Regardless of Brexit, the UK government has confirmed that UK law will continue to mirror EU law in this area; GDPR therefore is, and will remain, relevant to UK organisations processing personal data.
Generally, organisations will have to consider what steps they need to take to become GDPR compliant, and one key area of interest for most is their marketing activity and how they can continue to benefit from their marketing database under the GDPR regime.
It is well established in law that, generally, organisations who wish to send direct marketing to consumers by electronic means (e.g. emails or texts) must have consent, and this is set to continue. The exception is the narrow set of situations where organisations can rely on the so-called soft opt-in basis, i.e. where there is a business relationship and the individual had the opportunity to object at the time of data collection and in every communication thereafter. However, what will change is the meaning of consent. What GDPR considers as valid consent is different from what is currently acceptable. Indeed, the GDPR has completely revamped the concept of “consent”, with Article 4 stating that consent must be freely given, specific, informed and unambiguous. It will no longer be acceptable for organisations to rely on pre-ticked boxes or to make access to a service subject to receiving customers’ consent to marketing. In addition, the GDPR will require all organisations to record the consent obtained for marketing purposes and make it easy for someone to opt out of the emails at any time.
As the GDPR will apply to existing marketing databases, organisations ought to review their own marketing databases and the basis upon which they legitimise sending electronic marketing to consumers.
It is becoming common for organisations across various sectors to find that they do not have GDPR compliant consent, where needed, for many or all of the contacts in their database, and that the consent has not been properly recorded. They are then left with the problem of how they can refresh consent to make it GDPR compliant before 25 May. If organisations have a legitimate basis to send e-marketing materials under the current regime, the next natural step may be to email those individuals seeking to obtain GDPR consent to allow them to continue to send direct e-marketing. The problem arises where organisations find they are using a marketing database to send e-marketing communications without any legal basis to do so.
Faced with this problem, and in an attempt to comply with the GDPR, some organisations have sent blanket emails to their whole database, asking recipients to “opt-in” to marketing emails so that proper consent can be obtained and recorded. However, the Information Commissioner’s Office (ICO) has concluded that this in itself is a marketing email and violates the rules on how an individual’s personal information should be treated when sending marketing emails.
Last year, the ICO fined Honda Motor Europe Ltd £13,000 for sending a mass email entitled, “would you like to hear from Honda?”. Their database had no information on whether the individuals had opted in or out to receive marketing information. This was due to information coming in from various dealerships and no working software in place to properly record consent.
Even though Honda believed that the email was a “service” email (a communication that is sent to an individual that facilitates or completes a transaction, whether that is for the sale of goods or services), the ICO held that it was a direct marketing email. Due to Honda being unable to show evidence that every recipient had consented to receipt of the messages, it was held that they had breached the Privacy and Electronic Communications Regulations (PECR) by acting negligently and sending unsolicited communications by email to individual subscribers without consent or a valid reliance on the soft opt-in.
England-based airline Flybe was also fined by the ICO for sending more than 3.3 million emails to individuals on their database with the title “Are your details correct?”. It asked for customers to check that their information was up to date and requested that they update their marketing preferences. Entry into a prize draw was offered as an incentive. In this case, Flybe used a third party agent to distribute bulk emails. They held a database and maintained lists of opt in and opt out for direct marketing. In this instance, Flybe asked the agent to send the email to the “opt in” list as well as the “opt out”, when the normal procedure was to only send marketing to opt in individuals. The two buttons within the email were to opt in and opt out, both with automatic entry into the competition.
The ICO concluded that Flybe had also breached PECR, as you cannot send an email asking to consent to future marketing messages to individuals that have opted out, as that email itself is direct marketing. In addition, Flybe did not have evidence of valid consent. It was their responsibility to ensure that the agent obtained valid consent before sending any marketing emails. Flybe acted deliberately by asking the agent to send the email to both lists and due to this, were fined £70,000.
The ICO Head of Enforcement, Steve Eckersley, has stated that “sending emails to determine whether people want to receive marketing without the right consent, is still marketing and it is against the law… Businesses must understand they can’t break one law to get ready for another.” This “catch-22” scenario has left many organisations confused by how to become GDPR compliant before May, with different approaches being taken to try and overcome this issue.
Pub giant JD Wetherspoons has taken a drastic approach and completely erased its entire customer email database, after deciding that email marketing was too intrusive. The company suggested that most of its customers follow Wetherspoons on social media platforms and that the erasure of the database was to eradicate any risk of a data breach.
Manchester United came up with a clever way to inform fans of the change in the law, without actually contacting each individual directly. The football team released pitch side advertising which launched their “Stay United” campaign. A video has been released on the team’s website which explains that the law is changing and uses the team’s top players to explain the benefits of opting in to their email marketing. It requests that people log in and re-subscribe online at the preference centre, with entry into a prize draw offered as an incentive to anyone who does this before 31 January 2018. The video confirms that there will be emails from official sponsors and partners with “occasional great offers” and the website has a dedicated page to the campaign with a link to the opt-in information sheet.
If you find yourself unsure of what to do with your organisation’s marketing database (or whether you have GDPR compliant consent) then our advice would be to consider your approach very carefully. We understand how valuable marketing databases can be and the desire to keep hold of these post-GDPR. However, serious fines can be imposed for sending direct e-marketing to consumers without consent; organisations should therefore tread carefully and seek legal advice. There are many ways that organisations can encourage individuals to refresh consent without emailing them, with examples including posts on social media (n.b. not by direct messenger), leaflets sent out through the post, articles on websites, phone calls (after screening with the Telephone Preference Service) or even messages displayed on internal intranets. Unfortunately, there is no silver bullet and each organisation’s approach will no doubt be underpinned by its individual circumstances, including size, budget and resources.
While some may view GDPR as a barrier to marketing, a more positive standpoint is to view it as a useful opportunity to refresh your organisation’s marketing database. It may involve losing some contacts from the marketing list; however, a smaller marketing database of individuals that have expressed a clear interest in hearing from you is arguably more valuable than a large database of contacts that has been amassed over time and contains individuals who are not interested in your business. Time for a clear out!
If you need assistance with getting GDPR ready and becoming GDPR compliant, please contact Loretta Maxfield within our specialist IP and Data Management Team on 01382 229111.