In recent weeks many companies have been bombarding their customers with emails asking for consent to keep them on a mailing list or even to contact them ever again. We even received one from our regular printer!
Such emails, saying things like “Let’s not say goodbye” or “Don’t leave me this way”, are a misguided attempt at complying with the General Data Protection Regulation (GDPR), which becomes enforceable next Friday (25thMay). The irony is that by trying to comply with one law companies could be falling foul of another.
It’s a myth, which has been busted by the Information Commissioner, that the introduction of GDPR means that the only legal basis for personal data processing (including for marketing) is consent. There are an additional five legal bases set out in Article 6:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
GDPR does not fundamentally change the position set out in the current Data Protection Act 1998 (DPA). A similar list to the one above can be found in schedule 2 of the DPA.
Consequently there is no need to send consent e-mails to regular contacts and existing customers whether or not they are on a mailing list. Often companies will be able to rely on the legitimate interest condition (explained above) to continue to make use of such data even for marketing purposes, subject to compliance with PECR (see later).
Where personal data for marketing purposes has been gathered through consent there is no need to automatically refresh permission in preparation for the GDPR. But it is important to check that existing permissions meet the higher GDPR consent standard.
The GDPR states that consent must be freely given, specific, informed, and there must be an indication signifying agreement. Opt out boxes and pre-ticked opt-in boxes will no longer do. It also requires distinct (‘granular’) consent options for distinct processing operations. Consent should be separate from other terms and conditions and should not generally be a precondition of signing up to a service.
Only where existing permissions do not meet GDPR’s higher standards or are poorly documented, will companies need to seek fresh consent, or identify a different lawful basis for processing. (See also the A29WP29 Guidelines on consent and our blog post here.)
But another equally important law has to be carefully considered. Where organisations are processing personal data to send out direct marketing, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) may also apply. PECR is 15 years old yet many organisations still fall foul of it. Failure to comply could lead to a fine of up to £500,000. When the E Privacy Regulation eventually replaces PECR, the fines will be in line with the GDPR i.e. up to 4% of gross annual turnover or EUR 20,000,000 which ever is higher.
PECR sets out the rules for sending direct unsolicited marketing to individuals and organisations using telephone, text, fax and email. Where such marketing is sent to individual subscribers, companies must get their consent (unless they rely on the so called “soft opt in”, namely that they collect an email address in the course of a sale of goods or services, and give the person the right to opt out of marketing emails at the time and in future communications). There is no such restriction when marketing to corporate subscribers i.e. a company e-mail address, even if it belongs to an individual.
The definition of marketing is very wide under PECR. Even sending an email asking someone to opt-in to receive emails or checking their marketing preferences is in itself a marketing email.
In 2017 Honda was fined £13,000 after the ICO found that it had sent 289,790 emails aiming to clarify customers’ choices for receiving marketing. The firm believed the emails were not classed as marketing but instead were customer service emails to help the company comply with data protection law. Honda couldn’t provide evidence that the customers’ had ever given consent to receive this type of email, which is a breach of PECR. Flybe was fined £70,000 after it sent an email to 3 million individuals titled “Are your details correct? ” advising them to amend any out of date information and update any marketing preferences.
Personal information on marketing databases and mailing lists is of two types. That which has been gathered through regular contact or consent with the individual and that which as been gathered by other means (including information scraped from the internet or bought). In each case the lawful basis for processing such data under GDPR has to be considered and, where it is being used for direct marketing, the PECR rules have to be complied with. Just firing off emails using standard wording may cause more problems than they will solve.
The final word to Steve, the deputy Information Commissioner:
“We’ve heard stories of email in-boxes bursting with long emails from organisations asking people if they’re still happy to hear from them. Think about whether you actually need to refresh consent before you send that email and don’t forget to put in place mechanisms for people to withdraw their consent easily.”
Need to train frontline staff quickly? Our GDPR e learning course is ideal for frontline staff. Our next GDPR Practitioner Certificate course in London is fully booked. We have 3 places left in Bristol.
We have just launched our GDPR helpline.