The introduction of the General Data Protection Regulation (GDPR) in 2018 is going to have a significant impact on all businesses and how they use customer data for marketing.
Recently the Information Commissioner’s Office (ICO) released a 12-point checklist for businesses to follow in preparation for when the GDPR comes into force. However, it touches only briefly on the finer details of each point.
This article aims to help you better understand the implications the GDPR will have for customer consent. It goes without saying that now is the time to start reviewing how you seek, obtain and record consent.
Without an individual’s consent, marketers cannot send any of their communications by text or email, make automated calls, or pass those details to other companies. Under the new laws, which will inform the Privacy and Electronic Communications Regulations (PECR), being unable to demonstrate valid consent could lead to enforcement action. In other words, a hefty fine.
So, here are seven questions that marketers need to ask:
1. How is consent considered valid?
According to the ICO’s guidelines for Direct Marketing it must be:
- Freely given, without coercion, undue incentives or a penalty for refusal. Where consent is a condition of a subscription, consent must be demonstrable.
- Specific to the type of communication in question and the organisation sending it.
- Displayed clearly and easy to understand so the person knows what they are agreeing to.
- A positive expression of choice, with a prominent statement signifying agreement. Opting in cannot be inferred from silence, pre-ticked boxes or inactivity.
The PECR has also set out stricter rules for email communications, including the need for consent to be given to the organisation sending the marketing (rather than to a third party that may have provided the data), and for that consent to be ongoing beyond the message sent and specific to a certain form of communication.
2. Are there alternatives to explicit consent?
While explicit consent has not been stipulated by the PECR, obtaining it is considered best practice. That said, implied consent – a situation where the person could easily conclude they have consented to marketing, even if not said in as many words – could be considered valid. Of course, your organisation would still need to be able to demonstrate consent was given freely. If anything, acquiring explicit consent would be easier.
3. What are approved methods for obtaining consent?
There are several legitimate ways to obtain consent, but the clearest method is to ask your customers to tick an opt-in box to confirm they wish to receive marketing messages, and to document the specific channels you wish to use (post, email, phone calls etc). Other methods (including clicking an icon, sending an email, subscribing to a service or oral confirmation) can be used, but the important things to consider are that:
- The customer must understand that they have given consent, and what they have consented to, without any important details hidden in ‘small print’.
- Organisations cannot email or text to ask for consent as the message itself constitutes a direct marketing message.
- There needs to be a simple method for opting-out.
4. Are there rules relating to opt-in and opt-out boxes?
Best practice is to have opt-ins that require a box to be ticked, rather than unticked. A pre-ticked box will not be considered enough to demonstrate consent. Mixing ticked and unticked boxes will also make it harder to prove consent was given. To comply with PECR, there will also need to be specific boxes for each type of communication, or analysis, you hope to use.
5. I use marketing lists provided by third parties. How will this affect consent?
Many marketing departments rely on data supplied by third party list brokers, and the ICO refers to this as ‘indirect consent’. Although relying on third party consent is quite common, customers have not given their consent to these organisations directly, so it may not be sufficient under the PECR guidelines relating to electronic messages, where specific consent would be required.
That said, there are some concessions, suggesting that consent might be valid when specific third party organisations or tightly defined groups have been named (although not when presented with a long, exhaustive list or general categories).
6. Is there a time limit to consent?
Although there is no fixed time limit where consent expires, context is important and it should be assumed that it does not remain valid forever. An important thing to note is that a person’s most recent indication of consent is paramount – if a customer agrees to marketing on three previous occasions but opts out the fourth time, it is this last decision that sticks.
Even when consent has not been explicitly withdrawn, PECR vaguely considers consent to last ‘for the time being’. The ICO interprets that as lasting until there is a significant change in circumstances. For example, agreeing to hear more about a new product launch is not a clear indication of willingness to receive ongoing communications at a later date. Should a subscription to a service be cancelled, consent is likely to expire, too.
7. Will my organisation need to provide proof of consent?
It is an organisation’s responsibility to demonstrate valid consent; otherwise it could be at risk of enforcement action. Clear records will need to show the date of consent, what has been consented to, the method of consent and who obtained it, and these may be needed as evidence in the event of a complaint.
Hopefully, all of you have a code of conduct in place to ensure you already adhere to these guidelines. If not, it’s better for you and your marketing department to take a second look at what you’re doing now, before the ICO comes knocking on your door asking questions.
The General Data Protection Regulation
A Practical Guide for Businesses
This White Paper, created by data protection specialists Opt-4, provides a thorough look at how GDPR will change existing laws, and offers suggestions for what you can do now to prepare for GDPR.
This White Paper also covers:
- The global scope of GDPR
- How GDPR will change consent, processing and profiling
- The new rights for data subjects
- Guidelines for Data Protection Officers
- Liabilities, penalties and enforcements