Are some businesses killing their ability to communicate with customers due to GDPR?
GDPR has certainly kicked up a storm in the last few months within the EU. If you haven’t heard about it, or do not know what it is at this time, then I would either be surprised or worried. The concern to act within the law to stay compliant with GDPR has caused us all to receive a barrage of emails often desperately asking us to re-consent to receiving emails.
For businesses who are still considering whether they need to do this before or after the magical compliance date of 25th May 2018, in this article, I’m exploring if some businesses have got this wrong and have damaged their commercial opportunities since they won’t be able to mail as many people in future. For fuller details on compliance, premium members can read our GDPR best practices guide.
Is gaining re-consent essential for compliance with GDPR?
Consent is one of the most important GDPR concepts. Gaining consent has prompted a deluge of emails from businesses into our inboxes asking “Do you want to keep hearing from us?”. Often they end with a call-to-action of “Click here to confirm that you want to continue receiving emails”. But is this really needed. Take this example sent to a Hilton customer. You can see it asks for opt-in, yet this is to an existing customer who has already given consent when they joined the loyalty programme.
As our best practices briefing explains this is unnecessary, under The Privacy and Electronic Communications Regulation (i.e. PECR 2003, updated 2011) which co-exists with GDPR and is in the process of being updated as part of the EU Privacy Initiative. This states that if permission has been gained “during the course of or during negotiation for sale”, permission isn’t required from existing customers. Perhaps Hilton’s systems don’t have evidence of this original opt-in or hotel stays, which could require re-consent, but I’d be surprised if that was the case.
Let’s take another, you could say more pragmatic example or the other extreme – it doesn’t reference GDPR or even offer an unsubscribe option which is already a requirement of GDPR. We wouldn’t recommend this approach since it doesn’t acknowledge GDPR which most consumers are now aware of, or give an unsubscribe option, which has been required by PECR since 2003…
Is auto opting out the best thing do for customers that have not given consent?
One would hope that a business (at some point in time) gained written or verbal permission from a customer to receive emails. This notion is in no way new to B2C emailing as is the unsubscribe feature to email marketing. Now GDPR is coming in, there is no changes being made to the permission structure in and around if you can or cannot email a customer. Seeing as I love analogies, If someone’s inbox is their home then as it has always been, you have to be invited in or ask permission to be let in. Never in history has it been allowed to just barge in to someone’s house and start shouting things you want the owners/residents to hear. The same applies to email in the past, present and future.
So what are the requirements for consent during the GDPR changeover?
When dealing with GDPR and its structure, then there is no better place to check than the official ruling around consent than the ICO.
The GDPR sets a high standard for consent, but the biggest change is what this means in practice for your consent mechanisms.
The GDPR is clearer that an indication of consent must be unambiguous and involve a clear affirmative action (an opt-in). It specifically bans pre-ticked opt-in boxes. It also requires distinct (‘granular’) consent options for distinct processing operations. Consent should be separate from other terms and conditions and should not generally be a precondition of signing up to a service.
You must keep clear records to demonstrate consent.
GDPR isn’t reinventing the wheel on privacy law, instead it is telling us how to obtain consent correctly and safely. This means that transparency and control is one of its main features. The majority of companies have been in line with the 2003 PECR law whereas others have been waltzing around in a relatively unregulated email marketing wonderland. GDPR is turning up to organise the chaos. Further that, it is putting the power of data back in the hands of customers and welcoming some decorum in to the landscape of B2C electronic mailing.
So where in the rules does it say I need to gain re-consent?
Put simply, It doesn’t. In no way does GDPR require businesses to gain re-consent from a customer they have lawfully subscribed to their emailing list. Now this may (IS) a little late to be bringing up this information but it has been there for us all to see and it seems some (A LOT) of businesses have misunderstood. The number of customers removed from mailing, incorrectly, will be astronomical.
Steve Wood, the Deputy Commissioner for Policy at the ICO states (with caveats) in a blog on the 9th May 2018,
“You do not need to automatically refresh all existing consents in preparation for the new law”.
Earlier clarification would have been helpful, but it is useful to see this clarification.
Why is it not the right thing to do?
The fact that it is unnecessary to remove customers after they have not re-consented is not breaking any GDPR compliance. No rules are being broken and no tears are being shed, or are they? Most likely, yes. Where? In the potential earnings of your business. With this knee jerk and reactionary activity that has plagued our emails, the general murmurings is
that people are either opting out or just ignoring the emails. People are tired of being asked and it has led to a general feeling of being overwhelmed. The only outcome is that these people are removed from your mailing list. This is part of your revenue stream and with every customer lost, that revenue stream is being depleted. Customers are becoming indifferent and disengaged, others are becoming superheroes at the saying no.