The EU General Data Protection Regulation (GDPR) has been controversial and distracting for marketers in the UK, even before it came into force in May of this year. But could it also be an opportunity? And is there a more positive way to approach our marketing strategies under it, especially when running webinars?
Webinars represent a unique way to engage with your audience, and for many businesses this allows a different approach to be used when meeting GDPR requirements.
Within the GDPR guidelines, there are numerous valid lawful basises under which we’re allowed to process data (basically the regulation lays out the permitted instances in which businesses are allowed to collect and use contact data). However, in the world of webinars - particularly B2B - there are two main reasons we see our customers use consistently:
- legitimate interest
In this piece (as well as in our recent webinar) I want to outline why we can use legitimate interest when both running webinars and sending post-webinar marketing communications, and how consent can be used to expand your communications remit.
What are legitimate interest and consent?
The Information Commissioner's summary of when each of these reasons are appropriate is:
“You can rely on legitimate interests for marketing activities if you can show the way you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object to what you are doing – but only if you don’t need consent under PECR.
“Consent is appropriate if you can offer people real choice and control over how you use their data, and want to build their trust and engagement. But if you cannot offer a genuine choice, consent is not appropriate. If you would still process the personal data without consent, asking for consent is misleading and inherently unfair.
If you make consent a precondition of a service, it is unlikely to be the most appropriate lawful basis.”
For your specific organisation other reasons for collecting data may apply, but for our purposes we only want to share the areas in which we have real, tangible experience.
Note, we are a webinar platform provider and cannot advise you legally. The purpose of this blog is to share the practices we see used and to point you to what could be the right GDPR footing for your organisation’s webinar program. Only you will know the specific nuances of your business and therefore if this advice is appropriate.
Who attends your webinars and why?
Most webinars are run for business-to-business (B2B) communication and marketing. Therefore, the intended audience at the webinar is an employee of a business who wishes to gain industry knowledge and have the opportunity to interact with subject matter experts.
Let’s take look at this registration page. It clearly expresses the subject area that will be explored and what the knowledge that will be gained by attending the webinar. It’s also clear from that this is a B2B event.
- identify a legitimate interest;
- show that the processing is necessary to achieve it; and
- balance it against the individual’s interests, rights, and freedoms.
Again, every webinar is different but, in general, most will meet these criteria. This is important because businesses and marketing teams run webinars in some part to generate leads or at least stimulate leads. Being able to follow-up with additional emails after the webinar will likely also be a key goal.
Let’s run this test on a typical webinar scenario.
- Identifying a legitimate interest: the registrant completed a detailed registration form with information about the event, speakers, and subject. Given this page outlines the subject area of the webinar, then the registrant clearly has an interest.
- Show that the processing is necessary to achieve it:
- The attendee needs information to attend the webinar including scheduling information in their calendar. Basically, they can’t reliably attend the event without this, so processing is necessary.
- Future use of the data is more subjective, but typically we’ve seen with our customers, that as long communications remain on subject then legitimate interest can also apply. E.g. if I attend a webinar on, say, apples then I have a legitimate interest in that subject and email marketing material on a range of apple related subjects would be appropriate.
- Balance it against the individual’s interests, rights and freedoms: So in this scenario, we believe the webinar registrant works for a business, so it is their business email address we communicate with. This is a part of their job basically. We also have to consider that we have a full unsubscribe option which allows contacts to easily opt-out. And, importantly, we have a strict a time limit in place, so if they take no additional action we will remove them from all future communications.
Given this decision making process, legitimate interest does seem like an appropriate basis for data collection and communication. So, generally speaking, businesses that run webinars for their own communication and marketing purposes (this includes running B2B webinars and providing follow-up and future email and text marketing on relevant subject matter) use legitimate interest appropriately.
This chart from the ICO backs up these assumptions.
The full ICO Legitimate Interest information can be found here.
Make sure you pay particular attention to the checklist and ensure that it’s appropriate for your business needs. A couple of points to note from this document are:
- The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.
- You must balance your interests against the individual’s. If they would not reasonably expect the processing of their data, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.
- Keep a record of your legitimate interests assessment (LIA) to help you demonstrate compliance if required.
It’s important to make sure your rationale for using legitimate interest is documented and updated for every webinar you run. If you subsequently use the data gathered from webinars, then add a reference to this and outline what rationale you are applying.
For example, if I run a webinar about apple production, then have a sale of apple harvesting equipment, I can reason that the attendee is interested in apple production and they would reasonably expect me to share further information about apple production.
However, if I diversified into orange production, then I would have to consider the rationale carefully and identify that a legitimate interest in fruit production is appropriate. Again, probably OK if you clearly document your thinking and the justification that may be reasonable.
One additional area we see relates to post event email marketing by ‘sponsors’. I won’t go into too much detail here, as it is very specific to the type of customer. However, we do see regular use of legitimate interest where a sponsor is also a speaker. The reasoning for this is that the attendee registered to hear to the speaker talk about a subject/product. Therefore, it’s appropriate to use B2B email marketing from the speaker’s company where it relates to the product discussed in the webinar.
The legitimate interest can be for a business (you) or for a 3rd party (the speakers company) if all the other criteria are also met.
When is consent needed?
We often see consent used in conjunction with legitimate interest. For example, legitimate interest may apply for the reasons above, but the organisation is large and has many products across a broad spectrum of subjects or business areas about which you would like to communicate to your contacts. In this case, a number of opt-in consent questions would generally need to be added to the registration form. So if you want to market your amazing carrot production techniques to the attendees at the apple webinar, you may need to get consent.
Consent is also important if your business wants to share the data with a 3rd party who may not be directly involved in the webinar. You shouldn’t do this without clearly and easily allowing your contacts to consent.
The great thing is, consent questions can be added easily to most webinar platforms (but remember, these should not be a requirement to attend the webinar and should, by default, be unchecked).
If your webinars are not focused on B2B then consent is also probably the most appropriate option. We see some use of consent questions on consumer related subjects, where the webinars are generally information sharing events. Here, consent is given by almost 100% of attendees.
They want to attend the webinar because of their personal interest in the subject. For this same reason, we can conclude that they want additional information that could be provided on similar subjects.
While legitimate interest is an appropriate lawful basises for communication for many B2B webinars, relying on it still comes with responsibilities for your organisation. Make sure you review the information commissioner's information fully (see references below) and understand your business’ use of the data.
You should also ensure you use a webinar provider (the processor) that does not use registrant data in any way other than to help the registrant access the webinar.
I’d recommend reviewing the information commissioners checklist fully. These points below are are those that I consider critical:
- Make sure you are a clear unsubscribe process for all email marketing.
- Maintain a rationale for any legitimate interest use you apply.
- Follow the 3 part test for any use of legitimate interest:
- identify a legitimate interest;
- show that the processing is necessary to achieve it; and
- balance it against the individual’s interests, rights and freedoms.
- If you use consent ensure that the questions are unchecked and not required to attend the webinar.
Finally, most webinar attendees see webinars as a ‘fair’ form of communication. It’s a way for them to engage in a subject or product discussion without being heavily sold to. The best webinars avoid the temptation to sell and instead try to inform the attendee - they get to decide whether to be passive or actively engage with the speakers.
This approach gets to the heart of GDPR. Letting the attendee drive their level of engagement is surely one of the goals of the GDPR legislation.
For your reference