GDPR & CASL: When to use “Legitimate Interests” or “Consent” as a lawful base

If you are a Canadian marketer and you send emails to the European Union (E.U.), under GDPR you’ll need to justify why you collect and store data for each of your contacts. And by data, I’m referring to contact information (first name, last name, email address, etc.) and how you use this data (marketing, transactional, etc.).

The lawful bases

Because GDPR governs data security and protection, an individual or organization may reference one of the six lawful bases to justify the collection of data of their clients, leads, partners, members, marketing contacts, etc.

From a purely marketing perspective, there are two lawful bases that one will cite regularly in their records and documentation: “Legitimate Interests” and “Consent”.

  • “Legitimate Interests” as a lawful base can be relied upon for marketing activities if you can show that how you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object.
  • “Consent” as a lawful base is appropriate if you can offer people real choice and control over how you use their data, and want to build their trust and engagement.

Which lawful base to apply for email marketing purposes…

Knowing that:

  • Under CASL, which governs commercial electronic messages, a consent status needs to be attributed to and documented appropriately for each contact, for you to have the legal right to send them electronic commercial messages. Either “express” or “implied” consent.
  • Under GDPR, which governs data security and protection, a lawful base needs to be attributed to and documented appropriately for each contact, for you to have the legal right to store and use a contact’s information.

Hence, as a Canadian marketer (sending marketing messages to the E.U.), you must take into consideration and comply with the rules of GDPR -AND- CASL, thus adding a certain complexity.

Despite this complexity, there are totally legitimate, quick, and easy solutions for you to use:

For B2C email marketing

“Consent” as a lawful base is one of the ways, and the easiest for email marketers, to prove lawfulness and compliance in the eyes of GDPR.

However, there are strict requirements and you will need to obtain explicit consent (note that there is no such thing as “implied consent” under GDPR) moving forward from all your marketing communication subscribers or from anyone that fills out forms on your web pages to receive communications from you.

If you use “Consent” as a lawful base:

  • Consent must be specific to distinct purposes.
  • Silence, pre-ticked boxes or inactivity do not constitute consent; data subjects must explicitly opt in to the storage, use, and management of their personal data. A double opt-in procedure is the best and safest way forward.
  • Separate consent must be obtained for different processing activities, which means you must be clear about how the data will be used when you obtain consent. The opt-in message that is used has to state all the ways you could possibly use the personal data you collect and how you are protecting that data. (ex.: state that you take data protection seriously by including a link to your Privacy Policy, and indicate that a person can access, rectify, or erase their data at any time.)
  • Consent must be verifiable and requires a written record of when and how someone agreed to let you process their personal data.

This process not only enables you to comply with GDPR, but also gives you “express” consent under CASL.

For B2B email marketing

Particularly for those in sales, many of our contacts can be filed and recorded as “Implied Consent” under CASL, and as “Legitimate Interests” under GDPR.

You are required, however, to document the Legitimate Interests Assessment for each contact (LIA):

Whoa, that’s a lot to take in and document! But wait… whether you’re marketing B2C or B2B, or both, the arrival of GDPR is a great opportunity and occasion to convert “implied consent” Canadian contacts to “express consent” contacts, and classify E.U. contacts under “Consent” as a lawful base. See this article, “How to Write Emails to Get Consent for GDPR (and CASL)”.


Understandably, different sized organisations and types of messages need to be taken into consideration. Be sure to adapt accordingly to your organisation’s structure, operations, and unique situation.

Applying both CASL and GDPR legislations responsibly and taking the appropriate action is not at all an easy task. There are many details to pay attention to and to follow. It can be a difficult, time-consuming, and frustrating task if you are not completely versed in both legislations. In addition, mistakes can result in costly fines for individual executives and companies alike.

If you need help or have questions, you can leave a comment or contact us at any time.
