GDPR is changing e-privacy and electronic marketing – stay on the right side of the law
Email marketing regulations state that you can only carry out unsolicited electronic marketing if the person you’re targeting has given you their consent. This guiding principle is not expected to change. However, the scope of privacy regulations is likely to extend to include Business 2 Business (B2B) as well as Business 2 Consumer (B2C) because of changes to the definition of personal data.
This is because the Privacy and Electronic Communications Regulations (PECR), which govern electronic marketing, are in the process of being updated in line with the new General Data Protection Regulation (GDPR).
Before GDPR, the rules about emails for individuals didn’t apply to emails sent to organisations. In May next year GDPR’s wider definition of personal data will include data relating to a person at their business. This means there will be no distinction between B2B personal data and B2C data. When sending marketing emails to businesses you will now need to use the consent principle or ‘soft opt in’ principle in the same way that you do with individuals. Giving businesses an ‘opt out’ option will no longer be sufficient.
Everyone sending marketing communications needs to understand the rules around consent, which are stricter in line with GDPR. You will need to provide comprehensive information (specific, informed) about what the person is consenting to, as well as ensuring they wouldn’t be disadvantaged if they didn’t consent (freely given). There must also be no doubt as to what they are consenting to (unambiguous) and no doubt as to whether they have actually given consent (clear affirmative action).
Exceptions to the consent rule still fall under the ‘soft opt in’, which means sending an opt in email. It is allowed if the following three conditions are met: 1) the buyer gives you contact details while making a purchase or negotiating a sale, 2) you are marketing a similar product or service and 3) there is a simple unsubscribe option at the bottom of each email so that a potential buyer can refuse marketing at any point.
GDPR regards opt in emails or other soft opt in measures as a legitimate interest, which is the legal basis for sending direct marketing electronically. It covers email, SMS, social media and instant messaging apps. But you need to be clear from the start, when collecting personal data, which electronic channel you will be using, and make sure your marketing communications are relevant.
Legitimate interest may arise where consent is not viable or not preferred, although organisations will still need to show that there is a balance of interests – their own and those of the person receiving the marketing. With electronic communications, an unsubscribe link is simple to implement in cases of soft opt in by known customers.
When you send an electronic marketing message, you must identify yourself and provide a valid contact address. You must also have a complaints process in place.
If you are uncertain about how to make sure you have got valid consent, use an opt-in box on the email rather than an opt-out one.
You must then keep a list of people who have opted out and screen lists to make sure you do not email them in future.
At the moment the Information Commissioner’s Office will consider issuing a fine of up to £500,000 where an organisation persistently ignores individuals’ objections to marketing.
However, breaches of the new e-Privacy Regulation may attract fines of up to 4% of annual worldwide turnover, just like GDPR. It is not clear when the new regulation will take effect: a target date of May 2018 was set in line with GDPR, but this is likely to slip into early 2019, giving you a little more time to prepare.