So by now you’ve probably had hundreds of emails from companies telling you to update your preferences, opt-in (again), or telling you that they have updated their privacy policy.
Similarly, you’ve probably been scared to death by various TV and radio ads, as well as the sudden increase of people with the new job title ‘GDPR Practitioner’ warning you against a potential Armageddon should you not comply.
Perhaps one GDPR practitioner has told you one thing, and another GDPR ‘expert’ has told you something that completely contradicts this.
Alternatively, you could be one of the alarming number of people who still haven’t heard of GDPR.
With the potential threat of huge fines for breaching the new rules – it’s causing panic. And that’s why you’re getting all those emails.
Now, we must be absolutely clear here, that this article, and our opinion, relates to the use of personal data solely from a marketing perspective. If your business handles, stores or processes any sensitive personal data such as financial or medical data then you need to ensure you comply, to the letter. Similarly, we would be remiss in our duties as a digital marketing agency if we didn’t tell you to at least cover your back from a marketing point of view.
“We’ve heard stories of email inboxes bursting with long emails from organisations asking people if they’re still happy to hear from them,” Steve Wood, the deputy information commissioner for the UK wrote in a blog post earlier last week.
But, as Jon Baines, data protection advisor at law firm Mishcon de Reya explains, this has been the case for over 15 years: “In the UK it has been the law since 2003 that you can only send a marketing email to an individual recipient when they have consented to receive it or you have an existing customer relationship with them and have offered them the opportunity to opt out,”
Baines believes a big reason why these emails are being sent at the moment is because of an “increased awareness around the fact that sending marketing emails requires either the consent of the recipient or an existing customer relationship”. That awareness has been amplified because of the hype around GDPR.
The regulation says companies can be fined up to €20 million or four per cent of their annual global turnover, although in the UK the Information Commissioner has made it clear it won’t be heavy-handed with fines.
But when it comes to email marketing it is actually the Privacy and Electronic Communications (EC Directive) Regulations (PECR) that govern this. These are based upon a European e-privacy Directive and cover everything from emails to text messages.
GDPR doesn’t replace PECR but sits alongside it, with European regulators currently in the process of coming up with a new set of e-privacy rules to replace it.
However, Baines believes the existence of PECR means that many companies may not have needed to send the re-opt-in emails asking (again) for permission to contact you.
“I think a lot of the emails people are receiving are unnecessary, because people have either already consented or are receiving them to business addresses,” said Baines.
Business email addresses – for example, joebloggs@vizulate.com – fall under GDPR as personal data, but for marketing messages consent to receive them may not be needed.
Confused? You should be.
After all, the interpretation of consent is also ‘murky’ to say the least. GDPR states consent has to be unambiguous. So for example, that pre-ticked box at the online checkout stating you are willing to receive marketing emails will not cut it anymore. But a box you have to actively tick does. However, many, ourselves included (mainly out of peer pressure), are employing a double opt-in process whereby if someone ticks the box they will still receive another email asking them to confirm their consent to receive marketing emails. If they don’t click the link in this email then their address will not be added to our mailing list.
The fear of GDPR will see many companies lose subscribers to their mailing lists if a company elects to remove the many thousands of people who have simply not responded either way to the re-opt-in messages being sent. Not to mention those who went down the ‘Unsubscribe’ route.
Ultimately this is not a bad thing. Most companies should take the time to regularly cleanse their marketing data, and if you are one of the many businesses who have run GDPR email campaigns and had a limited response or substantial unsubscribes, fear not. It’s much better to have your marketing messages read by 1,000 people who want to hear about your products and services, than 10,000 people who have no interest and will never likely engage with you.
So with GDPR just around the corner what should you do?
Keep calm and carry on (for now). Both GDPR and PECR are legally complex with numerous caveats and exemptions relating to different scenarios, and even the so called experts have differing opinions on the interpretation of GDPR.
The regulations will continue to evolve and be defined by the legal cases involving the multi-national corporations that will fall foul of the current interpretations of GDPR and be made examples of.
Stay tuned for GDPR v1.1.