The European Union’s new privacy law, the General Data Protection Regulation (GDPR), comes into effect on May 25, 2018 and has many ramifications for any organization doing business in the EU. Essentially, the regulation defines how businesses collect and store information on their customers and other private citizens. GDPR goes beyond the current standard of the EU Privacy Directive with regulations that are both stricter and more specific.
One of the major changes for companies engaging in email marketing is how they collect and store consent. The definition of consent in Article 4(11) of the GDPR is similar to the old Data Protection Directive definition but adds some detail on how consent should be given.
The current Data Protection Directive defines consent as:
“…any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.”
For example, when a customer frequents a coffee shop and drops her business card into a glass bowl advertising a chance to win free coffee for a year, she is consenting for her personal information to be used in order to be entered into the contest.
In the GDPR, the key elements of the consent definition remain—it must be freely given, specific, informed and there must be an indication signifying agreement. However, the GDPR goes further by requiring that affirmative consent must also be “unambiguous and involve a clear informative action.”
However, this definition is only the starting point for the GDPR’s new standard of consent. For example, the essence of Article 7 states that there is a greater emphasis in the GDPR on individuals having clear granular choices upfront and ongoing control over their consent. The new GDPR standards don’t only apply to consent given after May 25th; it applies to all existing EU subscribers on a company’s email list.
For example, if a company has a database of 100,000 email addresses that were all obtained when individuals filled out a form where an opt-in box was pre-checked, those records are not valid under GDPR. Customer inaction cannot be used as an assumption of consent.
The Information Commissioner’s Office (ICO) of the United Kingdom has issued a guide on consent under the GDPR. The guide offers a consent checklist for helping companies ensure they have taken the appropriate steps for meeting GDPR standards.
Following the checklist will ensure that organizations are compliant with key GDPR provisions, including:
- UNBUNDLED TERMS: Consent requests must be separate from other terms and conditions. Consent must not be a precondition of signing up for a service unless it is necessary for that service to be rendered. If subscribing to a newsletter, for example, is a requirement for downloading a white paper then that consent is not freely given. Wherever possible, granular options should be provided to separate consent from other processes or requests.
- ACTIVE OPT-IN: Consent requires a positive opt-in. For consent to be valid under GDPR, a customer must actively confirm their consent, such as by checking an unchecked opt-in box. Pre-checked boxes that use customer inaction to assume consent aren’t valid under GDPR.
- TRANSPARENT AND EASY OPT-OUT: The GDPR specifies that individuals have the right to withdraw their consent at any time and that it must be as easy to withdraw as it was to give consent. All major email laws require brands to give their subscribers the opportunity to stop receiving emails. Each promotional email sent must include a prominent UNSUBSCRIBE option. Most organizations will likely already be compliant with this regulation; however, as the GDPR deadline approaches, it’s a good time to review the company’s policies.
- DOCUMENTATION: GDPR requires that companies keep records that demonstrate exactly what the individual has consented to. This documentation should include: who consented, when they consented, how they consented, what they were told at the time of consent, and whether they have withdrawn consent.
Email marketers know that the new EU GDPR regulation significantly changes the marketing landscape, however, it shouldn’t make accomplishing marketing objectives impossible or overly burdensome. Companies should start by auditing their current database and understanding where their contacts are geographically located and whether an audit trail of consent was captured. It’s important for organizations to know whom their contacts are, how they were acquired and if proper consent policies were followed when the data were collected. This might require enacting a re-permission initiative, which contacts subscribers and in no uncertain terms asks the subscriber to confirm that they would still like to receive emails by clicking a confirmation link in the email. This is an effective way of refreshing consent to be compliant with GDPR or removing subscribers from the mailing list.