Marketing Consent in the GDPR

N.B. This article is a transcript of TheGDPRGuy Podcast Episode 8 – Marketing Consent in the GDPR from April 2018.

In THIS episode I’m going to talk about the eMarketing rules under the GDPR and the various options you have for getting compliant.

If there’s one arena where the GDPR is giving people a massive kick up the arse, it’s the world of marketing. And there’s a lot of reasons for that, but mainly it’s that marketers are finally becoming aware of the laws that regulate them and recognising that it’s time to get their house in order.

So what’s going on?

Well, the first thing that everyone knows about the GDPR is that it’s all about consent, right? Well… no. Consent is in there, but depending on your perspective of the world its actual relevance will vary massively. So we need to talk about what consent is, where it’s going and what you really need to do your marketing.

Let’s start with what laws are currently in play right now, as of April 2018, a month before GDPR. For Data Protection we have the Data Protection Directive across the EU, and this is implemented as acts of law in each country. In the UK we have the Data Protection Act of 1998 and that currently regulates data protection for us Brits. But the Data Protection Directive has a lesser known sibling, the ePrivacy Directive, which again is implemented separately in each country. In the UK, the ePrivacy Directive is implemented as the Privacy and Electronic Communications Regulations, or PECR for short. PECR works alongside the Data Protection Act to regulate electronic communications, such as websites’ use of cookies, cold calling and email marketing.

So we have two sets of laws to be complying with now, the Data Protection Act AND PECR.

As we know, the EU is replacing the Data Protection Directive with the GDPR from May 25th 2018. And the EU’s plan was to also replace the ePrivacy laws at the same time with the ePrivacy Regulation. But somewhat frustratingly and unsurprisingly, this regulation has been massively delayed and doesn’t look like it’ll go live until late 2019 or 2020.

The upshot of all this for anyone involved in online communications, which is pretty much every marketer, and pretty much anyone else, is that we have four sets of rules to be thinking about, and then from May, that drops down to three with the arrival of GDPR.

Taking a slight tangent for a second, one of the most fascinating aspects of the GDPR is the wave of publicity that has surrounded it. Now you could call this hype rather than publicity, but in some circles, such as the Marketing industry, it has attracted everyone’s attention and exposed widespread bad practice and non-compliance with existing laws. It is amazing to see how many marketers are now learning about laws they should have understood a decade ago. It’s easy to look at this negatively, and throw shade on marketers for this, but we are where we are, and I’m seeing a massive step change in marketers getting on top of their legal obligations, which is great to see.

As marketers now learn about GDPR and in turn about existing regulations such as PECR, everyone is spotting the huge gap they need to fill before GDPR arrives. For many, GDPR requires a lawful basis for marketing that they don’t currently have. This usually boils down to two scenarios, either they have no lawful basis right now, or they have somewhat of a lawful basis right now but not enough for the GDPR. Before we get to those, let’s discuss how you can actually send Direct Marketing legally under these laws.

Starting with the Data Protection laws, so that’s the Data Protection Act and GDPR, they’re very similar, in that they say you can send Direct Marketing using Consent OR Legitimate Interest as your lawful basis. One crucial difference is that GDPR arguably requires a much tighter version of consent. I say arguably because it’s not as clear cut as many people think. Under the Data Protection Directive, Consent was defined as meaning “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.” Note that the word “unambiguous” doesn’t appear in that definition. Under the GDPR, consent is defined as meaning “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” GDPR is clearly saying that consent itself must be unambiguous. But, and there is a big butt, and I cannot lie, the Data Protection Directive states in article 7 that consent can only be used lawfully if it is unambiguously given. So whilst it’s technically correct to say that the definition of consent did change for the GDPR to become unambiguous, this was already covered by the Directive elsewhere, so it’s really a moot point.

A key difference in wording however is the addition of “affirmative action”, so essentially for consent to be valid in the GDPR, you have to actively DO something to indicate your consent. Silence or inactivity can’t be counted as consent.

And if we bring PECR back to the table, that says that prior consent can be used for Business to Consumer (also known as B2C) email Direct Marketing if it matches up with the current Data Protection laws.

All this matters because it means that some consent that is valid now, pre-GDPR, will not be valid post-GDPR.

But remember I said that Consent is not the only choice for Direct Marketing? Legitimate Interest is on the table too. As with the pre-GDPR laws, GDPR creates a general principle of permitting Direct Marketing if the Legitimate Interest is shown to be valid, such as where the recipient has a reasonable expectation of receiving it and the processing is essentially fair. At this point PECR rears its head again and tightens up exactly how Legitimate Interest can be used in some situations. For email, we have to rely on the commonly known “Soft Opt-In” mechanism.

Let’s take a pause here. Soft Opt-in is NOT consent. I’ll repeat that. Soft Opt-In is NOT consent. And it’s not a loophole either. It is the explicitly stated technique in the ePrivacy Directive for how to lawfully contact certain users with Direct Marketing under Legitimate Interest.

The general principle of Soft Opt-In is that if someone purchases from you, you can auto-enrol them into marketing. But this has some tight restrictions I’ll spell out.

  • You obtained the recipient’s details in the course of a sale. In the UK PECR widens this to include negotiations of a sale, such as adding an item to a basket or asking for a quotation.
  • You offered them an opt-out when you collected their details. Note I said opt-OUT here. Because you’re looking to auto-enrol these people, the tables are turned and you need to give them the ability to opt OUT of this opting-in process.
  • The direct marketing is for similar products and services to what they bought and is from the same company. So that means you can’t share Soft Opt-In enrolment with a sister company in the same group of companies, and can’t send marketing for a finance product when they only bought some groceries off you. The marketing has to be similar to their known relationship with you.
  • You have to offer an unsubscribe in all direct marketing you send them.

Soft Opt-in sounds great at first, but there are some major issues, including the lack of engagement you get from people that were auto-enrolled into a marketing list and also the narrow scope of offerings you can promote. The Royal Mail is an example of an organisation that is currently using Soft Opt-in for its marketing and looks like it will continue to do so for GDPR.

Soft Opt-in is spelled out in the ePrivacy Directive Article 13 and in PECR Section 22. But with the replacement on its way, the ePrivacy Regulation, eyes are turning to what that is saying about Soft Opt-in. Fortunately it doesn’t look like much is changing. There have been a lot of drafts so far with very many changes, but the Soft Opt-in section keeps surviving almost unscathed. In one draft, charities were included in the rule, but that was subsequently removed and the rule reverted back to only applying to commercial organisations. Article 16 of the ePrivacy Regulation details the Soft Opt-In rule, currently looking almost identical to the current ePrivacy Directive. So it looks like Soft Opt-in isn’t going anywhere.

However, since this is an EU regulation and not a directive, it will likely apply verbatim to every country, including the UK. This means that the current UK PECR tweak of permitting “negotiations of sale”, rather than the EU default of only purchases, will likely disappear. This could have serious consequences for marketers relying on using Soft Opt-in for abandoned basket notification emails. But the new regulation is at least a year away, with many more changes expected, so we’ll park that possibility for now.

Okay, let’s get back to those two scenarios that many marketers are finding themselves in.

Firstly, over the years, many organisations have been building up marketing lists based on dodgy third party data, probably acquired down a car boot sale from “Honest John’s Lead Company” or through their own badly managed channels such as a web form asking for an email address for a newsletter and no other information provided. The UK pub chain JD Wetherspoons fell into this situation in 2017 where they had a very large email newsletter subscriber list and recognised they had no current lawful basis to process it. They hadn’t captured valid consent due to the wording they had used on the website, for instance, not stating that the newsletter could contain marketing or referencing a privacy policy. So they had to stop using that list for marketing. But even worse, because they couldn’t email their subscribers about marketing, they couldn’t even email them to ASK for consent for marketing, because that in itself would be marketing. Honda got fined by the ICO for doing exactly that, asking for permission for marketing to people they had no current permission to market to.

So Wetherspoons were pretty stuck. They had a massive list of email addresses they couldn’t use for anything, especially marketing. In turn, they had no legal basis to keep the data. And so they did the only thing they could, and emailed all 650,000 subscribers advising they were deleting the whole database. I’m sure a few marketing people were drowning their sorrows in Wetherspoons that day.

The summary here is that if you don’t have a lawful basis to send direct marketing to people now, pre-GDPR, then you can’t legally send a repermissioning email asking for consent for the GDPR.

The second scenario that marketers are in is quite common, and that’s where organisations have got some permission to market now, but it doesn’t meet the requirements of the GDPR. This often happens where people have gained consent in a form that involved a pre-ticked tickbox or an opt-out tickbox, alongside a good explanation of what they were being signed up to. The GDPR requires affirmative consent and so any existing subscribers that were signed up in this fashion would be classed as not consented. So the existing consent needs to be “upgraded” to GDPR consent. And this repermissioning upgrade is perfectly lawful to send out by email because you have current consent, but not for long. And many marketers are discovering that sending out emails asking for consent doesn’t have a very high success rate. After about three emails asking for consent, I’m seeing success rates of about 10%, which is terrible.

So to recap, repermissioning emails are perfectly legal, pre-GDPR, if the sender has got CURRENTLY lawful permission to send Direct Marketing. Now we all know that some will be “doing a Honda” and sending repermissioning emails unlawfully, whether that be by mistake or deliberately in the hope of not getting caught. I fully expect to see some complaints being investigated by the ICO after the dust settles on all these email campaigns.

Jumping back to Soft Opt-in for a minute, GDPR doesn’t change anything here, since it’s not based on consent, so if you have valid Soft Opt-In right now, you’re probably perfectly fine to carry on with Soft Opt-in for GDPR. You don’t necessarily need to ask for consent, since you’re relying on Legitimate Interest. However you may take the view that moving to consent is a good idea since it creates a better user engagement. But repermissioning emails themselves are notoriously ineffective, so an in-app or website based repermissioning may be a better move.

So where does this leave you?

Firstly, you need to check if your marketing lists comply with the GDPR, whether that be for the consent rules, valid Legitimate Interest or having a solid audit trail of gaining that permission. If you’ve got gaps, which many will, find out the value of those gaps. All marketing lists have different cohorts of value, ranging from highly engaged users that open every email and are repeat buyers, to those that will never come back and put your marketing emails into their spam folder. Assess which users are worth keeping and in turn what budget you have if you need to repermission them. It sounds crazy, but phoning people or posting letters may be a viable and cost effective method to get people onto your GDPR subscriber list.

Secondly, execute your strategy quickly and boldly. Time is running out, and for many of you listening to this in June, that time is already gone. If it’s past May 25th and you’re wondering what to do with these lost email subscribers, well the very first thing is to unsubscribe them from any direct marketing. And then look at a plan B. Maybe that’s phoning them, maybe it’s advertising or maybe it’s a case of waiting for them to return to your website and then forcing a consent question upon them.

All of this may sound pretty painful, and for many it is a bitter pill to swallow. The world of marketing has been obsessed with its own metrics and size of subscriber lists for far too long, only seeing the top of the marketing funnel and losing sight of how many engaged users were converting into transacting customers – that’s the real objective here, turning all this into sales. Those marketers that have moved from a large subscriber low-value database to a small subscriber high-conversion database are generally pleased with the end result. Sales are better and the marketing communications can be much more focused.

And as a Data Protection Officer, having much less data to watch over is no bad thing.

Images in this post have been kindly provided by Campaign Creators (Unsplash).

Carl Gottlieb

Carl Gottlieb is the privacy lead and Data Protection Officer for a select group of leading tech companies. Carl’s consultancy company Cognition provides a range of privacy and security services including virtual DPO and virtual CISO.