Can you point to explicit guidance for this (legit. interest as insufficient for electronic mktg)? I'd love to see a reference as we're having this discussion internally.
> You are also likely to need consent under ePrivacy laws for most marketing calls or messages, website cookies or other online tracking methods, or to install apps or other software on people’s devices.
You only need consent when legit interests don't apply, so this is basically saying it isn't sufficient.
Also:
(47) … The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
Sure. I admit, I simplified things because hackernews can be a rather hostile environment on this topic. It's not that you can't use consent, it's (as you say) that legitimate interest is insufficient as most types of electronic marketing require consent and those where it is possible is made much harder to justify as a long-term strategy.
Also, the ICO has an FAQ on exactly this at https://ico.org.uk/for-organisations/guide-to-the-general-da... . It is the question "Can we use legitimate interests for our marketing activities?". The whole thing is useful, but the bit below the yellow call-out is specifically about electronic marketing, and says:
"If you intend to process personal data for the purposes of direct marketing by electronic means (by email, text, automated calls etc) legitimate interests may not always be an appropriate basis for processing. This is because the e-privacy laws on electronic marketing – currently the Privacy and Electronic Communications Regulations (PECR) – require that individuals give their consent to some forms of electronic marketing. It is the GDPR standard of consent that applies, because of the effect of Article 94 of the GDPR." There's also a helpful table of possibilities below.
There's still the so-called 'soft opt-in', which is for cases where you're emailing someone that you've recently sold something to (or given a quote to) about a similar product or service and that you've given the explicit choice to refuse communications both when you collected the data and every time you've subsequently used it.
It's certainly possible to use legitimate interest for some forms of electronic marketing, but only in very specific circumstances. To give you an idea of it in practice, one of my clients has a marketplace style site. If you try and book a service but the booking falls through, for example because the service provider is unavailable, they'll email you within a couple of days if you don't look for someone new, pushing some suggestions. Then they'll stop emailing. That's legitimate interest through soft opt-in. They also send emails periodically about new service providers in your area, that is not covered by the soft opt-in so requires consent. Same for their general service newsletters.
There is also a PDF guide at https://ico.org.uk/media/1555/direct-marketing-guidance.pdf which has some good info. The header for the electronic marketing section is "General rule: only with consent", which I think is good advice. As others have said, there are other obligations under GDPR, so even if you can stretch the soft opt-in beyond what was intended, you're likely to run up against hurdles when it comes to the balancing test, or your data minimisation obligations. The soft opt-in is specifically for cases where a member of the public would expect to get communications because of the recent sale or enquiry, as time passes that expectation goes away and it starts to become very hard to justify in a GDPR context.
