX to display targeted ads for their products when that user visits other websites.
This strategy falls under the ePrivacy Directive and PECR and requires consent. Both use the definition of consent found within the GDPR (above).
How to obtain consent
Where consent is your lawful basis, the GDPR sets a high standard: it must be a clear, affirmative act by the individual. Lead generation tactics such as pre-ticked boxes, implied consent, or bundling consent in with other actions do not meet that standard and are no longer allowed.
Here is a breakdown of the factors required for obtaining consent under the GDPR:
Freely given: Consent must be given voluntarily, without coercion or manipulation. It should be a genuine choice for the individual, not forced.
Specific: Consent must be tied to the exact purpose. Individuals should be informed what their personal data will be used for, and their agreement limited to that specific use. When processing has multiple purposes, consent must be obtained for all of them.
Informed: Individuals must be given information about the processing of their personal data before giving consent. This includes knowing what data will be collected, who is collecting it, why, how long it will be kept, and any other relevant details.
Unambiguous: There must be no doubt that the individual intended to consent, so the request itself should be clear, prominent and written in plain language.
Indication of wishes: Consent must be given through an affirmative action, including written, electronic, and oral statements. For example, a tick box on a website or a written consent form. Pre-ticked boxes or inactivity do not constitute consent.
Withdrawable: Individuals who change their mind have the right to withdraw their consent at any time. The withdrawal process must be as easy as giving consent.
How to collect, record and manage consent
In line with the GDPR’s accountability principle, which states that organizations must take responsibility for what they do with personal data, there is a requirement to evidence the process of obtaining consent.
This means that in addition to securing permission from an individual to process their data, you also need to keep records and evidence the process.
Let’s look at the critical aspects of consent management a little closer and the details you should document:
Who consented: The name of the individual or other identifier (e.g. online username, session ID).
When they consented: A dated document or online records with a timestamp. For oral consent, a note with the time and date of the conversation.
What they were told at the time: A master copy of a document or data capture form containing their consent statement and a copy of the privacy notice or other privacy information, including version numbers and dates that match the date consent was given. For oral consent, your records should include a copy of the script used at that time.
How they consented: A copy of the relevant document or data capture form. For online consent, your records should include the data submitted and a timestamp to link it to the relevant data capture form. For oral consent, the whole conversation does not need to be recorded, only a note of the time the conversation took place.
Whether they have withdrawn consent: If so, when?
Review and refresh the consent process if anything changes. It is recommended that you consider updating consent every two years.
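To make the record-keeping above concrete, here is an added example (not code from the original post or from The DPO Centre) of a small consent register that stores the evidence listed above for each consent and answers the question a marketing system actually has to ask: do we currently hold valid consent from this person for this specific purpose? The class and field names are illustrative assumptions; the 730-day refresh window mirrors the two-year recommendation above and is a policy setting, not a legal deadline. The scenario in `demo()` is constructed.

```python
# Added example: consent register keeping who/when/what/how/withdrawal evidence
# and checking whether consent is currently valid for one named purpose.
# Names, fields and the 730-day refresh window are illustrative assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str       # who: email, username or session ID
    purpose: str          # what: one purpose per event, consent is purpose-specific
    granted: bool         # True = consent given, False = consent withdrawn
    at: datetime          # when: timezone-aware timestamp
    method: str           # how: "web_form", "oral", "paper"
    form_id: str          # which data-capture form or call script was used
    form_hash: str        # SHA-256 of the wording shown, tied to the master copy
    notice_version: str   # privacy notice version in force at the time


def fingerprint(text: str) -> str:
    """Hash the exact wording shown so a record can be matched to one form version."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


class ConsentRegister:
    def __init__(self, forms: dict[str, str], refresh_after: timedelta = timedelta(days=730)):
        self._forms = dict(forms)      # master copies: form_id -> wording shown to the individual
        self._events: list[ConsentEvent] = []
        self.refresh_after = refresh_after   # assumed policy: refresh consent every two years

    def record_consent(self, subject_id, purposes, at, method, form_id, notice_version,
                       affirmative_action=True):
        """Record a consent; refuse anything that would not meet the GDPR standard."""
        if not affirmative_action:
            raise ValueError("a pre-ticked box or inactivity is not consent")
        if form_id not in self._forms:
            raise KeyError(f"no master copy kept for form {form_id!r}")
        if not purposes:
            raise ValueError("consent must name at least one specific purpose")
        form_hash = fingerprint(self._forms[form_id])
        for purpose in purposes:       # one event per purpose: no bundling
            self._events.append(ConsentEvent(subject_id, purpose, True, at, method,
                                             form_id, form_hash, notice_version))

    def withdraw(self, subject_id, purpose, at, method="web_form"):
        """Withdrawal is appended as an event, so the history is never erased."""
        self._events.append(ConsentEvent(subject_id, purpose, False, at, method, "", "", ""))

    def latest(self, subject_id, purpose, now):
        events = [e for e in self._events
                  if e.subject_id == subject_id and e.purpose == purpose and e.at <= now]
        return max(events, key=lambda e: e.at) if events else None

    def has_valid_consent(self, subject_id, purpose, now):
        e = self.latest(subject_id, purpose, now)
        if e is None or not e.granted:
            return False                   # never consented, or has withdrawn
        if e.form_hash != fingerprint(self._forms.get(e.form_id, "")):
            return False                   # evidence no longer matches a master copy
        return now - e.at <= self.refresh_after   # stale consent should be refreshed first

    def evidence(self, subject_id, purpose, now):
        """What an auditor or the individual would be shown: the event plus the wording."""
        e = self.latest(subject_id, purpose, now)
        if e is None or not e.granted:
            return None
        return {"event": e, "form_text": self._forms[e.form_id]}


def demo():
    """Constructed scenario: consent, withdrawal, re-consent, stale consent, pre-ticked box."""
    register = ConsentRegister(forms={
        "signup-v3": "Tick to receive CompanyX product news by email. You can unsubscribe at any time.",
    })
    t0 = datetime(2024, 1, 10, 9, 30, tzinfo=timezone.utc)
    register.record_consent("person-a", ["email_marketing"], at=t0, method="web_form",
                            form_id="signup-v3", notice_version="2.1")
    out = {
        "granted": register.has_valid_consent("person-a", "email_marketing", t0 + timedelta(days=1)),
        "other_purpose": register.has_valid_consent("person-a", "ad_pixel", t0 + timedelta(days=1)),
        "before_consent": register.has_valid_consent("person-a", "email_marketing", t0 - timedelta(days=1)),
    }
    register.withdraw("person-a", "email_marketing", at=t0 + timedelta(days=30))
    out["after_withdrawal"] = register.has_valid_consent("person-a", "email_marketing", t0 + timedelta(days=31))
    register.record_consent("person-a", ["email_marketing"], at=t0 + timedelta(days=60), method="web_form",
                            form_id="signup-v3", notice_version="2.2")
    out["after_reconsent"] = register.has_valid_consent("person-a", "email_marketing", t0 + timedelta(days=61))
    out["stale"] = register.has_valid_consent("person-a", "email_marketing", t0 + timedelta(days=60 + 731))
    try:
        register.record_consent("person-b", ["email_marketing"], at=t0, method="web_form",
                                form_id="signup-v3", notice_version="2.1", affirmative_action=False)
        out["preticked_rejected"] = False
    except ValueError:
        out["preticked_rejected"] = True
    return out
```

The design choices follow the list above: consent is stored per purpose so a tick for email marketing never doubles as consent for a tracking pixel; the wording shown is hashed and tied to a retained master copy, so you can prove what the person was told; withdrawal is appended rather than overwriting, so the record shows both the original consent and when it ended.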
Relying on Legitimate Interests
The GDPR states that the processing of personal data for direct marketing purposes may be considered a valid reason or legitimate interest (GDPR Recital 47). However, as marketing is generally in the interests of the business, the validity of using legitimate interests as a lawful basis for processing data must be carefully considered, balancing any possible consequences for the individual.
A Legitimate Interests Assessment (LIA) is a useful tool that can be used to identify and consider this lawful basis as a possible justification for processing personal data under the GDPR.
An LIA is a three-part test:
- The purpose test (identify the legitimate interest)
- The necessity test (consider if the processing is necessary)
- The balancing test (consider the individual’s interests)
Legitimate interests is only available as a lawful basis where the interests you pursue are not overridden by the fundamental rights and freedoms of the individuals concerned. The focus is not on preventing every negative outcome or consequence, but on ensuring that any potential negative consequences are not excessive or out of proportion to the intended benefits or purposes. It’s about maintaining balance.
Consider this example: How CompanyX delivers personalised ads
When PersonA became a customer of CompanyX a year ago, they provided their email address for communication purposes. During the first communication, CompanyX informed PersonA of two key points: (i) their email address would be used to advertise similar CompanyX products on social media, and (ii) they had the right to object to this processing at any time.
CompanyX then added PersonA’s email address to its customer database and shared it with a social media provider. This collaboration allowed CompanyX to match its list of customer email addresses with those held by the social media provider. As a result, CompanyX gained the ability to precisely target and market similar products to PersonA via their social media feed.
This strategy falls under the GDPR and can rely on the lawful basis of legitimate interests.
Working with lead generation providers
Lead generation companies use a variety of marketing strategies to provide qualified leads that can potentially be turned into customers.
However, it is important to note that your data processing responsibilities remain and must be upheld, regardless of the use of a third-party service.
The GDPR makes a distinction between organizations and third parties by using the terms ‘data controller’ and ‘data processor’.
Data controller: This is a person or organization that decides how and why personal data is collected and used. Controllers have overall control over the data, therefore, the highest level of compliance responsibility.
Data processor: This is a person or organization that handles personal data on behalf of the controller. Processors are responsible for ensuring the data processing is in line with the instructions of the controller, in addition to other legal obligations, including notifying the controller in the event of a data breach.
Is your lead generation partner meeting GDPR requirements?
As a controller, it is important that you conduct due diligence on any third-party company you plan on using. You need to confirm the third-party’s compliance with the GDPR and any other relevant data privacy laws, such as the ePrivacy Directive and PECR, as detailed above.
It is vital that you ensure the outsourced lead generation company has sufficient technical and organizational measures in place to protect the personal data they are processing on your behalf.
For more detailed information about conducting due diligence on your data processors, read Vendor due diligence and GDPR compliance with 5 practical steps.
Summary
Lead generation is an important aspect of business growth, but it must be conducted in line with the relevant data privacy laws. For North American organizations handling the personal data of EU and UK individuals, these include the EU GDPR, UK GDPR, ePrivacy Directive, and PECR.
Before undertaking a lead generation strategy, it is essential that the correct measures are in place, including assigning the most appropriate lawful basis and ensuring the obligations and responsibilities as a data controller are understood and implemented.
By understanding and adhering to the relevant regulations, organizations can prevent any future non-compliance issues as well as strengthening customer trust, confidence, and engagement.
Confident customers lead to increased loyalty, which translates into becoming a more successful and sustainable business.
Visit The DPO Centre to find out how an outsourced data privacy service can support you in maximising marketing ROI while staying compliant with EU and UK data privacy laws.