By now, you have probably started receiving emails from companies asking you to update your marketing preferences. If not, then watch this space – repermissioning is coming.
Chances are that you will need to do the same.
Yes, this is another GDPR thing, arising from the fact that over time companies have collected personal data records without adequate consent to satisfy what we expect to see from the changing data protection requirements.
The alternative is to remove customers whose consent you cannot demonstrate from your customer database completely.
Perhaps go the whole hog like Wetherspoon’s and delete the lot. The pub chain clearly felt that preferable to risking the swingeing headline fines.
We're expecting to have final guidance from the Information Commissioner's Office (ICO) in regards to consent in December. In the meantime, it would be prudent to get the ball rolling for your repermissioning strategy...
How do you know if your organization needs to repermission its customers for consent?
The answer to this is simple: Are your pre-existing consents compliant with GDPR? As in, do you have an audit trail and a record to demonstrate when and where (and for what channels) the customers in your database gave consent to marketing? If you do, that’s great and you can stop reading now.
If not, you cannot 'grandfather' across consent. You'll need to get it again. Which is why repermissioning is going to be such a big thing between now and May 25th, 2018.
So, I have some following suggestions to help you with your repermissioning process.
1. Clean your data
Data cleansing will essentially get you to square one. It will rid your database of duplicates or inaccurate addresses (you don’t want to send a repermission email twice, or to an address that simply bounces), as well as update your suppressions and goneaways for your marketing channels. There's no point making a big task more difficult than it needs to be.
2. Find your best customers, who deserve a more personal approach to repermissioning
I’ve found Pareto’s principal rings true – around 80% of your business often comes from just 20% of your customers. If you plan on keeping the business of this precious 20%, it is critical you take great care to seek their consent. You wouldn’t gamble on securing their consent with an impersonal automated email if you knew they were worth a lot of money to you.
3. Only repermission those who have previously given you consent!
In the B2C world, sending a repermission email to an individual who has opted out (or once subscribed but has since opted out) is already a breach of existing rules. As the likes of Honda and Flybe learned – it’s not a good idea to repermission someone who has not given consent to marketing with what is a marketing email.
However, under current laws you can approach B2B customers and prospects for consent as long as:
a) They have not previously opted out.
b) They are not a sole trader, whose email needs to be treated under B2C rules.
4. Identify who you can market to using legitimate interest
Currently, under PECR, B2B marketers are able to send emails using legitimate interest. However, the latest changes to the still-to-be-confirmed ePrivacy Regulation (which will replace PECR and should arrive at the same time as GDPR) suggests that B2B marketers will not be able to rely on legitimate interest instead of consent.
For other forms of marketing (like post), legitimate interest is currently a viable approach. For example, if someone had unsubscribed from email, you may be able to target them through a channel like direct mail if they had not opted out.
5. Refresh your data collection methods
It will be a legal requirement to provide it if asked, so ensure you have records to prove how you gained consent for future marketing. This will apply to all the marketing channels that you use.
6. Make your subscription options granular
You should be doing this for GDPR anyway (i.e. unbundled consent), so think about giving people preferences for all your marketing channels rather than a single 'unsubscribe' option. While someone might object to phone calls and emails, they might accept SMS, for example.
7. Consider deleting if in doubt.
You might not have to go to the same lengths as Wetherspoon’s, but (in a marketing context at least) you can’t be punished for data you don’t hold. It will make responding to a subject access request easier, too!
Don't get too trigger happy with data erasure though - some you'll need to keep hold of, for example data needed for legal claims or taxation purposes.
What about soft opt-ins?
The short answer is, as soft opt-in only provides temporary consent to receive marketing messages, you will not have to repermission them. As for the long answer…
Currently many marketers send messages without explicit consent, using ‘soft opt-in’. This enables brands to send existing customers marketing messages if the following criteria is met:
- You only use the contact method (email, SMS, etc.) that were provided during negotiations for the sale
- Customers are given a clear, easy opportunity to opt-out of marketing communications at the time of data collection, and in every subsequent message
- Communications must relate to similar products or services to their purchase
The ability to use soft opt-in is possible under the ePrivacy Regulation (otherwise known as PECR, which sets out rules for sending electronic communications) and customer data can be processed under the grounds of legitimate interest to satisfy GDPR.
However, note that the updated PECR (at least, the draft version, which is currently undergoing ratification) has slightly altered the wording for the use of soft opt-in, as it can only be used during ‘negotiations of sale’, with contact limited to the ‘context of the sale of a product or service’.
Again, you’ll want to keep records to demonstrate this, should you be asked for a subject access request, or to satisfy ICO.
It's unavoidable that GDPR and repermissioning will see your customer database shrink. The positive news is that many of those you will lose were not engaged with you anyway and unlikely to be so again.