In our recent phenomenally successful webinar The Path to GDPR: Ask the Experts from Return Path we received a load of questions from both the webinar sign-ups, as well as during the webinar itself. We tried our best to answer as many of them while we were on air but in the end we just ran out of time. There were some really great questions too, so we’ve written up our responses to the questions we were unable to answer into three different categories. In this first post, we will tackle the questions around consent and legitimate interest. We have also provided a load of links so you can read more expert content from the Information Commissioner’s Office (ICO), the Direct Marketing Association (DMA), and of course ourselves (Return Path).
But first—a quick disclaimer!
The materials appearing in this article do not constitute legal advice from Return Path, any of the associations we are members and or reference materials from, and are provided for general information purposes only. It is recommended that you contact your general or legal counsel.
What is the minimum information we would need to have from our customers to comply?
The minimum you would need to ask for would be a physical address to truly know whether the customer falls under GDPR’s residency/nationality requirements. A simple drop-down will do, and you will also want to log the IP address, date, time, and time zone of the opt-in as well. However, using the GDPR process across all your clients will make it easier for you to ensure proper privacy practices, and also ensure that at a minimum you’ve set the bar well for other countries, which also tend to create privacy regulations modeled after the EU.
How granular do the options need to be for a UK prospect to opt-in to email marketing? Can marketing email consent include offers for content downloads in addition webinar invitations?
This level of granularity would probably exceed what is being required by GDPR, but it would be best practice (you will notice we took this approach with the webinar sign-up form!). For this, and some of the answers that follow, we also recommend referencing the Consent Guidance that the ICO has published.
How will customers’ agreement have to be managed for email, SMS, postal, profiling, etc.? One checkbox for each?
Yes—this falls under the requirement for consent to be granular and unbundled.
Do we have to unbundle separate social networks consents?
Do we need to implement the double opt-in to be GDPR compliant?
It is a good idea, but double opt-in is not mandatory under the GDPR. The important thing is that you are able to demonstrate proof that consent was obtained.
Do we need to develop specific functions on our email platform to be GDPR compliant? For example, do we need to be able to export encrypted data from our platform?
Yes, this is all about the way you capture your data. You need to ensure your process meets all GDPR requirements (granular, unbundled, explicit, etc.) and you should be requesting country/location data.
Another good practice would be to also use strong validation by including an unticked box and action button for a clear confirmation. This should then be followed by a welcome email.
Another point is that GDPR separates the responsibilities and duties of data controllers and processors, obligating controllers to engage only those processors that provide “sufficient guarantees to implement appropriate technical and organizational measures” to meet the GDPR’s requirements and protect data subjects’ rights. Processors must also take all measures required by Article 32, which delineates the GDPR’s “security of processing” standards. So, yes: creating a way to encrypt data while exporting it is a requirement.
We have been sending mailers to our customers (who have been using our products) to opt-in, however, we have not received many opt-ins so far. What can we do to avoid losing this data?
If you are mailing to customers who have purchased your products then you meet the soft opt-in definition:
You may send or instigate the sending of electronic mail for marketing purposes to an individual subscriber where: you have obtained the contact details of the recipient in the course of a sale or negotiations for the sale of a product or service to that recipient; the direct marketing material you are sending relates to your similar products and services only; and the recipient was given a simple means of refusing (free of charge except for the cost of transmission) the use of their contact details for marketing purposes when those details were initially collected and, if they did not refuse the use of those details, at the time of each subsequent communication.
The ICO also recently published the following as part of its legitimate interest guidance:
You can rely on legitimate interests for marketing activities if you can show that how you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object – but only if you don’t need consent under PECR.
Note this still means you will need to meet the Legitimate Interest tests: purpose; necessity; balance. This answer may also change when ePrivacy becomes effective.
In the past, we have provided a soft opt-in option on our website for all marketing communication channels (i.e., “if you do not want to receive marketing communications, please tick the box.”) Can an existing customer that has not opted out based on the above statement, continue to be sent marketing communications (email, phone, postal) under GDPR? What evidence do we need to show that they have not opted out?
We need to break this question out into several parts:
1) if by “soft opt-in” you mean “passive opt-in” i.e. the consent box was pre-checked, you will in all likelihood need to re-permission these subscribers to meet the higher standard for consent required by GDPR.
2) if by “soft opt-in” you mean the details were acquired in the course of a sale, this will meet the Legitimate Interest definition (for now) and this was confirmed by the new guidance published by the ICO a few days ago.
3) in terms of “evidence,” this is exactly why GDPR requires active opt-in to prove that consent has been acquired. The absence of an action does not constitute proof.
If a customer purchases a policy and is added to a newsletter list, can we continue to send under legitimate interest? The newsletter is about the product only.
As per the previous two responses, latest ICO guidance suggests that soft opt-in equates with legitimate interest. Senders will still need to be able to demonstrate that they meet the legitimate interest tests in order to be able to rely on this basis for processing personal data.
Can we qualify legitimate interest based on email interaction? What would you consider a solid timeframe to judge if someone is still active (i.e., 0 – 12 months?) Is it ok to count a click in a panel in an email (e.g., a repermissioning panel) as consent or should there be a subsequent link on a dedicated page?
GDPR states that personal data should not be held for any longer than it is needed. How long this may be is not explicitly defined, but would almost certainly not exceed the sender’s trading cycle (e.g. it might be longer for a company offering global cruises than it would be for a pizza delivery company). It would be a real stretch to equate legitimate interest with email activity. Over and above GDPR, there are also email best practice considerations. Mailbox providers are going to start punishing your deliverability if you are sending to addresses that have been inactive for 12 months.
Is it necessary to store the form where the consent comes from to comply with Article 7.1? If yes, is it necessary to take a screenshot of the form at the moment the subscriber posts the form, or is it enough to have, for example, a PDF of the webpage saved when the form is put online?
It is not necessary to do that, but keeping as much evidence as you can helps. Most people will keep things like the email address, date, time, time zone, and IP address of sign-ups. Beyond that, we’d recommend keeping a single copy of the form, in whatever format you believe you need (PDF or otherwise), together with the date and time of when it was launched or changed. You can reference it in the CRM where the client’s opt-in proof is also kept. That way you are not keeping a copy of every single form submission, just a single copy with a notation of who used it and when.
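The record-keeping described above and in the earlier answer on minimum information (address, date, time, time zone, IP, plus a single dated copy of each form version) can be made concrete. The following is an added example, not Return Path’s or the ICO’s code: a small consent-evidence store in which each opt-in references one archived copy of the form version that was live at the time, and only checkboxes the subscriber actively ticked are recorded. The form ids, archive paths, and the sample sign-up are constructed for illustration.

```python
"""Added example (not Return Path's or the ICO's code): a minimal consent-evidence
store. Per opt-in it keeps the address, a UTC timestamp, the subscriber's time zone,
IP and country, plus a reference to ONE archived copy of the form version that was
live at the time, rather than a screenshot per submission. Form ids, paths and the
sample sign-up in demo_store() are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple
import hashlib


@dataclass(frozen=True)
class FormVersion:
    form_id: str            # new id whenever the wording changes (constructed)
    launched_at: datetime   # when this wording went live (UTC)
    snapshot_path: str      # where the PDF/HTML copy is archived (constructed)
    sha256: str             # digest of the archived copy, to show it is unchanged


@dataclass(frozen=True)
class ConsentRecord:
    email: str
    form_id: str
    purposes: Tuple[str, ...]   # only the unbundled purposes actively ticked
    captured_at: datetime       # normalised to UTC
    local_tz: str               # time zone as submitted, e.g. "Europe/London"
    ip_address: str
    country: str


class ConsentStore:
    def __init__(self) -> None:
        self._forms: Dict[str, FormVersion] = {}
        self._records: List[ConsentRecord] = []

    def register_form(self, form_id: str, launched_at: datetime,
                      snapshot_path: str, content: bytes) -> FormVersion:
        # One archived copy per form version, identified by id and digest.
        if form_id in self._forms:
            raise ValueError(f"{form_id} already registered; use a new id when wording changes")
        fv = FormVersion(form_id, launched_at.astimezone(timezone.utc),
                         snapshot_path, hashlib.sha256(content).hexdigest())
        self._forms[form_id] = fv
        return fv

    def record(self, email: str, form_id: str, ticked: Dict[str, bool],
               captured_at: datetime, local_tz: str, ip_address: str,
               country: str) -> ConsentRecord:
        """ticked maps each separate checkbox to whether the subscriber checked it.
        An unticked box is simply absent from the record: the absence of an action
        is not evidence of consent."""
        form = self._forms.get(form_id)
        if form is None:
            raise ValueError(f"unknown form version {form_id}")
        if captured_at.tzinfo is None:
            raise ValueError("captured_at must be time zone aware")
        captured_utc = captured_at.astimezone(timezone.utc)
        if captured_utc < form.launched_at:
            raise ValueError("form version was not live at the time of capture")
        purposes = tuple(sorted(p for p, on in ticked.items() if on))
        if not purposes:
            raise ValueError("nothing ticked: there is no consent to record")
        rec = ConsentRecord(email.strip().lower(), form_id, purposes, captured_utc,
                            local_tz, ip_address, country)
        self._records.append(rec)
        return rec

    def has_consent(self, email: str, purpose: str) -> bool:
        key = email.strip().lower()
        return any(r.email == key and purpose in r.purposes for r in self._records)

    def evidence(self, email: str, purpose: str) -> Optional[dict]:
        """What you would produce to demonstrate the opt-in for one purpose: the
        newest matching record and the archived form copy it was given on."""
        key = email.strip().lower()
        matches = [r for r in self._records if r.email == key and purpose in r.purposes]
        if not matches:
            return None
        rec = max(matches, key=lambda r: r.captured_at)
        form = self._forms[rec.form_id]
        return {
            "email": rec.email, "purpose": purpose,
            "captured_at_utc": rec.captured_at.isoformat(), "local_tz": rec.local_tz,
            "ip_address": rec.ip_address, "country": rec.country,
            "form_id": form.form_id, "form_snapshot": form.snapshot_path,
            "form_sha256": form.sha256, "form_launched_at_utc": form.launched_at.isoformat(),
        }


def demo_store() -> ConsentStore:
    # Constructed sample data: one form version and one sign-up with two boxes,
    # of which only the email box was ticked.
    store = ConsentStore()
    store.register_form("newsletter-signup-v3",
                        datetime(2018, 3, 1, 9, 0, tzinfo=timezone.utc),
                        "archive/forms/newsletter-signup-v3.pdf",
                        b"<form>Receive email [ ]  Receive SMS [ ]</form>")
    store.record("Alice.Example@example.com", "newsletter-signup-v3",
                 {"email_marketing": True, "sms_marketing": False},
                 datetime(2018, 4, 12, 14, 30, tzinfo=timezone.utc),
                 "Europe/London", "203.0.113.7", "GB")
    return store


if __name__ == "__main__":
    print(demo_store().evidence("alice.example@example.com", "email_marketing"))
```

The digest over the archived form lets you show later that the copy referenced by a record is the one the subscriber actually saw; registering a new form id whenever the wording changes is what makes “who used it and when” answerable from the records alone.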
If someone is entering their details into a form to specifically sign up to receive emails from that company, is pressing submit on that form conforming to the GDPR’s consent requirements? We would include copy on the form about what kinds of emails the user could expect to receive, potentially with two tickboxes that would opt them into the two different subjects of our business. If we pre-ticked these boxes does that adhere to GDPR? We would also send them a follow up getting them to confirm their email address after they have submitted the form.
ICO guidance states:
Our interpretation is that you can’t only use a “click here” button because of the requirement for consent to be unbundled. The opt-in boxes need to be un-checked.
We are mostly concerned about efficiently collecting the user agreement and how this agreement can be mutualized for different products (if you agree to receive the offer A and its partner, then you’ll receive B as well)
This feels like a scenario where there is potentially an intention to share the personal data with other parties. That being the case: consent must be unbundled and each third party needs to be explicitly named.
What is your advice on creating a suppression list?
If your business has email marketing software, especially if this is separate from your web shop/blog/CRM, you are probably relying on a blacklist/suppression list to make sure that when someone unsubscribes they are not accidentally re-subscribed (by re-synchronizing your databases, for example). The ICO Direct Marketing Guidance (Version 2.2, 19th May 2016) states:
Organisations should maintain a ‘suppression list’ of people who have opted out or otherwise told that organization directly that they do not want to receive marketing. Note that individuals may ask an organization to remove or delete their details from a database or marketing list.
However, in most cases, organizations should instead follow the marketing industry practice of suppressing their details. Rather than deleting an individual’s details entirely, suppression involves retaining just enough information to ensure that their preferences are respected in the future.
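The suppression-list practice above, including the re-synchronization failure mode mentioned in the question, can be shown in code. The following is an added example, not Return Path’s or the ICO’s code: the suppression list stores only a salted hash of the normalised address plus when and why it was suppressed (“just enough information to ensure that their preferences are respected”), and the sync step rebuilds the mailing list from a CRM export while refusing to re-add anyone suppressed. The addresses and the salt are constructed sample data.

```python
"""Added example (not Return Path's or the ICO's code): a suppression list that keeps
only a salted hash of the address plus when/why it was suppressed, and a sync step
that applies it so a full re-sync from the web shop/CRM cannot re-subscribe someone
who opted out. Addresses and the salt below are constructed sample data."""
import hashlib
from datetime import datetime, timezone
from typing import Dict, Iterable, Optional


def normalise(email: str) -> str:
    # Case or surrounding whitespace must not let a suppressed address slip back in.
    return email.strip().lower()


class SuppressionList:
    """Retains enough to honour the opt-out (hashed address, reason, date), not the
    full contact record, so it can outlive deletion of the person's other details."""

    def __init__(self, salt: bytes) -> None:
        self._salt = salt
        self._entries: Dict[str, dict] = {}

    def _key(self, email: str) -> str:
        return hashlib.sha256(self._salt + normalise(email).encode("utf-8")).hexdigest()

    def suppress(self, email: str, reason: str, when: Optional[datetime] = None) -> None:
        when = when or datetime.now(timezone.utc)
        # setdefault keeps the original opt-out date if the same address is suppressed again
        self._entries.setdefault(self._key(email), {"reason": reason, "since": when.isoformat()})

    def is_suppressed(self, email: str) -> bool:
        return self._key(email) in self._entries

    def __len__(self) -> int:
        return len(self._entries)


def unsubscribe(mailing: Dict[str, dict], suppression: SuppressionList,
                email: str, reason: str) -> Dict[str, dict]:
    """Remove the full contact record from the mailing list and add the address to
    the suppression list in one step, so the two never disagree."""
    addr = normalise(email)
    suppression.suppress(addr, reason)
    return {a: c for a, c in mailing.items() if a != addr}


def sync_mailing_list(crm_export: Iterable[dict],
                      suppression: SuppressionList) -> Dict[str, dict]:
    """Rebuild the mailing list from a CRM export, keyed by normalised address,
    dropping every suppressed contact however the CRM still has them flagged."""
    merged: Dict[str, dict] = {}
    for contact in crm_export:
        addr = normalise(contact["email"])
        if suppression.is_suppressed(addr):
            continue   # opted out: never re-added by a re-sync
        merged[addr] = contact
    return merged


# Constructed CRM export: the CRM still holds Bob as a customer after he unsubscribes.
CRM_EXPORT = [
    {"email": "alice@example.com", "name": "Alice", "customer": True},
    {"email": "Bob@Example.com", "name": "Bob", "customer": True},
    {"email": "carol@example.com", "name": "Carol", "customer": True},
]


def demo() -> dict:
    sup = SuppressionList(salt=b"constructed-demo-salt")
    mailing = sync_mailing_list(CRM_EXPORT, sup)           # initial list: 3 contacts
    mailing = unsubscribe(mailing, sup, " BOB@example.com ", "unsubscribe link")
    resynced = sync_mailing_list(CRM_EXPORT, sup)          # later full re-sync from CRM
    return {
        "after_unsubscribe": sorted(mailing),
        "after_resync": sorted(resynced),
        "suppressed_count": len(sup),
        "bob_suppressed": sup.is_suppressed("bob@example.com"),
    }


if __name__ == "__main__":
    print(demo())
```

Hashing the address with a per-deployment salt keeps the suppression file from doubling as a plain-text marketing list if it is ever copied around; the salt must stay constant, otherwise earlier entries can no longer be matched.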
I’d love to hear more about best practices, particularly in the area of soft consent, and whether it is necessary to have our contacts opt back in to our email distribution before GDPR. In the past, our customers have downloaded a brochure which then leads to a sale. Would you agree that this would constitute a sale or negotiation for a sale and that we would therefore not need to have these contacts opt back in? We’ve always given individuals the opportunity to refuse/opt out at the time we collected the e-mail information and in all future emails to these contacts.
We have already dealt with the relationship between soft opt-in and legitimate interest in the responses above. One additional point is that the most recent ICO guidance does appear to be tightening up the language around “negotiations for the sale of a product or service.”
Note that the ICO’s Direct Marketing Guidance document (this document has recently been updated to include specific guidance for GDPR) states:
The customer does not actually have to have bought anything to trigger the soft opt-in. It is enough if ‘negotiations for a sale’ took place. This means that the customer should have actively expressed an interest in buying an organization’s products or services – for example, by requesting a quote, or asking for more details of what it offers. There must be some sort of express communication.
We would probably agree that the situation you describe above meets this definition, but also remember that there is no set time limit for consent; how long it lasts will depend on the context.
While there is no firm definition of how long consent remains valid, you should apply the “reasonable man” test to your customers. If a typical customer would believe that their consent had expired after 24 months (for example), then you should certainly encourage all records on your list that exceed this threshold to opt in again.
In our next post, we respond to questions about re-permissioning. If you would like more information about GDPR you can browse our GDPR category on the blog or watch our recent webinar. And if you have questions of your own, feel free to leave them in the comment section below.