Thinking of Inviting Existing Customers to Reaffirm their Marketing Preferences ahead of the GDPR? Think carefully, read on…
Many clients are rightly looking at how they can explicitly confirm, ahead of the GDPR coming into force, that existing customers want to receive marketing emails, general contact, etc. This is a nice idea, but it is fraught with potential hazards if they do not consider whether their approach to using existing personal data is in line with customers’ currently expressed wishes.
Remember, under the GDPR there are 6 Lawful Bases for processing (collecting, storing, handling, using, etc.) personal data: 1) Consent; 2) Contractual Obligation; 3) Legal Obligation; 4) Vital Interest; 5) Public Interest; and 6) Legitimate Interest.
A company may have entered into a Contractual Obligation in selling a product or providing a service to a customer; however, that doesn’t mean that going forward they could rely on any ‘Legitimate Interest’ in keeping in touch with their customer for marketing purposes or any contact at all. Consent to be contacted would still be required, even to receive emails that were not marketing related, although this is unlikely to block contact on the grounds of ‘Vital Interest’, say, when a product needs a recall where a risk to life or the person has been identified.
If you have a marketing database where you are currently relying on Consent alone to email or post marketing or other communications, you need to investigate how consent was obtained originally. Under the GDPR, consent must be explicitly and freely given, and the ‘opt-in’ must be exactly that. The prospect must have put a tick in the box to explicitly say ‘Yes’, not been opted in because the box was already ticked for them. Also, was the privacy notice in force at the time their personal data was collected enough to satisfy the GDPR? (Remember, under the GDPR the privacy notice for a bought list of personal data is different to that required for personal data collected directly from the Data Subject.) If the basis on which consent was given is in line with the requirements of the GDPR, then you are unlikely to need to reaffirm consent, but going forward, prospects should be given the option to opt out.
Now, what to do about existing customers?
Hopefully, each customer on your customer list has been given the opportunity to indicate their contact preferences, i.e., for marketing, for newsletters, etc., and whether they wanted to receive contact at all by email or any other means.
So, you decide to email every customer on your list to invite them to ‘update their preferences’. Your email has no marketing in it, you are simply making them aware of the GDPR and asking them to revisit their contact choices.
The issue is this: if any of your customers had previously indicated that they ‘did not want contact’ from you, and you include them in the invitation to ‘update their preferences’, you would likely breach the law, even though your email contains no marketing at all. To quote the ICO’s Head of Enforcement (Information Commissioner’s Office – the UK’s Regulator), “you cannot breach one law to prevent a breach of another”.
In 2017, the ICO found that an airline had deliberately sent some 3.3 million emails to people who had told them they did not want to receive marketing emails from them. The emails, sent in August 2016, with the title ‘Are your details correct?’ advised recipients to amend any out of date information and update any marketing preferences. The email also said that by updating their preferences, people may be entered into a prize draw.
In another case, the ICO found that a motor company had sent 289,790 emails to clarify certain customers’ choices for receiving marketing. The company believed the emails were not classed as marketing but customer service emails to help the company comply with data protection law. The company was unable to provide evidence that the customers had ever given their consent to receive this type of email.
The total of fines across the two companies was £83,000. (These fines were under PECR/DPA; would they be higher under the GDPR? Probably.)
Steve Eckersley, ICO Head of Enforcement, said: “Both companies sent emails asking for consent to future marketing. In doing so they broke the law. Sending emails to determine whether people want to receive marketing without the right consent, is still marketing and it is against the law.” “In [the airline’s] case, the company deliberately contacted people who had already opted out of emails from them.”
He warned: “Businesses must understand they can’t break one law to get ready for another.”
It is important that companies take advice when trying to ensure consent is in compliance with the GDPR – don’t get caught out.