Are some businesses killing their ability to communicate with customers due to GDPR?
GDPR has certainly kicked up a storm in the last few months within the EU. If you haven’t heard about it, or do not know what it is, then I would be either surprised or worried. The push to stay compliant with GDPR has caused us all to receive a barrage of emails, often desperately asking us to re-consent to receiving emails.
This article is for businesses still considering whether they need to do this, before or after the magical compliance date of 25th May 2018. In it, I explore whether some businesses have got this wrong and have damaged their commercial opportunities, since they won’t be able to mail as many people in future. For fuller details on compliance, premium members can read our GDPR best practices guide.
Is gaining re-consent essential for compliance with GDPR?
Consent is one of the most important GDPR concepts. Gaining consent has prompted a deluge of emails from businesses into our inboxes asking “Do you want to keep hearing from us?”. Often they end with a call-to-action of “Click here to confirm that you want to continue receiving emails". But is this really needed? Take this example sent to a Hilton customer. You can see it asks for opt-in, yet this is to an existing customer who has already given consent when they joined the loyalty programme.
As our best practices briefing explains, this may be unnecessary, since emailing existing customers is covered under The Privacy and Electronic Communications Regulations (i.e. PECR 2003, updated 2011), which co-exist with GDPR and are in the process of being updated as part of the EU Privacy Initiative. PECR states that if permission was obtained "during the course of or during negotiation for sale", separate permission isn't required from existing customers. Perhaps Hilton's systems don't have evidence of this original opt-in or of hotel stays, which could require re-consent, but I'd be surprised if that were the case.
Let's take another example at the other extreme. This one doesn't ask for re-consent, doesn’t reference GDPR, and doesn't even offer an unsubscribe option, which is already a requirement of both GDPR and PECR. We wouldn't recommend this approach: it doesn't acknowledge GDPR, which most consumers are now aware of, and it omits the unsubscribe option that PECR has required since 2003.
Is auto opting out the best thing to do for customers that have not given consent?
Ultimately, the decision as to whether reconsent is required hinges on whether a business (at some point in time) has gained online, written or verbal permission from a customer to receive emails and has recorded this. Since I love analogies, it's as if someone’s inbox is their home as it has always been and you have to be invited in or ask permission to be let in. Never in history has it been allowed to just barge into someone’s house and start shouting things you want the owners/residents to hear. The same applies to email in the past, present and future.
So what are the requirements for consent during the GDPR changeover?
When dealing with GDPR and the actions required to comply, there is no better place to check than the official ruling around consent from the ICO:
The GDPR sets a high standard for consent, but the biggest change is what this means in practice for your consent mechanisms.
The GDPR is clearer that an indication of consent must be unambiguous and involve a clear affirmative action (an opt-in). It specifically bans pre-ticked opt-in boxes. It also requires distinct (‘granular’) consent options for distinct processing operations. Consent should be separate from other terms and conditions and should not generally be a precondition of signing up to a service.
You must keep clear records to demonstrate consent.
GDPR isn’t reinventing the wheel on privacy law; instead it is telling us how to obtain consent clearly, correctly and safely. This means that transparency and control are among its main features. GDPR is putting the power over data back in the hands of customers and welcoming some decorum into the landscape of B2C electronic mailing.
So where in the rules does it say I need to gain re-consent?
Put simply, it doesn’t. In no way does GDPR require businesses to gain re-consent from a customer who has lawfully subscribed to their mailing list. Now this may be (IS) a little late to be bringing up this information, but it has been there for us all to see, and it seems some (A LOT) of businesses have misunderstood. The number of customers incorrectly removed from mailing lists will be astronomical.
Steve Wood, the Deputy Commissioner for Policy at the ICO states (with caveats) in a blog on the 9th May 2018,
“You do not need to automatically refresh all existing consents in preparation for the new law”.
Earlier clarification would have been helpful, but it is still useful to see this clarification for those who are still considering their approach.