There has been some rather heated debate in the compliance arena as to whether you can rely on legitimate interests for fundraising. I recently read an interesting article by Tim Turner, of 2040, which debates this exact issue.
The thing is, I’m not sure why we’re still talking about this!
The Information Commissioner’s Office (ICO) has made their position perfectly clear: you need consent. There might be times when you want, and should, argue with the regulator. They aren’t infallible. However, on this issue, their interpretation of the law is absolutely correct. Also, if the ICO says “this is what we expect”, and they have already fined people for lack of transparency, lack of consent… It seems ludicrous to test them further.
Not convinced? Ok, let’s break it down.
Consent and legitimate interests are two of what we call (in the biz) “legitimising conditions”. That means, conditions under which it is legal to do something with personal data. For example, another legitimising condition would be “in line with another legal obligation”, which means you can use information about people to ensure you comply with Health & Safety, or equal opportunities law, for example.
“Legitimate interests” means something you want to do with personal data is in the legitimate interests of your business; therefore you don’t need the consent of the individual to use their data. And yes, it is in a charity’s best interest, their legitimate interests as an organisation, to raise money or promote their cause. Ok. We’ve established that might apply.
However, the Data Protection Act and GDPR say that the legitimate interests clause has to be balanced against the rights of the individual. Is the thing you’re doing likely to annoy, adversely affect, or disadvantage, the data subject? I think we can all agree that receiving calls, emails, and texts from organisations asking for money, or telling you all about their worthy cause, can be annoying. It might interrupt your quiet evening, take up a lot of your time, or clog up your inbox. You might even feel a little harassed if you got a lot of those sorts of communications from one, or a number, of organisations.
I don’t believe, and this is an opinion, that your interest as an organisation in asking people for money, or promoting your cause, outweighs an individual’s right to decide whether they want to receive those communications. Because those communications are, for most people, inherently annoying. Yes, your cause is very important. Yes, you’re helping people. That’s great. But you cannot trample all over my right to privacy in order to do so.
And there’s another, much better, reason why I don’t believe legitimate interests can ever apply.
The Privacy & Electronic Communications Regulation 2003 (PECR) sets out rules for, amongst other things, direct marketing. PECR clearly says that direct marketing requires consent.
Setting aside, for a moment, the murky land of consent mechanisms: how you get consent, what is good consent, when you need to renew it…
What we can therefore establish from PECR is that we already had a law which says you need consent for direct marketing. This is not new.
The question then becomes, is fundraising a form of direct marketing? Because, if it is, we already have a law that says you must have consent (and therefore cannot rely on legitimate interests because you must have consent).
Here’s how the ICO defines direct marketing in their guidance:
Direct marketing is defined in section 11(3) of the Data Protection Act as: “the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals”. This covers all advertising or promotional material, including that promoting the aims or ideals of not-for-profit organisations – for example, it covers a charity or political party campaigning for support or funds.
Now, at no point will any legislation say “just FYI, this also applies to charity fundraising”. But the ICO interpret the Data Protection Act and PECR to mean that it does. So, are they right? Is fundraising the same thing as direct marketing?
Yes. Yes it is. And here’s how we know: the ICO’s definition has been challenged legally, and it has been upheld.
In 2005, the Scottish National Party appealed an Enforcement Notice from the ICO on the grounds of their definition of direct marketing. They said that direct marketing was not applicable to a political party, because they’re a not-for-profit organisation. That direct marketing rules only applied to commercial organisations. The Information Tribunal (like a court for information law) heard all the arguments, and sided with the Information Commissioner. The Tribunal said that the promotional activities (such as fundraising or communications) of a not-for-profit (charities, political parties) are direct marketing.
In their summation:
The Tribunal, in effect, prefers the legal arguments of the Respondent [Information Commissioner] in making this finding, in particular that the 2002 Privacy Directive, the DPA and the 2003 Regulations do not exclude from regulation the direct marketing of not for profit organisations such as political parties. [Tribunal Decision]
So, to recap: in order to undertake any sort of direct marketing activity, you need consent. Charity fundraising has been legally defined as a direct marketing activity. Therefore, you need consent. If you need consent, you cannot therefore rely on legitimate interests.
Why are we even still arguing about this?