GDPR and email marketing consent

GDPR – Think twice before sending a re-permissioning email campaign

GDPR compliance is not an option – it’s the law. If you are new to GDPR then read our overview and get to grips with what your legal duties and responsibilities are.

What is re-permissioning?

Re-permissioning is the process of asking people to re-confirm their consent and is a term that marketers use when they run email campaigns to update people’s preferences.

Do you need to re-permission your database?

No. As per the ICO tweet below, this is a myth.

However, in some cases you may choose to seek fresh consent, but you won’t be able to make an informed decision until you have carried out a data audit and considered all your options.

What to consider before sending a re-permissioning email campaign

There are two questions to address:

1. Will you be breaking the law?

If you email people without having a legal basis, then you will be breaking the law.

As the ICO Head of Enforcement warned in his commentary about the Flybe and Honda cases:

Businesses must understand they can’t break one law to get ready for another.
Steve Eckersley, ICO Head of Enforcement

If your current permissions do not meet the higher GDPR standard of consent, then it stands to reason that you cannot lawfully process personal data on the basis of consent. If you do so, then you will be breaking the law now and, after 25 May 2018, you will also risk being fined.

However, consent is just one of six legal bases for holding and processing personal data. You may have a different legal basis for emailing someone, e.g. performance of a contract or legitimate interest. In some cases, legitimate interest may be available as a legal basis for email marketing, in which case you need to consider point 2 below.

2. Is it necessary?

If your legal basis for emailing people is legitimate interest, then you do not need consent.

In addition, the ICO has stated that:

Using this basis for processing that is expected and has a low privacy impact may help you avoid bombarding people with unnecessary consent requests and can help avoid ‘consent fatigue’.

This extract can be found on the ICO website in the last paragraph of the section titled “What are the benefits of choosing legitimate interests?”

Why ask people to refresh their consent?

Good question! There are two reasons why you may choose to do so.

  • The first is where you want to change your legal basis from legitimate interest to consent. If you rely on legitimate interest as your legal basis then you take on extra responsibility for ensuring people’s rights and interests are fully considered and protected. As the onus is on you to ensure – and demonstrate – that your interests are balanced against those of the individual, consent may be the easier option. In addition, it may be easier to manage your email marketing if you have just one list where your legal basis is consent.
  • The second reason may be where you already have consent, but you want to update and ‘clean’ your database.

Are there any pitfalls?

Yes. If you run a campaign asking people to re-consent and they do not, then you will need to remove them from your database. This is a risky approach because many people who would potentially be happy to continue engaging with you may simply miss your email, forget to reply or decide they don’t have time to go through the process of re-consenting. In addition, you risk annoying people by sending them an email which is (i) not strictly necessary and (ii) going to take up their time if they want to remain on your email marketing list.

Can everyone use legitimate interest as their legal basis for email marketing?

No. Legitimate interest is only appropriate for email marketing in two circumstances as highlighted in the table below (source: ICO website).

[Table showing when legitimate interest is appropriate for different marketing activities]

Source: ICO website

The first scenario is where you have previously gained consent which was compliant under the Data Protection Act and PECR (Privacy and Electronic Communications Regulations) but is not compliant under the higher GDPR standard of consent. This type of consent is frequently referred to as ‘soft opt-in’ consent.

The second scenario is where you are emailing business contacts and you can satisfy the three-part test.

If you do choose to use legitimate interest as your legal basis for email marketing, then you must (in each and every marketing email) make it clear how you obtained their personal data (in email campaign tools such as MailChimp, this is referred to as your List Description) and how they can easily opt out of receiving future marketing emails (e.g. by clicking an unsubscribe link).

Using re-permissioning campaigns to update and ‘clean’ your database

As highlighted above, re-permissioning campaigns that only seek to refresh consent are likely to be either unlawful or unnecessary.

However, there are some situations where a re-permissioning campaign might be useful and appropriate to help you comply with keeping only what is necessary, in terms of personal data, and to facilitate implementing your data retention policies. Re-permissioning campaigns should not be sent to everyone; only to those people who you know have not been engaging with you.

Whilst re-permissioning campaigns can be used to help keep personal data up-to-date, a softer approach is recommended whereby you provide gentle prompts or reminders and make it easy for people to update their preferences during their normal engagement and communications with you. For example, ask people to check the accuracy of their data when using pre-filled forms and always provide links in marketing emails so that they can update their preferences easily.

Takeaways

  1. Don’t rely on what other people are doing (including the big companies). Whatever you do, be sure that you are doing it for the right reasons and that it is legal.
  2. If in doubt, refer to the ICO’s guidance to help you to decide what is right for your business.
  3. If you are still unsure about what to do or how to comply, then our team of specialists are here to help with training, consultancy and implementation. Get in touch for a FREE initial consultation.
