Risk and reward. 2018 will see the intermingled fields of privacy, data protection and electronic direct marketing face dramatic and comprehensive change.
While the General Data Protection Regulation (GDPR) has enjoyed fairly thorough coverage in both the legal and popular press, the closely connected ePrivacy Regulation (ePR) has, by contrast, remained in relative obscurity. Both Regulations are on course for implementation in May next year, and for marketing professionals, both represent a significant shift in compliance obligations, particularly in relation to the form, nature and management of consent to electronic direct marketing.
Surprising few in the marketing community, a recent DMA report valued the contribution of direct marketing at almost a quarter of total average UK business turnover. With email, social media and search advertising continuing to lead aggressive growth, the relevance of this sector has never been greater. As the recent Honda and Flybe cases demonstrate, however, public and regulatory scrutiny has sharpened significantly in recent years, and tolerance for mistakes has never been lower. In response, some have taken drastic action, most notably the pub chain Wetherspoons, which in summer 2017 made the decision to delete its entire email marketing list. In 2018, greater than ever potential for marketing development seems likely to be met by greater than ever risk, both financial and reputational.
This two-part series will address the changes to marketing consent that the GDPR and ePR represent, and discuss practical steps for organisations to take now. Part 1 of this guide provides both background and context and considers the impacts for consent management.
A tale of two (Regulations)
While the GDPR regulates the processing and sharing of personal information (PI), the ePR addresses the rules organisations must follow when sending electronic direct marketing (EDM), and using tracking technologies such as cookies. Whilst individually discrete, like a regulatory Venn diagram, a distinct area of overlap has developed and flourished between the two, in which advertising and the use of PI coalesce. For marketing, understanding the (sometimes complex) interplay between both Regulations is key to getting compliance right.
Given the obvious complexity here, perhaps the most straightforward approach is to ask a straightforward question: how can we ensure our electronic direct marketing is legally compliant in May 2018? At the risk of answering one question with another (or three), a pragmatic response raises the following:
- What is 'consent', why do I need it, and how do I obtain it for EDM?
- What form should our consent capture take?
- What does active consent management look like, and why is it important?
Internal v. External
Before examining what makes consent valid, it's important to draw a distinction between consent obtained as a ground for processing PI for EDM purposes under the GDPR, and consent obtained under the ePR in order to actually send EDM.
Processing PI, for any reason, under the GDPR requires a valid legal ground to be in place. Whilst consent is one of a number of potentially valid grounds, others are also available, including processing PI for a legitimate interest and on the ground of contractual necessity.
In the context of EDM specifically, a further important distinction should be made between 'internal' PI-related EDM activities - e.g. using customers' personal information to plan and design advertising campaigns - and 'external' EDM activities - e.g. the actual sending of direct marketing to recipients. The former falls within the GDPR remit and, as a result, use of the legitimate interest ground, instead of consent, is much more likely to be appropriate. ICO guidance in this area has always regarded internal use of PI for direct marketing purposes as potentially within the legitimate interest of an organisation. By contrast, the ePR requires consent in order for the sending of EDM to be legally compliant.
Planning, designing and creating EDM using PI internally (i.e. 'selection processing') is likely a legitimate business interest, and is therefore unlikely to require an individual's consent under the GDPR, provided it is not overridden by the rights and freedoms of the individual. The more compelling the organisation's interest, the more likely it is to qualify as a legitimate business interest. Actually sending the EDM created through this process to recipients (i.e. 'communication consent') will require consent under the ePR.
Valid consent - when is a 'yes' not a 'yes'
The GDPR fundamentally changes the definition of consent in all contexts in which it is relied upon. For consent to be valid under the GDPR, it must be freely given, specific, informed and unambiguous. The ePR imports this definition.
The practical impact is that if an organisation is to rely on consent under the GDPR and/or ePR, then anything other than definitive, clear and, critically, opt-in consent to EDM is unlikely to be valid. Silence, pre-ticked boxes and opt-out consent (whereby a user must take an active step to say 'no' rather than 'yes' to EDM) are therefore now almost guaranteed to be invalid.
The current draft of the ePR retains the very specific 'soft opt-in' exemption, but only in the context of commercial marketing in connection with the sale of goods or services, where the organisation has obtained the individual's details in the course of such a sale. The draft ePR has, in relation to soft opt-in, removed the reference to 'negotiations' for a sale, and is therefore potentially even more restrictive in scope. Any EDM sent under soft opt-in consent must be limited to marketing similar products or services of the specific entity to which the consent relates (e.g. not another group company). Organisations must take care to ensure the scope of materials sent under this consent is limited to their own closely related products/services. In addition, recipients must be given a simple opportunity, in each EDM correspondence, to withdraw consent.
Notice requirements - tell me what you want (what you really, really want)
In addition to the significant definitional change, the GDPR mandates a much more granular approach to consent collection. Practically this will likely require consent collection which specifies the channels through which an individual will be contacted (email, SMS, social media etc.) and specificity regarding from whom the EDM will come (the organisation itself and/or third parties).
Organisations should start considering now how, technically and organisationally, granular consent can be obtained. Organisations also need to review and consider their current ground for selection processing and how this needs to be modified, whether by means of GDPR-compliant consent re-permissioning and/or an update of information notices.
Consent management - here today (gone tomorrow?)
Whilst addressing changes to consent collection will likely pose a significant compliance burden, organisations must also consider how they will manage that consent post-collection. The GDPR provides that, in order for consent to be valid, it must be granular (as above) and easily revocable. For marketing, this presents a challenge under the ePR, both day-to-day, in managing which channels and which third parties a recipient is happy to receive EDM from, and in altering those consents in the event of consent withdrawal.
Maintaining a robust consent and/or customer identity management system across the business will be key to ensuring that both consent itself and requests for withdrawal are appropriately managed. This may be a particular challenge when considered in the context of the time limit for compliance, now 30 days.
Talking points - Part 1
- Ensure legal requirements for valid consent are understood, across the organisation.
- Review approach to consent management, including mechanisms for obtaining valid consent.
- Start to consider commercial value vs. compliance risk of current EDM lists.
In Part 2 of this guide we will address the challenge of re-permissioning consent, ahead of 2018.