Can Legitimate Interests Ground Justify Web-Scraping of Personal Data for Direct Marketing Purposes under the GDPR?

by Ali Talip Pınarbaşı, LLM

 

WHAT IS DIRECT MARKETING? HOW IS WEB-SCRAPING USED FOR DIRECT MARKETING?

 

As grabbing customers' attention through digital advertising has become harder, reaching out to customers directly has become more vital for businesses. Examples of such direct communication include cold-calling, cold-emailing, postal mail and point-of-sale marketing. All these methods constitute direct marketing.

The distinguishing feature of direct marketing is that the prospective customer does not initiate a communication; the first step is taken by the seller and the seller usually calls on the customer to take a certain action such as subscribing to newsletters or making a purchase.

Every direct marketing campaign, be it via email marketing or telemarketing, requires access to vast amounts of contact data of customers such as e-mails and phone numbers.

However, such contact data does not magically appear in marketers' databases, so they need to extract it from various sources, including websites and online directories.

This is where the web-scraping methods come into play: web-scraping is a technology used to extract the contact details of individuals from websites and online directories. Following the extraction of these data, the marketers then contact individuals to promote their products/services.

For example, an insurance company may want to advertise its new car insurance product to people who have been in car accidents before. To send e-mails or make calls to those people, the insurance company will have to collect the contact details of these individuals. This company can use web-scraping technology to collect their contact details.

 

LEGITIMATE INTERESTS CAN BE THE LEGAL BASIS FOR SCRAPING OF PERSONAL DATA FROM THE WEB FOR DIRECT MARKETING PURPOSES

When the data-controller extracts personal data from the websites or directories, it is likely that she does not have the consent of the data subjects. Therefore, data controllers must justify their scraping activity under another lawful basis for processing of personal data, which will inevitably be the ‘legitimate interests’ basis.

However, it is quite common to come across an article on the internet which posits that the GDPR completely prohibits web-scraping and that, unless there is consent, the processing is unlawful and will lead to hefty fines.

One recent example supporting this prevalent view is the French Data Protection Authority's (CNIL) guidance, which rejected the possibility that legitimate interests can justify scraping of personal data. The reasoning behind this position is that data subjects do not expect to receive direct marketing communications from a third-party data controller when they share their personal data with a data controller.

In other words, the Guidance rejects reliance on the legitimate interests ground to justify web-scraping based on one single criterion: the expectations of the data subject.

However, as will be explained below, the legitimate interests assessment cannot be reduced to a single determining criterion because it requires taking into account all factors and circumstances.

The following reasons demonstrate why the legitimate interests ground can be used to justify web-scraping.

 

  1. Scraping of personal data from the web is a separate processing activity subject to GDPR and it is distinct from the direct marketing activity itself.

 

Consider a data controller who scrapes personal data from the web and then uses this data for direct marketing purposes such as sending cold e-mails to individuals. In this scenario, the scraping activity and the cold e-mailing are two separate processing activities subject to GDPR, and both have the same purpose: direct marketing.

As the scraping of personal data is done for direct marketing purposes, GDPR’s rules for processing of personal data for direct marketing purposes should apply to this scraping activity.

Recital 47 of GDPR states that “[t]he processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”

Considering the GDPR’s approach, rejecting the reliance on legitimate interest ground to justify web-scraping for direct-marketing purposes seems like a bizarre result which does not align with the wording of GDPR.

 

  2. The data controller has the discretion to conduct a legitimate interests analysis to justify web-scraping; GDPR does not categorically exclude web-scraping of personal data.

 

Stating that web-scraping can only be justified on the basis of consent makes web-scraping activities completely illegal under the GDPR, as consent is almost impossible to obtain in practice in web-scraping activities. In other words, rejecting reliance on legitimate interests means prohibiting a data processing activity that the GDPR did not prohibit.

To the contrary, GDPR explicitly states that processing of personal data for direct marketing purposes can be lawful based on legitimate interests. If the purpose of a web-scraping activity is direct marketing, then it does not make sense to say that consent can be the only lawful basis to justify the scraping activity.

Therefore, the data controller should be able to rely on the legitimate interests basis to justify its web-scraping activity.

This of course does not guarantee that the web-scraping activity will be considered lawful in every circumstance. Web-scraping activity can still be unlawful if the conditions for legitimate interests are not satisfied.

Since we established that legitimate interests can justify web-scraping, now let’s look at how it would be applied in practice.

 

APPLYING THE LEGITIMATE INTERESTS TEST TO WEB-SCRAPING FOR DIRECT MARKETING

The legitimate interests test requires a balancing exercise where the interests of the data controller are weighed against the rights and freedoms of the data subjects. In this balancing exercise, all factors and circumstances should be taken into account.

This balancing exercise can be carried out by applying a three-step test:

  1. What are the legitimate interests of the data controller?

In such a competitive business environment, reaching out to potential customers to promote its products and services is vital for every business. Therefore, collecting the contact details of individuals to contact them for direct marketing purposes serves the commercial interests of the data controller. Two examples can be given for these commercial interests.

Firstly, web-scraping for direct marketing purposes costs far less compared to traditional marketing methods or running ads on digital media platforms. This is particularly true for small and medium-sized businesses which have a very limited marketing budget and have difficulties in reaching their target customers.

Secondly, web-scraping can be effective in finding a specific group of customers who might be more likely to engage with the business. For instance, web-scraping can help the business market its products/services to a particular group of people who belong to a certain age group or who live in a specific region.

  2. Is web-scraping necessary?

This step requires investigation into whether there are less intrusive ways to achieve the goal of marketing.

This will vary depending on the particular industry in which the business operates and the availability of other methods to reach customers as well as the impact on the privacy of the data subject.

For instance, if the data controller is planning to promote its farming equipment to farmers by cold e-mail or cold calling after scraping their contact information, this may pass the necessity test because this may be the most convenient way to reach the customer. This may be because it is almost impossible to reach the farmers on traditional media outlets or by running ads on digital platforms.

  3. Does the individual's interest override the interest of the data controller?

This step requires a balancing exercise between the two sides. The following factors should be considered in this weighing exercise:

- If the potential privacy impact of the web-scraping on the individual is high, this may tip the balance in favor of unlawfulness of the web-scraping,

- Sensitive character of data,

- Reasonable expectations of the customer,

- Degree of intrusion of the processing.

Depending on the specific circumstances of the case, the result of the balancing exercise will differ.

For instance, let’s imagine two different scenarios where the personal data are scraped from the web for direct marketing purposes.

Scenario 1: Company A scrapes the e-mail addresses of thousands of high school students to promote its math course materials to them via cold emailing. However, it takes appropriate security measures on the data such as encryption and pseudonymization and does not share this data with third parties. Furthermore, it does not send spammy e-mails to each person, but it only selects a small number of relevant students to promote its products.

Scenario 2: Company B carries out the same scraping activity as Company A, but it does not apply the relevant security measures and shares the scraped data with third parties.

Comparing these two scenarios, it is crystal-clear that the privacy impact of Company A's scraping activity on individuals is almost minimal, whereas Company B's scraping is likely to expose the data subjects' personal data to high risk.

As can be seen, every web-scraping activity for direct marketing purposes has different implications for individuals, and justifying it on the basis of legitimate interests requires a case-by-case analysis.

CONCLUSION

The legitimate interests ground can justify web-scraping of personal data for direct marketing.

In the legitimate interests analysis, all factors and circumstances should be taken into account, such as the privacy impact on the individual, the commercial interests of the data controller and the necessity of web-scraping, instead of just focusing on one criterion such as the expectations of individuals.

 

About the author

Ali Talip Pınarbaşı is a Legal Consultant based in Istanbul. He provides legal consultancy services on IP Law and Data Protection Law. He completed his LLM Degree at King’s College London, specializing in IP&IT Law.