Can anyone help me understand the difference between soft opt-in and legitimate interest please?
Is it that with soft opt-in you must have an existing relationship with the data subject, but legitimate interest can be used more widely for marketing purposes?
Thank you.
BlueBottle
While I’m grateful for DP-Pro’s willingness to post an answer, I don’t feel they have satisfied the OP’s query: what is the difference between soft opt-in and legitimate interest?
Under the [UK] GDPR, processing must be lawful, which is to say, it must be covered by one of the lawful bases in Article 6. The legitimate interests of the controller or a third party is the sixth such basis (Art. 6(1)(f)). Consent is the first.
When an organisation’s (or a third party’s) interests, often commercial, are both legitimate (not unlawful, false or deceptive) and compatible with individuals’ rights and freedoms, and where processing personal data by the controller is necessary to further those interests, they may rely on this basis.
The ePrivacy Directive, implemented in the UK by the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”), requires consent for direct marketing by email or SMS in Regulation 22.
(Continued…)
BlueBottle
…But there is an exemption from this where you are marketing your own similar products/services to individuals whose contact details were obtained in the course of a sale or negotiations for a sale, AND where they were given the option to opt out of marketing at that point, AND in every subsequent direct marketing communication. This is the “soft opt-in”.
When you use soft opt-in, you’re not employing consent, so you need another lawful basis. At this point, the lawful basis may very well be legitimate interests. The two, therefore, are not mutually exclusive.
In *any* case where you are direct marketing, the recipient has the right to object to the use of their personal data for this purpose under Art. 21(2) [UK] GDPR, no matter the lawful basis or whether it’s soft opt-in or otherwise.
I hope this goes some way towards answering your question.
DP-Pro
Interesting. LEGITIMATE INTERESTS is one of the prescribed LAWFUL BASES for data processing, and you are right, it has wider uses, including for marketing, but is subject to the Article 21 Right to Object. SOFT OPT-IN sets up a presumed CONSENT-LED basis and can only be used when an existing relationship exists with the data subject through a purchase or enquiries relating to a purchase, and can only relate to your own similar products/services and must offer the opportunity for the data subject to OPT OUT at the outset and at any time thereafter, perhaps on each marketing mail you send. It too is subject to Article 21; Absolutely – no argument, and also, the withdrawal of consent, making that, too, absolute. It becomes more complex when the data subject opts back in: does that, then, become CONSENT or LEGITIMATE INTERESTS processing, and do you need to record the different lawful basis for each type of customer engagement?