Many of us are on LinkedIn and have, over the years, built a strong network of contacts there. Wouldn’t it be nice to make use of those contacts by using them to grow our email marketing list? It certainly would, as your list could grow by hundreds within minutes. That process is called ‘data scraping’.
But is it legal? After all, the personal data on LinkedIn is public, there for all to see. An American court of law last year ruled that, yes, it is indeed legal to scrape data from LinkedIn – in the United States.
But is it legal within the European Union? It turns out it isn’t. Under the General Data Protection Regulation (GDPR) rules introduced in 2018, we need to have one of 5 legal reasons to store personal data. When it comes to email marketing lists, the ones that usually apply are either Consent or Legitimate Interest. If you have consent, that is bulletproof, and you are compliant. If you use Legitimate Interest, you may be able to get away with it. You could use Legitimate Interest as the legal basis to put your clients on your list, but it may be thin ice if you are adding anyone who has enquired with you (but didn’t become a client, or not yet). You would assume that someone who has inquired about working with you has ‘legitimate interest’ in a free newsletter containing information about diet, health and well-being, but if they complained with the ICO, it is not as solid ground for you to stand on as consent would be.
Also, under GDPR, we are only allowed to collect and store data for a specific purpose and then keep it only for as long as that purpose requires us to. If, for example, you have a list of email addresses of people who want to attend your next talk, you collected it for that purpose and will need to hang on to it until after the talk. You may use it to send a reminder or directions the day before or perhaps a handout the day after. After the event, however, you are obliged to delete their contact data. If you have a list of your client data (and are a member of BANT), then you are going to have to hang on to the data for eight years after the client’s last appointment. After that time has elapsed, you are obliged to dispose of it safely. (GDPR does not determine this retention time, but in our case BANT does. The Information Commissioner’s Office (ICO) has left the decision of how long retention should be to the individual professional bodies, so if you are not a member of BANT, check with yours.)
What do those rules mean when it comes to LinkedIn data scraping?
I am not a lawyer, and to be sure you may want to ask one, but as far as I can see, data scraping is in breach of GDPR, even if we were to pick up our contacts’ email addresses. We have access to our LinkedIn contacts because they chose to connect. That does not mean that they decided to join our mailing list, so you do not have consent, unless you ask them all individually. Can you assume legitimate interest? I think not. They may have chosen to connect with you for all sorts of reasons that are not an interest in nutrition or nutritional therapy.
Can you use scraped data for business-to-business email marketing?
GDPR is about personal data, not business data. You, therefore, can contact another business whichever way you like. However, there is still something to consider here: If the data you are ‘scraping’ and then storing is personal data – even if it is a business email address – you are still in breach of GDPR.
Say, for example, you want to use the email address of amy.johnson@companyA.co.uk that is personal data. There is just one Amy Johnson at that company, and that makes her identifiable and her email address personal data. So even if you are talking to a business, perhaps a sole trader, depending on what email address they chose for their business, you are in breach of GDPR if you add them to your list.
Email addresses you can use are those that do not identify a person, such as enquiries@, info@, helpdesk@, sales@ etc. These are not allocated to a specific person and are okay to be contacted, even if they do belong to a sole trader and you know there is just the one person at the other end. It still doesn’t count as personal data.