One of the main areas affected by the new GDPR and upcoming e-Privacy is Marketing – specifically business to customer marketing. The legislation in this area has indisputably become a lot stricter and a lot less vague, with more dire consequences if ignored. However, there are quite a few alternative facts spreading, which we will look at in detail below, namely:
You cannot contact customers about their product without opt-in consent
As discussed in a previous blog post, consent isn’t the only legitimate reason for contacting customers. In all of the relevant privacy legislation (GDPR, PECR, e-Privacy, etc.) the stricter consent rules regarding business to customer marketing refer only to ‘direct marketing’, and so communications regarding a product the customer is on would not count. An organisation can happily contact a customer regarding changes to their product, to tell them that their product will expire soon (it’s worth noting that there are a significant number of scenarios, such as in the finance and energy sector, where you must inform a customer they are reaching the end of a cheaper/current deal and let them know the alternatives), or with general service details around their product or service.
For now, under GDPR, consent is not technically always needed for direct marketing, as you can send direct marketing for ‘legitimate interests’. This would be in very rare circumstances, for example where a customer is on a considerably worse product and an organisation wants to contact them to move them across. This ‘loophole’, if misused, will not be viewed kindly by the ICO, and so I would not recommend using it for ‘business as usual’ marketing, as that was not the intention of its inclusion. This is also likely to be overwritten by direct marketing rules under the new e-Privacy regulations, so it will be a short-lived loophole.
All of your current marketing data is invalid or will need updating
This marketing myth is based in some truth: all consent for direct marketing obtained pre-GDPR will need to be checked to ensure it meets the GDPR standard. The Article 29 Working Party have stated that “controllers that currently process data on the basis of consent in compliance with national data protection law are not automatically required to completely refresh all existing consent relations with data subjects in preparation for the GDPR. Consent which has been obtained to date continues to be valid in so far as it is in line with the conditions laid down in the GDPR”. For this, organisations will have to have kept good records in the past to ensure they know what questions were asked of customers, and specifically that they were opt-in with no pre-ticked boxes and that the question was specific and granular. Depending on your organisational record keeping, this could be a very straightforward task or could take a lot of digging around. If you can’t find any evidence of what questions were asked to obtain the marketing consents then it does unfortunately mean all consent will have to be ‘refreshed’ or the processing stopped.
Marketing data will need to be updated every two years, no matter what
The GDPR does not mention that consent needs to be time limited. However, both the GDPR and the DPA state that information cannot be held for longer than necessary, and so the ‘time limited’ aspect of the ICO guidance is likely an interpretation of this in association with the PECR wording ‘[the data subject] has given consent for the time being to such communications being sent by, or at the instigation of, the sender’. It isn’t only direct marketing consents which are time limited: all data types should have a relevant retention period in order for organisations to meet data minimisation requirements, and also to help businesses avoid over-spending on storage they don’t need.
In its draft consent guidance the ICO suggested that, if a company was in doubt about when to delete or refresh data, every two years is a good idea: “You should also consider whether to automatically refresh consent at appropriate intervals. How often it’s appropriate to do so will depend on the particular context, including people’s expectations, whether you are in regular contact, and how disruptive repeated consent requests would be to the individual. If in doubt, we recommend you consider refreshing consent every two years – but you may be able to justify a longer period, or need to refresh more regularly to ensure good levels of trust and engagement.” However, this did not go down too well in most circles, as trying to put a best practice figure on how long consent lasts is impossible and will only lead to confusion. It can only be based on the context of the relationship with the individual and the service being provided. As noted above, neither the GDPR nor PECR sets a specific time limit for consent, and if you are marketing to existing customers the time for ‘refreshing’ is likely after they are no longer a customer, as long as an easy opt-out is provided on each communication.
Mythbusting conclusion: None of the three myths above are correct, although they do have roots in accurate guidance and legislation. Although these three are not technically accurate the rules around marketing have gotten significantly stricter, and will be getting stricter still when the e-Privacy Regulation comes into force.
Next week RiverWolf will be publishing ‘Debunking GDPR: What Exactly Does ‘Refreshing Consent’ Mean?’ taking a close look at a vague phrase which has considerable implications.
Marketing is a necessary part of the business world, and is essential for getting word out about what your business does, normally to selected groups of people or businesses who have been identified as possibly being interested in a product or service. Despite the essential nature of marketing it does have a bad reputation, as some organisations have mistreated the spirit of legitimate pathways to marketing (looking at you, soft opt-in) in the past, and due to this those pathways which were in the Data Protection Act have not made it into the General Data Protection Regulation. However, there are still ways organisations can legitimately speak and sell to their customers and stakeholders – old or new. This week RiverWolf will specifically be looking at business to business marketing, which has much softer rules than business to customer.
Marketing in privacy legislation only refers to ‘direct marketing’, which is defined as “the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals”. We will look at the words ‘direct’ and ‘marketing’ separately, as they are important to understand the full meaning. To be ‘direct’, the communication needs to be aimed at a specific individual. In practice all electronic messages such as calls, emails and text messages fall into this definition; however, two major areas of marketing – unaddressed physical mailshots and most online semi-targeted adverts – don’t come under this purview. The second word, ‘marketing’, is important, as service correspondence, follow up conversations, and all other further correspondence with a prospective client wouldn’t count. For example, if a coffee shop asked a website design company to design them a website, the follow up emails would not constitute direct marketing. Despite the website company largely ‘selling’ a product and telling the coffee shop what they can do, this would be information or correspondence necessary to enter a contract. A further example would be if a coffee shop were on a preferential rate with the website company for 6 months, and were about to come to the end of their preferential rate and move onto a normal higher rate: sending them details of other rates would not constitute direct marketing either, as this would be ‘service correspondence’.
PECR and GDPR’s rules are much lighter when the marketing is business to business. You can email or text any corporate body (not including sole traders, but including companies, Scottish partnerships, LLPs, or government bodies) with marketing as long as you identify yourself and provide contact details. The recipients still have rights – especially if the address has the individual’s details such as email@example.com. Specifically, the right the individual staff members and businesses have is the right to object to marketing, so an unsubscribe function is essential, and it is essential that it is easy to find and use (no rabbit hole link after link, register to unsubscribe, or dragon slaying to unsubscribe!). Although you do need to provide an opt-out on all communication, you do not need to specifically rely on opt-in consent as you do with business to customer. You must, however, keep an unsubscribed list and ensure you do not contact these people with marketing in the future.
Mythbusting conclusion: You can market to organisations without explicit opt in consent, as it is treated differently to personal contact details. However you will have to ensure you stick to the following checklist for B2B marketing:
Next week RiverWolf will be publishing Debunking GDPR Myths: Business to Customer Marketing which will take a look at B2C marketing myths. Subscribe to ensure you get the news first.
A prevailing myth of both the Data Protection Act and, more recently, the GDPR is that you can only use a person’s personal data with their consent, and a subset of this belief is that although you can use personal data without gaining consent first, this practice is frowned upon. This belief has been repeated by many quite reputable sources, and is something heard regularly when running Data Protection training sessions. Fortunately for consumers, organisations, and humans in general, not all processing of personal data needs consent. Not only is consent not needed, it is also not the preferred method, as noted by the ICO, who have stated “no single basis is ‘better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the individual”.
All processing of personal information must be fair and legal, and to be legal it needs to fit into a ‘condition for processing’. There are six conditions for processing which can legitimise your activity and these can be summarised as:
It is important to take note of the word ‘necessary’ here, and not try to legitimise processing which is surplus to the requirements of the core processing through an incorrect condition. Activities should fit neatly into one of the above, and if they don’t, that is the point where consent is considered and a clear way of capturing consent in a freely given way is set out to the individual. Consent should not be chosen as the condition for processing if the processing could cause detriment to a person, or if it isn’t a real choice. For example, if a person is buying a cup of coffee the coffee shop would not ask them if they consent to their payment details being processed in order to pay, as if the customer declined they would not be able to buy a cup of coffee, hence it is not a real choice. The coffee shop would be providing a service and so this processing would fit under the ‘contract’ provision. Although it can seem like a paper exercise, picking the incorrect condition for processing can lead to serious issues later on if you need to reuse the information for any purpose, or if a person wants to exercise their right to erasure, objection (or withdrawal of consent), or portability based on what condition for processing you have given, and finds out they are not eligible for the right. For example, if the coffee shop had asked the customer for their consent to process their payment information, in the future the customer would have the right for the shop to delete that information, which would put the shop in a tricky situation with either just the ICO or the tax man and the ICO, depending on how they handled it.
The only hard and fast rule (which isn’t always necessarily clear cut, as we’ll discuss next week), is that direct marketing to individuals needs to have explicit consent in order to be legal under GDPR (and the Personal Electronic Communications Regulations). This was not necessarily always the case, as previously organisations could rely on ‘soft opt in’, a practice where if a person had already shown they were interested by enquiring or previously purchasing from an organisation, it could be assumed they wanted to hear from them in the future. This is now not the case, and a clear indication that the person wants to be marketed to separate to (for example) wanting to go ahead with a purchase or other service, must now be collected. In other words, the coffee shop can’t assume that the customer wants emails about their coffee offers because they bought coffee from their shop.
A significant amount of confusion seems to stem from the need to tell people how you are using their data. With a few exceptions, all organisations need to tell people what they are doing with their information in the form of a ‘privacy notice’, which is given on collection of the data. Some privacy notices do ask for consent, as privacy notices are given at the start of a relationship with an individual and this is the best time to gain consent. However, most notices are for information only and are necessary in order for organisations to be transparent and open about what happens with individuals’ personal data, not for collecting consent. Not using consent doesn’t exempt an organisation from giving notice, but giving a notice doesn’t mean you need a tick box for a person to agree with it either.
As with the Data Protection Act, the GDPR has an additional set of conditions for processing for ‘sensitive personal data’, also now known as ‘special categories’ (the name changes are no doubt to keep us all on our toes!). There are 10 conditions for processing for sensitive personal data, but these come with more caveats (which are not listed) than conditions for non-sensitive personal data:
For most organisations which are not a public body or a not for profit, this means that they almost definitely will need explicit consent to process sensitive personal information. For some types of data, this is a vague area of the legislation. For example, some browsing history could be considered sensitive personal data (if you were to search ‘how to get rid of a migraine’ or ‘gout symptom checker’), yet these have traditionally not been caught by the much stricter provisions for sensitive personal data. However, most data which comes under the definition of sensitive personal data will be quite clear cut, and the ICO does not take kindly to it being processed without a clear legal basis.
Mythbusting conclusion: Your organisation has many more conditions for processing to rely on other than consent for most personal data, however you mustn’t (generally speaking) use a person’s data without their knowledge, and if you want to start processing sensitive personal data you are likely going to have to use explicit consent.
Next week RiverWolf takes a close look at GDPR and Marketing.
The last few weeks have been tough on US data processors, specifically the tech giants Google and Facebook. The Cambridge Analytica saga has caused a ripple effect where US tech giants’ privacy practices have come under scrutiny. Issues such as Facebook tracking phone calls on Android phones without the users’ knowledge, saving of draft videos, and further scandal over the third party usage of data have been in the media spotlight, and in the background the discussion of transatlantic processing has come to the forefront. As discussed in Part One, the US-EU privacy relationship has quite often been projected upon, and broken by, Facebook’s practices and reputation.
The Safe Harbor Agreement was initially the US’ way of getting an adequacy decision from the EU to make it easier for US companies to do business with European companies. It allowed companies to self-certify that they would protect data when on US shores, preventing the need to set up individual Model Contract Clauses with each client. In principle it’s a great idea: the EU and the US have a lot of data transfers, and a significant number of prominent tech companies are based in the US. However, this became the centre of controversy when Max Schrems took Facebook to court and argued that the Safe Harbor Agreement did not give adequate protection to EU citizens. In a David and Goliath moment, Yves Bot, the European court of justice’s advocate general, agreed with Schrems and Safe Harbor was no more. Far from the easy one-stop-shop tool it was supposed to be, it was now a spotlight, shining global news on US privacy practices, adding fuel to the fire of the PRISM and NSA scandal. For nearly a year there was no easy mechanism for transatlantic data processing, with organisations largely unsure of whether they were still allowed to use US companies (as Model Contract Clauses are not particularly well known even now), and shying away from contracts with these companies until the more formal go ahead was given by the EU. Relations with US companies still haven’t recovered, with procurement departments still not sure whether they are allowed to select US companies.
Privacy Shield was born out of the ashes of Safe Harbor 10 months after Safe Harbor was declared invalid, although it took a little longer for US companies to self-certify and for many companies to be on there. There is still a take up issue with many companies disregarding it: currently there are only 2786 organisations signed up, which is a fraction of the organisations who process EU data in the US. This makes procurement departments’ reservations about appointing US companies more understandable. Arguably the differences between Safe Harbor and Privacy Shield are subtle at best, and do not solve the issues which led to the dissolving of Safe Harbor in the first place (that European citizens’ data was being used for mass surveillance, and that there was no recourse to enforce privacy rights). The differences which did make it through were the insertion of key definitions, mechanisms to ensure the oversight of the Privacy Shield list, and the mandatory external and internal reviews of compliance. In the November 2017 review of Privacy Shield, the latter two didn’t seem to be working particularly well as safeguards. That review, the last one before the Cambridge Analytica/Facebook debacle, was lukewarm at best, calling for “an increased oversight and supervision of compliance with the Principles of the Privacy Shield through namely, ex-officio investigations and continuous monitoring of certified companies”, and was no less critical of the public authority side, as security apparatus are still processing EU citizen data for mass surveillance purposes. Both privacy campaigners and certain EU officials aren’t placated by the safeguards put in by Privacy Shield, and this latest development could kill or strengthen it.
Considering the issues the US are having with their privacy reputation, it does need to be asserted that there are no blacklisted countries: companies can still do business with any other business in any country as long as there are appropriate safeguards in place. However, the US is currently the most difficult country to do business with privacy wise. This is bad news for all US businesses, but especially the tech giants who will be missing out on the large EU market. The US can either change their privacy laws à la Canada and gain an adequacy decision; continue with Privacy Shield and try to get it more widely adopted by US companies, making transfers and contract negotiations smoother; or Privacy Shield could be quashed and replaced with something slightly more robust (… and hopefully something slightly more compulsory).
There have already been some immediate consequences of the focus on US privacy. The CEO of Cambridge Analytica has been suspended, there are calls for Zuckerberg’s resignation, and the EU have reiterated that they are unhappy with US privacy practices. There are also signs that it will have a positive effect: Facebook are wanting to roll GDPR-esque compliance out worldwide (although only ‘in spirit’), it has brought attention to the fact that GDPR applies to all EU citizens and residents even if you are processing their data in the US, and hopefully it is a wake-up call to tech giants and other organisations that people take their privacy seriously. The previous cold start ‘wait and see’ approach to GDPR implementation and working towards good privacy practice in general may just be heating up.