Towards LGPD and Beyond – Legal Bases for Email Marketing

Brazil’s new Lei Geral de Proteção de Dados (LGPD) data protection legislation is now less than 12 months away, becoming effective in August 2020. While it is a near carbon copy of Europe’s General Data Protection Regulation (GDPR), there are subtle differences:

Source: IAPP – GDPR matchup: Brazil’s General Data Protection Law (full version here)

For Brazilian marketers, as in Europe, a major decision will be whether to rely on Consent or Legitimate Interest as the legal basis for marketing communications. LGPD does not directly reference email, and more specific legislation (like Europe’s ePrivacy laws) does not currently exist. The Brazilian Code of Conduct for Email Marketing recommends using Consent, but acknowledges a soft opt-in can exist where an existing commercial or social interest can be demonstrated (effectively Legitimate Interest).

In Europe, the preference was to rely on Legitimate Interest if possible, because of the reduced impact on list churn. This required a Legitimate Interest Assessment (LIA), where this basis is tested for purpose, necessity, and balance. Where senders could not demonstrate Legitimate Interest, Consent was then required as the legal basis. Some senders took a so-called “blended” approach, applying a combination of both.

GDPR was seen by some as a great opportunity for marketers to build stronger relationships with their customers. Marketo produced a report categorizing GDPR compliance as “legal first” or “marketing first” and showing the latter are more likely to achieve business objectives. A great example came from insurance provider Homeserve, which is now seeing better engagement, fewer complaints, and saving money too! This year’s DMA Marketer Email Tracker report showed across-the-board uplifts in deliverability, opens, clicks, conversions, and ROI!

A combination of more robust consent, clearer setting of expectations, and greater provision of choice means there are now higher levels of trust between consumers and brands. They are providing better quality data, making them more engaged and likely to transact.

So Brazilian marketers can feel positive about LGPD, but whichever approach they take the way their new subscribers are acquired will need to reflect the new law’s requirements. We’ll look at some great examples of how their European counterparts achieved this.

1. Straight Talking

GDPR defined consent as follows:

“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”

The British Broadcasting Corporation (BBC) was widely praised for meeting these requirements with its clear and informative sign-up process:

Note the following:

  • Consent is for the email channel only (granular)
  • Consent is separate from terms and conditions and the privacy policy (unbundled)
  • The text is specifically about BBC programs and online (named)
  • The “Yes please” button must be clicked to provide consent (active opt-in)
  • Consent can be easily withdrawn (unsubscribe at any time)

Also note the “layered” approach—instead of providing all information at point of sign-up, the BBC uses drop-down boxes to provide more information.

2. Make Mine a Double!

In Europe, there was debate around whether all programs would need to implement double opt-in (DOI). This was in response to the requirement to record consent—keeping a record of when and how the consent was obtained, and exactly what individuals were told at the time. Many practitioners felt double opt-in would be the only water-tight means of establishing this, but ICO guidance simply says, “you must have an effective audit trail of how and when consent was given.”

That said, the new legislation does place a premium on obtaining accurate data. Double opt-in ensures only valid address owners can sign up, and it also proves there is a genuine interest in signing up. For sensitive personal data (ethnicity, religious beliefs, etc.) double opt-in also satisfies the additional requirement for explicit consent.

There is also a favorable argument for DOI when it comes to return on investment. Litmus reported programs using double opt-in achieve an average ROI of 45:1 compared with 40:1 for single opt-in.

Source: Litmus – 2018 State of Email Analytics
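The “effective audit trail” the ICO guidance asks for, combined with the double opt-in step described above, can be modelled in a few dozen lines. The following is an added illustration, not code from this post or from any vendor named here: every value in it (the signing key, the consent wording and its version label, the addresses and timestamps) is constructed for the demo. It stores which channel the consent covers, the exact text the subscriber saw, how and when the request arrived, and then only marks the address as mailable once the mailbox owner presents a signed, unexpired confirmation token; withdrawal is recorded in the same trail.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed demo values. In production the key comes from a secrets manager and
# the consent wording is versioned in the CMS so "what they were told" is reproducible.
SECRET_KEY = b"constructed-demo-key-not-for-production"
CONFIRM_TTL = timedelta(hours=48)            # confirmation links stop working after this
CONSENT_TEXT_VERSION = "email-signup-v3"     # hypothetical label for the wording below
CONSENT_TEXT = "Yes please: email me about new programmes. Unsubscribe at any time."


@dataclass
class ConsentRecord:
    email: str
    channel: str                      # granular: this consent covers email only
    text_version: str                 # which wording the subscriber saw
    text_shown: str                   # the wording itself, kept verbatim
    source: str                       # how consent was obtained (web form, e-receipt, ...)
    events: List[dict] = field(default_factory=list)  # append-only audit trail
    confirmed_at: Optional[str] = None
    withdrawn_at: Optional[str] = None

    def log(self, action: str, at: datetime, **extra) -> None:
        self.events.append({"action": action, "at": at.isoformat(), **extra})


Store = Dict[str, ConsentRecord]


def _signature(email: str, issued: int) -> str:
    # HMAC over address + issue time: the link cannot be forged or reused for another address.
    return hmac.new(SECRET_KEY, f"{email}|{issued}".encode(), hashlib.sha256).hexdigest()


def request_signup(store: Store, email: str, source: str, now: datetime) -> str:
    """First opt-in step: record the unconfirmed request, return the confirmation-link token."""
    rec = ConsentRecord(email, "email", CONSENT_TEXT_VERSION, CONSENT_TEXT, source)
    rec.log("requested", now, source=source)
    store[email] = rec
    issued = int(now.timestamp())
    return f"{issued}.{_signature(email, issued)}"


def confirm_signup(store: Store, email: str, token: str, now: datetime) -> bool:
    """Second opt-in step: only the real mailbox owner can present a valid, unexpired token."""
    rec = store.get(email)
    if rec is None:
        return False
    try:
        issued_str, sig = token.split(".", 1)
        issued = int(issued_str)
    except ValueError:
        rec.log("confirm_rejected", now, reason="malformed")
        return False
    if not hmac.compare_digest(sig, _signature(email, issued)):
        rec.log("confirm_rejected", now, reason="bad_signature")
        return False
    if now - datetime.fromtimestamp(issued, timezone.utc) > CONFIRM_TTL:
        rec.log("confirm_rejected", now, reason="expired")
        return False
    rec.confirmed_at = now.isoformat()
    rec.log("confirmed", now)
    return True


def withdraw(store: Store, email: str, now: datetime, via: str) -> None:
    """Withdrawal is as easy as giving consent and is logged in the same trail."""
    rec = store.get(email)
    if rec is not None and rec.withdrawn_at is None:
        rec.withdrawn_at = now.isoformat()
        rec.log("withdrawn", now, via=via)


def may_email(store: Store, email: str) -> bool:
    """Send only on confirmed, non-withdrawn consent; unconfirmed requests never get mail."""
    rec = store.get(email)
    return rec is not None and rec.confirmed_at is not None and rec.withdrawn_at is None


def run_demo() -> dict:
    """Constructed walk-through of one subscriber; returns the outcomes of each check."""
    store: Store = {}
    addr = "alice@example.com"                         # constructed address
    t0 = datetime(2020, 8, 1, 9, 0, tzinfo=timezone.utc)
    token = request_signup(store, addr, "web-signup-form", t0)
    tampered = token[:-1] + ("0" if token[-1] != "0" else "1")
    results = {"unconfirmed_blocked": not may_email(store, addr)}
    results["tampered_rejected"] = not confirm_signup(store, addr, tampered, t0)
    results["expired_rejected"] = not confirm_signup(store, addr, token, t0 + timedelta(hours=49))
    results["valid_confirmed"] = confirm_signup(store, addr, token, t0 + timedelta(hours=1))
    results["confirmed_allowed"] = may_email(store, addr)
    withdraw(store, addr, t0 + timedelta(days=30), via="unsubscribe-link")
    results["withdrawn_blocked"] = not may_email(store, addr)
    results["audit_actions"] = [e["action"] for e in store[addr].events]
    return results
```

The point of keeping the rejected confirmation attempts in the trail, rather than only the successful one, is that the record then answers both questions a regulator might ask: when and how consent was given, and what was shown at the time, with the text version pinned so a later wording change cannot silently rewrite history.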

3. Make a Decision

Some senders decided to “force” a consent decision—“Yes please” or “No thanks”—as these Sainsbury’s examples illustrate:

The rationale is that human beings are naturally lazy! When a box is unchecked, the easiest thing is to leave it that way. Providing a “Yes please/No thanks” decision means one option has to be selected. While there will be opt-outs, this approach also increased the number of opt-ins. For more insights read this excellent report from Holistic Email Marketing/Pure360.

4. Legitimate Interest

Relying on Legitimate Interest (soft opt-in) still requires providing data subjects with the opportunity to object to having their personal data processed—at the point it is acquired, as well as in all future communications. In this example from Currys, new customers can opt out before the purchase is completed.

Currys also provides another good example of “layering” where customers can click on the icon to learn more about how they will benefit.

Also ensure other points where personal data is captured are equally robust. DMA research shows 4 in 10 programs now acquire email addresses instore, often when customers are asked if they want an e-receipt. The same rules apply, and point of sale operators require training to ensure customers are given the opportunity to opt-out, and that this is recorded. See my previous DMA article for more reading on this topic.

5. Cookies

A core objective for most email programs is driving traffic to their websites, so marketers must also consider their use of cookies. These are useful because they allow a website to recognize a user’s devices and their previous browsing behavior, but it means the processing of personal data is often involved. As a result, website owners must seek consent from data subjects before cookies are used:

Note the clear explanation around the reason for the cookies, how they will be used, and the granularity that allows users to choose which cookies they are happy with. In addition, a layered approach is taken so users can find out more about each cookie type.

Many programs have also introduced a standalone cookie policy—separate from the privacy policy—as we saw with the earlier BBC example.

This post has highlighted considerations for acquiring new subscribers in a way that meets both the letter and the spirit of the new laws. In the next part of this series, we’ll look at the challenges of informing existing subscribers that the way their personal data is being used will change, and we’ll also highlight some of the biggest mistakes European senders made!