When a GDPR consent email isn’t compliant with the new rules
08 May 2018
Writing for Real Business, CEO and founder of personal data governance company PORT.im, Julian Saunders, discusses the mistakes SMEs are making in their GDPR opt-in emails.
If Alanis Morissette were writing the song ‘Ironic’ today, she might have included a lyric about how it’s like sending a GDPR-mandated consent email which itself breaches GDPR rules.
Of course, doing so would probably have ruined the song and wrecked her career. Nevertheless, there are few greater ironies than the deluge of consent and compliance emails companies have sent to their customers over the past few weeks which plainly breach GDPR.
This trend is affecting companies both large and small. Recently, I’ve received emails that bundle consent to receive marketing emails with other offers, some that demand my consent lest I see a reduction in service, others that ask for blanket approval, and some that even pre-populate consent.
If you were being cynical, you would say that these firms are seeing how far they can bend the rules ahead of the GDPR compliance deadline on 25 May. Indeed, from the less than clear language that is used in a lot of these messages, it’s fairly apparent that a number of companies are, at the very least, not adhering to the spirit of GDPR.
However, my view is rather more straightforward: they still don’t understand GDPR. Despite the reams of material online, armies of paid-up consultants touting their wares, and the deluge of publicity on data privacy following the Cambridge Analytica scandal, businesses have still not got their heads around the sheer scale of GDPR.
In some ways, this is understandable. If you cast your mind back a few years to the ‘Cookie Directive’ there was a lot of huffing and puffing before it came into force. As it transpired, complying with the directive consisted of a website pop-up for users to click ‘yes’ to.
My suspicion is that many business owners and senior managers are underestimating GDPR due to this experience. They seek to pay lip service to the legislation without truly understanding what it actually says or are in denial that the ICO will actually do anything to enforce it.
The reality is that getting your customer base to legally consent to receiving marketing messages in a post-GDPR world is critical, and can’t be treated like any other communication campaign.
The starting point is that, to be compliant, companies must obtain affirmative consent, defined as ‘freely given, specific, informed and unambiguous’. ‘Silence, pre-ticked boxes or inactivity should not constitute consent’, and finally, when assessing whether consent is freely given, account must be taken of whether ‘the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.’
That last bit is a little complicated, but it basically means you must keep consent requests separate from other terms and conditions or services: you cannot make a service conditional on consent to processing the service does not need. Put simply, the EU Commission is wise to all the tricks companies could use to game this process, something many companies have not yet realised.
All in all, the ICO has written a 32-page guide on consent. It covers issues such as the requirement for emails to carry a clear and easy unsubscribe option, the removal of any unnecessary hurdles to revoking consent (such as having to log in), and how you should link to your updated privacy terms and conditions. The thoroughness of the guidance means it effectively serves as a template for how these consent campaigns should operate.
Naturally, if you’re a business owner there’s a temptation either to do the bare minimum and see how GDPR plays out, or to do whatever it takes to gain consent and maintain your customer marketing database. Both tactics are incredibly short-sighted.
Ask yourself, why wouldn’t you want your customers to know that you adhere to the highest data privacy standards? Similarly, what is the point of tricking customers into continuing to receive marketing messages from you?
Viewing GDPR as an inconvenience is to miss its point completely. By empowering your customers and giving them control over what they receive from your company, you can build trust. This is a much more powerful commodity than simply retaining records in a database.
A poorly executed GDPR compliance campaign is, at best, a waste of time and money, since it will be found to be in breach and you will have to run it again; at worst, it is a mechanism for completely undermining consumer confidence in your brand.