Confused about GDPR? You’re not the only one. You could probably paper your office walls with the number of articles, white papers and blog posts that have been written about the forthcoming changes. And here’s another one!
GDPR – or General Data Protection Regulation – comes into force on May 25th 2018. It’s designed to harmonise EU data regulations and give individuals a greater say over what happens to the data they provide to third parties. Businesses can theoretically be fined up to 4% of their annual turnover if they infringe the regulations – so it’s not something to be taken lightly.
GDPR affects how organisations store, process and use customer data. In this blog I’m focusing on just one aspect of the new regulation: how it affects e-marketing and the databases you hold – specifically with regards to the requirement for opt-in.
Opting in can be defined as ‘choosing to participate’ – people making an active decision that they want to receive marketing emails from a specific organisation. This means your business has the consent of the people on your database to send them emails.
I’m not talking here about ‘process’ emails you send as part of everyday activity such as, ‘Please can you approve this?’ or, ‘Where’s my money?’ – but emails designed to market or sell to them, or inform them on a regular or irregular basis about new product or company developments. These are often sent using email marketing software such as MailChimp or Constant Contact, but the rules apply equally to plain-text emails sent from your own email account.
GDPR applies to all these emails, but there is a difference in the type of consent you need to gain depending on whether the recipient is a personal contact or a business contact.
Legally speaking, personal or B2C (business-to-consumer) contacts will have email addresses ending in @gmail, @hotmail, @aol, @yahoo or similar, even when someone uses those domains as their business email address.
Business or B2B contacts are role-based emails, i.e. emails relating to the person’s business activity. So ‘firstname.lastname@example.org’ would be a business email.
But it’s not as simple as that. Ha! Did you think it would be? Hello – this is EU legislation we’re talking about here!
Sole traders, partnerships, unincorporated trusts and foundations, and their staff – on the face of it, business contacts – come under the rules of the Privacy and Electronic Communications Regulations (PECR), which are already in force and will run alongside GDPR from May 25th.
This means the rules for these types of business are the same as the rules for B2C communications to personal contacts, regardless of the fact that they are businesses.
Marketing emails to B2B contacts at limited companies, PLCs, incorporated partnerships, trusts and foundations, local authorities and government institutions are not subject to PECR regulations. UNLESS, that is, you are emailing them about something personal, such as inviting them to a golf day or other freebie.
Still with me?
Most GDPR papers I’ve seen argue that ‘consent’ means that recipients must at some stage have ticked a box to say, ‘Yes! I agree to you mailing me about (whatever)’.
However, while you must have a legal basis to email both B2C and B2B recipients, this can take two forms: consent, and legitimate business interest.
Consent has to be freely given and recordable. So this could be ticking a box online or on paper which says, “Yes, I agree to you sending me emails”. It cannot be bundled into some other consent, such as agreeing to use their email address for paperless billing.
Consent has to be unambiguous as to the intention, and cannot rely on pre-ticked boxes that the recipient has to untick. Under consent, silence, or failure to opt out, is not the same as opting in.
Consent should be the basis of any marketing to B2C recipients, including the organisations listed above which come under PECR regulations. So that is fairly straightforward.
Legitimate interest can apply when the B2B recipient could reasonably expect to receive marketing emails from you as part of your normal business activity. Say they buy a product or service from you, and give their email address as part of the purchase process, and you send them a welcome email which says you will email them from time to time about other products of yours which may be of interest.
This is legitimate interest and does not require specific consent. However, you must make it clear why you are contacting them (for example they have become a new customer and you believe they’d like to find out more). You must give them a clear way to opt out and, if they do, you must delete them from your database for future emails.
If you send emails to your clients, or on behalf of your clients (i.e. if, like me, you are their marketing consultant), here are four scenarios which could be affected:
Business to consumer: You are a financial adviser and you email your clients (who are individuals) about the service you provide, or to give them information that helps them to understand the service you provide.
If they are clients, i.e. if they have had services from you and have not opted out, then you can email them about closely related services under legitimate business interest, though they must always be given the clear option to opt out. This is technically legal, but you would have to argue that there was absolutely no other mechanism to achieve the same result, other than sending an unsolicited (illegal) email – and in an age of sponsored links, social media and print advertising, that would be near impossible to achieve.
However the ‘best practice’ route would be to get them to opt in before you add them to the mailing list, so you have ‘consent’ rather than ‘legitimate interest’ as a reason for emailing.
Business to consumer: You are a consumer brand which has run a Facebook promotion to win a product, which required entrants to provide their email address. You then add them to your database and begin emailing them.
If they are not (yet) clients then, as consumers (B2C) they must have opted in. So either provide a box to tick to that effect on the competition entry form, or make your first email specifically about opting in.
Business to business: You are an IT company and you have your business clients’ email addresses and use them to send emails about your business, products, services and activities.
If they are clients, i.e. they are businesses who have bought products or services from you and have not opted out, then you can email them about closely related services (not any old stuff) under legitimate business interest, though they must always be given the clear option to opt out.
However, if you email your customers offering them a deal on a home computer for their kids, you are breaching the code unless you have specific consent given for this type of communication.
Business to business: You meet another business person at a networking event and exchange business cards. You email them to introduce your business more fully and add them to your new business mailing list.
Role-based emails (to clients or prospects with email@example.com type addresses) must be about services that would benefit anyone in that role within the target organisation; they cannot be for the benefit of the individual. So legitimate interest would cover the scenario described here. However, the classic ‘golf day’ email would fall foul, although I expect few would complain about a freebie, even though, technically, it is a breach of the regulations.
The easy answer is there isn’t an easy answer. The safest thing to do would be to get opt-in consent for everyone on your mailing list.
If they are already clients, this shouldn’t be too hard to do. But build it into your new business communications too. Make sure you can provide evidence of opt-in or legitimate business interest, and you shouldn’t go wrong.
Experts* believe that in practice, most legal challenges under GDPR will come from the B2C market, so if that is where your clients are, make sure you act before May 25th.
NOTE: I’m NOT a GDPR expert, so I’m hugely grateful for the help I’ve received in compiling this post from someone who is: Andrew Stellakis*, managing director at Q2Q. Please do not take action based on the contents of this blog post. It is merely intended to distil information into a form that ordinary non-expert people, like me, could understand. If you have any questions about GDPR, this article from the Direct Marketing Association also proved very helpful to me.