GDPR, marketing lists and the road to nowhere
Following a large number of questions on the topic, Senior Associate Ed Boal offers some advice on the flurry of emails landing in our inboxes in anticipation of the GDPR coming into force on 25 May 2018.
You’ve read those emails…
I am willing to bet that if you check your inbox right now, there will be at least a handful of emails more or less saying the following:
“On 25 May 2018, data protection law is changing. Sadly, this means that if you do not confirm that you want to continue receiving emails from us before then, we will not be able to do so. Please click the button below to confirm that you would still like to receive our awesome emails.”
The senders of these emails have either read one of a myriad of misguided articles about the GDPR and email marketing or, worse still, have been advised by someone purporting to be an expert that embarking upon these so-called ‘re-consenting’, ‘re-permissioning’ or ‘permission passing’ campaigns is both necessary and legal.
Tight for time? Then the gist of this article is that embarking upon a re-consenting campaign is almost certainly going to be a bad idea.
But this goes against everything we’ve been told…
You’ve probably read/been told that because the GDPR significantly raises the bar for consent, you will need to upgrade the consent you hold to bring it ‘up to standard’ and therefore be able to rely on it for marketing on and from 25 May 2018.
The GDPR does not raise the bar for consent significantly, if it raises the bar at all. Even though the GDPR now expressly states that consent must be ‘unambiguous’, given by a ‘statement or by a clear affirmative action’ and capable of being evidenced – is this really anything new? Did the Data Protection Act 1998 require anything less than this standard of consent? Is the problem perhaps that if you thought you were relying on consent (opt-in), you cannot prove this?
It goes without saying that you cannot ask someone to ‘refresh’ their consent if they never gave their consent in the first place. And if you cannot point towards evidence that they gave their consent, they never gave it.
The GDPR does not say anything about email marketing – other than the fact that if you want to do anything with personal data (regardless of whether an email address is B2B or B2C), you need to have a lawful basis for doing so. The most common lawful basis relied upon for direct marketing is ‘legitimate interests’. However, even if you have a legitimate interest for direct marketing purposes under the GDPR, there is a further hurdle to overcome – you must satisfy the rules set out in the Privacy & Electronic Communications Regulations (‘PECR’ or ‘pecker’ for short) before you can send marketing communications to individuals, sole traders and partnerships by email or other electronic means.
Under PECR, you have two options:
- Ask for opt-in consent (there is no reason why a simple subscription box with a field for an email address and a ‘subscribe’ button is not good enough, as long as your email marketing tool can record that consent was obtained on a particular date using that method and you only use the email address to send emails about whatever you said you were going to send emails about); or
- Something called the ‘soft opt-in rule’ which is essentially an opt-out (i.e. not consent, because consent requires a positive action). In order to rely on soft opt-in, you must have obtained an email address in the course of selling your goods or services to someone and given them the opportunity to opt out at the time of obtaining it.
Most re-permissioning campaigns, therefore, are trying to obtain consent in the first place! This has proven to be a dangerous practice, as Honda found out last year when it was fined £13,000 for sending nearly 290,000 emails to its customers asking them to clarify their marketing preferences. Honda, like most organisations it seems, had no idea whether the contacts in its database had opted in or opted out. The ICO did not accept Honda’s argument that their emails were not marketing emails, but rather emails asking people to confirm their marketing preferences in accordance with Honda’s obligations under the 1998 Act – same thing, the ICO concluded.
So, if you were properly using soft opt-in to acquire email addresses, you do not need to embark on a re-permissioning campaign because soft opt-in is not consent. If you thought you were using soft opt-in properly but now you are not so sure, then your email marketing has not complied with PECR since 2003 and embarking on a re-permissioning campaign is not going to square that circle for you.
Yeah, but can’t we take a risk-based approach?
Sure you can. You may decide to purge your mailing list of ‘lapsed subscribers’ (those that have not opened any of your emails for, say, the past 12 months – they are clearly disinterested) and send an email to subscribers who appear to be engaged with your marketing campaigns in recent times, asking them to update their marketing preferences.
But the rub with any risk-based approach is that it can backfire: in Honda’s case, it only took one of 290,000 recipients to complain and trigger a fine. And in any case, suggesting that your subscribers must give their consent before 25 May or risk dropping off your list because of GDPR is both legally inaccurate and (some might say) disingenuous.
Perhaps the best advice is to tidy up your marketing lists, make it easy for users to update their preferences, make sure your marketing emails contain clear unsubscribe links and respect those who click them. It might just save you from the embarrassment, hassle and costs of dealing with the ICO.