Alexander Business Law Solutions


Marketing Your Business Under GDPR

One of the more frequent questions we get asked at Alexander Business & Law Solutions relates to marketing. There can be confusion around the regulations affecting marketing and data processing and that is hardly surprising! 


As we are all aware now, the General Data Policy Regulations (GDPR) created higher standards for consent for businesses processing and sharing personal data of EU data subjects.

When processing personal data under the GDPR, consent must be freely given, specific, informed, and unambiguous. 


There is more, because the GDPR requires positive opt-in by the user, forcing them to manually “check/click” opt-in boxes or give some other positive affirmation. This removes the potential for “implied consent” where, in the past, the consent box was already “checked/clicked” for users; under that practice the user gave “implied consent” unless the box was manually “unchecked” (withdrawing their consent). This won’t run any longer.


At Alexander Business & Law Solutions we often find that people confuse two separate things. While the GDPR governs the processing and sharing of personal data, a second set of regulations has already been regulating electronic direct marketing (EDM) since 2003. The Privacy and Electronic Communications Regulations (PECR) sets rules that businesses must follow when sending EDM. As a result, when organisations process personal data for use in EDM campaigns, there must be compliance with both the GDPR and PECR.


We find that businesses are now confused as to where they stand even though PECR has been around since 2003. So here is the key fundamental to direct marketing: 


The marketing material must be directed to a specific person. Any form of indiscriminate blanket advertising (e.g. leaflets, advertisements shown to every viewer of a website, etc.) will not fall within the definition of direct marketing and will not be subject to these regulations.


This is what PECR regulates:

  • Direct marketing by electronic means (e.g. phone calls, texts, emails, fax);
  • The use of cookies or technology which tracks information regarding users’ online history and website access;
  • Security of public electronic communications services; and
  • Privacy of customers using communications networks or services regarding traffic and location data, itemized billing, line identification services, and directory listings.

In general, the PECR will apply the new GDPR standard of consent. This means that, as mentioned above, consent requires positive affirmative action or opt-in, removing the ability of businesses and organisations to pre-check their consent communications.


Also, consent under the new GDPR requires a “granular” approach. This means that consent statements must clearly set out the distinct processing operations, asking for users to agree to each individual operation. This granular approach also requires consent to be separate from other terms and conditions and cannot be included as a precondition of signing up for a particular service. 


We are often asked to draw up bespoke Privacy Policies and also review and update Terms and Conditions. They must be kept separate and not be combined as a lot of businesses think (quite rightly) that there is too much “legalese.” We are in favour of keeping the writing to a minimum, but some things must be set out in order to “inform”.

 
Lastly, with every EDM communication, users must be given the ability to withdraw their consent and provided with an easy means to do so. They must therefore be told that they can unsubscribe and told how.


When managing consent, especially in the context of EDM, recordkeeping of when and how consent is obtained is critical. It is also important to record exactly what was said to the user when consent was obtained. Whilst the PECR does allow for a “Soft Opt-in”, unless you can show by producing records that users were informed of their right to unsubscribe at the beginning and on all subsequent occasions, and also that they consented at the beginning to be sent marketing materials, businesses should refresh the consent.


Refreshing valid consent is also necessary given that the duration of the consent is often unclear in a number of circumstances. Managing consent under the GDPR and PECR is difficult, but the checklist from the ICO (Information Commissioner’s Office), which we set out below, is helpful to keep organisations’ consent procedures fresh:


  • Regularly review consents to check that the relationship, the processing, and the purposes have not changed.
  • Have processes in place to refresh consent at appropriate intervals, including any parental consents.
  • Consider using privacy dashboards or other preference-management tools as a matter of good practice.
  • Make it easy for individuals to withdraw their consent at any time and publicise how to do so.
  • Act on withdrawals of consent as soon as possible.
  • Don’t penalise individuals who wish to withdraw consent.

Consent is the cornerstone of the GDPR and PECR. While each governs different aspects and transmissions of data, both sets of regulations apply to certain situations. It is important for businesses to stay alert to these laws and the changes made to them.


The PECR will be undergoing changes to fall in line with the new GDPR at some point in the future; the Regulations are being worked on now. Something to look forward to!


The new EU ePrivacy Regulation (ePR) will be revealed and implemented in 2019. With limited discussion surrounding the specifics of the new ePR, it is unclear what changes will be made and how such changes will tie into the GDPR. For now, the PECR is still the applicable law.


For updates and advice stay tuned to Alexander Business & Law Solutions

Copyright © 2024 Alexander Business  Law Solutions - All Rights Reserved.
