The European Union’s new privacy law, the General Data Protection Regulation (GDPR), comes into effect on May 25, 2018 and has many ramifications for any organization doing business in the EU. Essentially, the regulation defines how businesses collect and store information on their customers and other private citizens. GDPR goes beyond the current standard of the EU Privacy Directive with regulations that are both stricter and more specific.
One of the major changes for companies engaging in email marketing is how they collect and store consent. The definition of consent in Article 4(11) of the GDPR is similar to the old Data Protection Directive definition but adds some detail on how consent should be given.
The current Data Protection Directive defines consent as:
“…any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.”
For example, when a customer frequents a coffee shop and drops her business card into a glass bowl advertising a chance to win free coffee for a year, she is consenting to the use of her personal information to enter her into the contest.
In the GDPR, the key elements of the consent definition remain: it must be freely given, specific and informed, and there must be an indication signifying agreement. However, the GDPR goes further by requiring that affirmative consent must also be “unambiguous and involve a clear informative action.”
This definition is only the starting point for the GDPR’s new standard of consent. Article 7, in essence, places greater emphasis on individuals having clear, granular choices upfront and ongoing control over their consent. The new GDPR standards don’t apply only to consent given after May 25th; they apply to all existing EU subscribers on a company’s email list.
For example, if a company has a database of 100,000 email addresses that were all obtained when individuals filled out a form where an opt-in box was pre-checked, those records are not valid under GDPR. Customer inaction cannot be used as an assumption of consent.
The Information Commissioner’s Office (ICO) of the United Kingdom has issued a guide on consent under the GDPR. The guide offers a consent checklist for helping companies ensure they have taken the appropriate steps for meeting GDPR standards.
Email marketers know that the new EU GDPR regulation significantly changes the marketing landscape. However, it shouldn’t make accomplishing marketing objectives impossible or overly burdensome. Companies should start by auditing their current database and understanding where their contacts are geographically located and whether an audit trail of consent was captured. It’s important for organizations to know who their contacts are, how they were acquired and if proper consent policies were followed when the data were collected. This might require enacting a re-permission initiative, which contacts subscribers and asks them, in no uncertain terms, to confirm that they would still like to receive emails by clicking a confirmation link in the email. This is an effective way of refreshing consent to be compliant with GDPR or removing subscribers from the mailing list.