LinkedIn Marketing


Can you send personal messages to your LinkedIn connections inviting them to follow your business page?

Our founder, Mark Roebuck, recently undertook an exercise to systematically go through his followers to find people who he felt might be interested in following the ProvePrivacy company page. 

Jess Pembroke, from our friends over at Naomi Korn Associates, raised the above question following the receipt of feedback from the ICO’s chat service.

So let’s take a look at the issues.

Assuming that we are discussing data privacy concerns, both GDPR and PECR (Privacy and Electronic Communications Regulations) would apply to this exercise.

GDPR

For GDPR it is possible to rely upon legitimate interest; however, before doing so, a legitimate interest assessment should be carried out to balance the necessity and the risk. Reasonable actions to mitigate risk are:

  • Take reasonable steps to ensure that the people receiving the message might be interested in your company page
    • Select people with Data Protection or Privacy within their profile.
  • Respect individuals’ requests to ‘opt-out’ of similar communications.
    • LinkedIn messaging offers no way to achieve this, therefore I elected to remove people who objected from my personal connections, which achieves the same result.

PECR

You should be aware that PECR may apply, particularly if your message is considered marketing.

PECR applies to electronic marketing communications, including emails, texts, and some direct messages on social media. Whether PECR restricts your LinkedIn messages depends on:

  1. Who are you messaging – If you’re messaging individuals (rather than companies), PECR’s marketing rules may apply.
  2. The nature of your message – If the message is purely about inviting them to follow your business page without a sales pitch, it’s less likely to be restricted.

Who are you Messaging

LinkedIn is seen by many as a Business to Business platform, so it would be an easy mistake to assume that this would be a B2B communication and therefore fall outside of PECR. You cannot be certain of this, though, as many partnerships and sole traders use the platform and PECR would still apply to these.

It could be possible to manually review each profile and determine if the relationship is B2B, but even this might be deemed unreliable.  For example, if the individual logs into LinkedIn with a personal email, would this person then be B2B?

So on the face of it, we cannot rely upon who we are messaging to be the enabler for our messages.

The Nature of the Message

PECR requires consent only for unsolicited marketing communications sent to individuals via electronic means (e.g., email, SMS, and some direct messages). The nature of the message matters because not all messages are considered “marketing” under PECR.

  • If your message is purely informational (e.g., “We’ve launched a LinkedIn page, feel free to follow us”), it’s less likely to be classed as marketing.
  • If it promotes products, services, or commercial interests (e.g., “Follow our page for exclusive deals and updates on our services”), it is marketing and requires consent.

It is important to note that the boundary between informational and promotional is not clearly defined, so an element of risk appetite is required to determine if your message is outside of PECR.

Conclusion

As with most Privacy Impact Assessments, any activity being undertaken should be viewed from the perspective of both the data subject and the organisation’s purpose. Where legitimate interest is the lawful basis, this balancing test is a requirement under GDPR.

Since there is no certainty that the individuals being messaged are business to business relationships, PECR is likely to apply to at least some of the individuals, which means we should not use LinkedIn messaging for marketing messages.

To keep on the right side of PECR, your unsolicited LinkedIn messages should not directly promote your services.

Regardless of your final decision, you should always ensure that you can evidence your decision, as this is the basic purpose of the Accountability principle.

Best Practices

  • Keep the message informational rather than promotional.
  • Only send messages to relevant individuals.
  • Respect their right to object to messaging.
  • Avoid sending duplicate messages that might be seen as spam.
  • Ensure that your impact assessments are documented.

If you would like to learn more about how the ProvePrivacy compliance platform helps you to manage and evidence your privacy impact assessments and legitimate interest assessments book a demo.

End Note

Equally, the lawful basis for the use of tools such as ‘Sales Negotiator’ which are designed to assist with marketing messages does not support the purpose of the service provided by LinkedIn.  We would welcome comments and thoughts on this.
