One of the main areas affected by the GDPR and the forthcoming e-Privacy Regulation is marketing, specifically business-to-consumer marketing. The legislation in this area has indisputably become stricter and less vague, with more serious consequences if it is ignored. However, quite a few ‘alternative facts’ are circulating, and we look at three of them in detail below, namely:
You cannot contact customers about their product without opt-in consent
As discussed in a previous blog post, consent isn’t the only legitimate basis for contacting customers. In all of the relevant privacy legislation (GDPR, PECR, e-Privacy, etc.) the stricter consent rules for business-to-consumer marketing apply only to ‘direct marketing’, so communications about a product the customer already holds would not count. An organisation can happily contact a customer about changes to their product, or to tell them that their product will expire soon (it is worth noting that there are a significant number of scenarios, such as in the finance and energy sectors, where you must inform a customer that they are reaching the end of a cheaper or current deal and let them know the alternatives), or about general service details relating to their product or service. The practical test is whether the message promotes something to the customer or simply administers what they already have.
For now, under the GDPR, consent is not technically always needed for direct marketing, as direct marketing can be sent on the basis of ‘legitimate interests’. This would apply only in very rare circumstances, for example where a customer is on a considerably worse product and an organisation wants to contact them to move them across. Two caveats apply. First, the GDPR lawful basis does not displace PECR: unsolicited electronic marketing (email, SMS and the like) to individuals still requires consent or the PECR ‘soft opt-in’, so the legitimate interests route is realistically limited to channels such as post. Second, if this ‘loophole’ is misused it will not be viewed kindly by the ICO, so I would not recommend using it for ‘business as usual’ marketing, as that was never the intention of its inclusion. It is also likely to be superseded by the direct marketing rules in the new e-Privacy Regulation, so it will be a short-lived loophole.
All of your current marketing data is invalid or will need updating
This marketing myth is based on some truth: all consent for direct marketing obtained before the GDPR will need to be checked to ensure it meets the GDPR standard. The Article 29 Working Party has stated that “controllers that currently process data on the basis of consent in compliance with national data protection law are not automatically required to completely refresh all existing consent relations with data subjects in preparation for the GDPR. Consent which has been obtained to date continues to be valid in so far as it is in line with the conditions laid down in the GDPR”. For this, organisations will need to have kept good records in the past so that they know exactly what customers were asked, and specifically that the consent was opt-in with no pre-ticked boxes and that the question was specific and granular. Depending on your organisation’s record keeping this could be a very straightforward task or could take a lot of digging around. If you cannot find any evidence of what questions were asked to obtain the marketing consents, then unfortunately all of that consent will have to be ‘refreshed’ or the processing stopped.
Marketing data will need to be updated every two years, no matter what
The GDPR does not say that consent must be time limited. However, both the GDPR and the DPA state that information cannot be held for longer than necessary, and so the ‘time limited’ aspect of the ICO guidance is most likely an interpretation of this, read together with the PECR wording ‘[the data subject] has given consent for the time being to such communications being sent by, or at the instigation of, the sender’. It isn’t only direct marketing consents that are time limited: every category of data should have a defined retention period so that organisations meet the storage limitation and data minimisation requirements, and so that they do not over-spend on storage they don’t need.
In the ICO’s draft consent guidance it suggested that, if a company is in doubt about when to delete or refresh data, every two years is a reasonable default: “You should also consider whether to automatically refresh consent at appropriate intervals. How often it’s appropriate to do so will depend on the particular context, including people’s expectations, whether you are in regular contact, and how disruptive repeated consent requests would be to the individual. If in doubt, we recommend you consider refreshing consent every two years – but you may be able to justify a longer period, or need to refresh more regularly to ensure good levels of trust and engagement.” This did not go down well in most circles, as trying to put a single best-practice figure on how long consent lasts is impossible and only leads to confusion. The answer can only be based on the context of the relationship with the individual and the service being provided. As noted above, neither the GDPR nor PECR sets a specific time limit for consent, and if you are marketing to existing customers the point at which ‘refreshing’ becomes necessary is likely to be after they cease to be a customer, provided an easy opt-out is offered on every communication.
Mythbusting conclusion: none of the three myths above is correct, although each has roots in accurate guidance and legislation. Even though these three are not technically accurate, the rules around marketing have become significantly stricter, and will become stricter still when the e-Privacy Regulation comes into force.
Next week RiverWolf will be publishing ‘Debunking GDPR: What Exactly Does ‘Refreshing Consent’ Mean?’ taking a close look at a vague phrase which has considerable implications.