You may have been getting a lot of emails recently, likely from recruitment companies and retailers, explaining that they have you as opted in on their marketing systems and that they would like to keep marketing to you, but that you’ll need to let them know you are still happy for them to do so. These are examples of organisations ‘refreshing’ consent, or uplifting their 'consents' to meet GDPR compliance levels. You may need to use the same approach for some of your contacts; however, don’t worry: you likely won’t need to do it for all contacts. The discussion below is for 'BAU' marketing only, i.e. consent to receiving all marketing communications.
This uplift is being spurred on by GDPR: although the Privacy and Electronic Communications Regulations (PECR) are the main legislation for electronic marketing, you also have to comply with GDPR. PECR does not specifically say you need a positive indication like a tick box for consent, and neither did the DPA. However, with a few exceptions for legitimate interests (which, as the ICO has stated, are only to be used sparingly), GDPR states that consent needs to be shown with an affirmative action. This means no more soft opt-ins in BAU marketing, or 'implied' consent.
Do I need to do it for everything?
No – just your 'soft opt-ins', or things for which you don’t know if you asked a GDPR-compliant question. As the Article 29 Working Party have noted: ‘Consent which has been obtained to date continues to be valid in so far as it is in line with the conditions laid down in the GDPR’. This is where good records management practices will pay dividends, because if you have details of all the questions you have asked to gain your consent, and they are GDPR compliant (as per my last blog post), then you are good to go. No refreshing needed here! However, this is also where not-so-good records management practices are going to sting you. You’ll need to hunt around your approvals or web design records to try to find the questions, and the manner in which they were asked (no pre-ticked boxes!). If you can’t find any, or you have found them and none of the questions are compliant (they are all opt-out, or have pre-ticked boxes, for example), then you'll need to refresh all of your data. As discussed in the first of the GDPR debunking blog posts, you don’t actually need consent to contact customers in a lot of circumstances, only for marketing.
Isn’t asking people if they want to be marketed to considered marketing?
Before the 25th May, asking people who you market to compliantly under the DPA whether they still want to receive communications is fine, as we are still operating under that legislation. Afterwards, it will likely be seen as very similar to the Honda situation, where you are asking borderline or grey-area contacts whether they want to be marketed to. This is not viewed lightly by the ICO, and is likely to get you a fine. The fine Honda received was £13,000 of a possible £500,000. This tells us that it was not seen as a particularly severe breach of PECR, but a breach all the same. If you want to do it right, and risk free, it is advised that you do it before the 25th May.
What about refreshing consent to keep it up to date?
This guidance is from draft GDPR guidance on consent from the ICO and isn’t necessarily in the GDPR. The background to it is explored in detail in my previous blog post. The time-limited aspect is mentioned in PECR, as it is implied you can’t keep the consent indefinitely. How long the consent is kept for will depend on your relationship with a customer, client, or supporter. If a person has consented to marketing and is using a continuous service such as water or electricity, or they are a registered supporter who has a longstanding monthly donation for a charity, this will need to be treated differently from a person who consented to marketing when they made a one-off purchase, such as at an online retailer. It is likely a safe bet to assume that if a customer has consented to marketing at the start of a relationship, and that relationship is ongoing, the consent doesn’t need to be refreshed until after that relationship is over.
Next week, RiverWolf will be looking at GDPR Mania in the run-up to GDPR implementation on the 25th May.