[GDPR] Marketing and Mailing List Consent

Marketing and GDPR

Consent: such a simple word that under GDPR has been the archnemesis of global businesses. In the lead-up to GDPR and in the post-GDPR world, one of the biggest questions I have been asked relates to old marketing lists, current customer lists and who you can legally contact or market to.

The biggest confusion with GDPR and consent is that businesses think consent is required in every circumstance before you can send direct marketing to someone on your list, and that if you don’t have this consent then you either had to chase them to give you consent in the lead-up to May 25th or you’d be in breach if you used them afterwards.

The idea of using consent as the rationale is an amazing thing and I certainly want to push for this open, transparent and privacy-first future. This is because, where you use consent as the method for collection (as opposed to ‘Contract’ or Legitimate Interest), your customers should be able to give it in an informed and freely given process. No more getting signed up to spam just because a business has bought your email address and, by extension, the ability to remove consent from other mailing or marketing lists, even ones that you may well wish to continue dealing with.

In the lead-up to the introduction of GDPR in 2018: if you market to your existing customer base, to customers you are currently ‘negotiating’ with where you’ve given them the chance not to receive marketing (it is very important that they previously had the option to decline), or to visitors that have signed up to your mailing list by choice in the past, then you don’t need to get fresh consent from them post-GDPR to be compliant. This is as long as your reason for contacting them stays the same (e.g. if you were a car specialist you couldn’t suddenly start marketing pianos to them). The reason you don’t have to get fresh consent under GDPR is that this communication is actually covered under the Privacy & Electronic Communications Regulation 2003 (PECR), in particular section 22, which says:

22.—(1) This regulation applies to the transmission of unsolicited communications by means of electronic mail to individual subscribers.

(2) Except in the circumstances referred to in paragraph (3), a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender.

(3) A person may send or instigate the sending of electronic mail for the purposes of direct marketing where—

(a) that person has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient;

(b) the direct marketing is in respect of that person’s similar products and services only; and

(c) the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication.

(4) A subscriber shall not permit his line to be used in contravention of paragraph (2). 

The introduction of GDPR does not take away from this. PECR still stands as a legal defence for direct marketing to your customers, as long as you continue to give your customers the ability to unsubscribe in every communication and you respect that choice for all marketing and contact going forward.

What should be mentioned, however, is that if all you’ve done is export your customer list from your sales platform or CRM, and at no point in the customer’s journey were they told that they would receive marketing in a way you can defend and evidence under other GDPR purpose defences (such as legitimate interest), then you are in breach.

The other part to mention is that if you then choose to switch to a consent model instead of using PECR as your defence, you need to respect that customers must opt in for you to use their data for marketing. You can’t pick and choose your defence depending on who is asking.

I personally feel that the best option for being transparent with your customers, and for giving you a much easier process to manage, protect and defend from a privacy perspective, is Consent. We shouldn’t forget why GDPR is coming into effect. The idea is to give customers a choice about what happens with their data, for companies to stop assuming that they can market or do as they wish, and to remove the blackhat trickery that came with handling personal data in the past. Switching from using PECR to a completely GDPR opt-in consent basis is a lot of work and many will see it as a pointless endeavour where they already have the ‘permission’ to market, but just remember the big picture is more than the immediate. Build your company to put its customers and privacy first and they’ll reward you with loyalty and growth.