Marketers know that running contests and competitions are a great way to capture the data of individuals who have shown an interest in their products or services. You offer the chance to win a prize and in exchange you get their personal details and the opportunity to communicate with them. That seems like a fair swap, right?
But how will new data protection laws affect the way you conduct a competition?
Promotional marketing is already regulated by the Advertising Standards Agency (ASA) and Committee of Advertising Practice (CAP). The CAP guidelines outline comprehensive rules relating to competition wordings, terms and conditions, method of entry and so on. Yet new data protection legislation mean marketers need to be even more dutiful.
Earlier in August, the government announced its UK Data Protection Bill, our equivalent of the EU’s General Data Protection Regulation (GDPR). Both of which will come into force May 25, 2018 and both sets of laws will bring changes that organisations who use promotional marketing need to consider.
Contravening the UK Data Protection Bill comes with severe fines. Currently, the regulator responsible for monitoring data protection, the Information Commissioner’s Office (ICO), can issue fines of up to £500,000. After May 25, 2018, the top level fines can be as much as £17m, or 4% of a business’s global annual turnover – whichever is the larger amount.
AUDITING PERSONAL DATA
WHY: What are you collecting the data for and how do you plan to use it, e.g. direct marketing activities, for third parties, for marketing lists, profiling, etc?
WHO: Whose personal data are you processing? Children under the age of 13, for example, will not be able to consent to their data being processed. Who else will the data be disclosed with?
WHAT: What types of personal data are you collecting (name, address finances, IP address, etc.)? What was the source (such a competition, newsletter, or from a purchase)?
WHEN: At what point did you obtain the personal data and how long have you retained it for?
Being able to answer these questions will prove useful should your marketing practices be investigated, as well as for processing data subject access requests.
New laws with consent (an agreement from an individual to having personal data about them processed) may require businesses to make big changes to their current approach. Under GDPR/UK Data Protection Bill laws, for consent to be considered valid, it must be:
- Freely given, without coercion, undue incentives or a penalty for refusal. Where consent is a condition of a subscription, consent must be demonstrable.
- Specific to the type of communication in question and the organization sending it.
- Displayed clearly and easy to understand so the person knows what they are agreeing to.
- Show a positive expression of choice, with a prominent statement signifying agreement. Opting in cannot be inferred by silence, pre-ticked boxes or inactivity.
COMPETITIONS AND GIVEAWAYS CONSENT EXAMPLES
To see how organisations currently approach consent, we thought we’d do some research with competitions running in August 2017. How would some of these real-world examples fare under new data protection laws?
Here, consent has not been freely given (by entering the competition, you are automatically subscribed to a marketing newsletter). Although you can unsubscribe, refusing consent means you cannot enter the competition.EXAMPLE #2
Again, consent has not been freely given. Certifying your age, agreeing to the T&Cs and agreeing to marketing should be 'unbundled' as separate choices. Mixing ticked and unticked boxes makes it harder to prove consent was freely given.
While these example gives each choice its own tick box, it mixes pre-ticked and unticked boxes, which do not demonstrate "positive expression of choice".
Here is another example where consent is not freely given. In this instance, without agreeing to receive marketing material, you cannot submit the competition entry.
These two examples also fail to adhere to GDPR requirements. In the example on the left, opting in could be agreed with inactivity. You must agree to opt in, not request to opt out. The example on the right is another instance where a pre-ticked box has automatically opted users in.
Thank you Mumsnet, for a clear demonstration of the ability to give consent for marketing. An unticked box demanding positive action to opt in, along with a reassuring message about personal data privacy and an easy link to the competition T&Cs.