With just under two months before 25th May, consumers are seeing a plethora of re-permissioning emails hit their inboxes. Some work (very well), others downright fail.
In this article our General Counsel, Julian Palmer, considers what it takes to make sure your re-permissioning campaign (to send future marketing campaigns) works first time.
Any good business knows who its best customers are, how often they interact and the amounts they spend. At the other extreme, the business will almost certainly have a group of customers for whom it is not sure where the contact details came from.
You could consider categorising your customers as demonstrated in the table below, or via some other classification. The aim is to grade the quality of the consent that the customer gave – you should have already considered whether you need consent in the first place in sending marketing emails.
There will be a natural anxiety about deleting data, but you have to consider that you may well be in breach of the current laws if you continue to hold it. The current directive on ePrivacy makes it clear that consent is required to send unsolicited marketing emails (except in one case, which I discuss in our No Nonsense Guide to GDPR). Consent is defined as “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.”
You have to have the mind-set that you may be asked to prove you have consent.
Let’s just take that last point first. Recital 171 says:
“Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation, so as to allow the controller to continue such processing after the date of application of this Regulation.”
Read very narrowly, this recital (an official comment on the Regulation, but not the law itself) could be saying that only the mechanism by which a person gives consent has to be in line with the requirements of GDPR, i.e. the indication by the customer – through, perhaps, checking a box or providing an email address. Is that what is meant by “the manner”? Most legal commentators have construed the term more widely, in the context of retail, taking the view that since there is prescribed information that must be brought to the attention of the customer at the first point of collecting the customer’s data, any past consent – even from ‘platinum’ customers – needs re-permissioning.
Once you have decided which groups of customers you are going to take forward for re-permissioning, you should then look at their interactivity with your business and your marketing. Basic granularity is, probably, as simple as classifying your customers as follows:
Again, what you are working through is deciding whether a person – even one who has previously bought from you – has had periods of interactivity.
Once you have worked through this classification, best practice (i.e. least risky) is to undertake a phased re-permissioning campaign starting with, in this case, platinum + opens emails and regularly buys.
Much of the purpose of the foregoing processing is to ensure that if you go for a re-permissioning campaign you do not fall foul of the current law as happened with Honda and Flybe, resulting in fines of £13,000 and £70,000 respectively.
You will get one crack at getting re-consent. Customers are simply not going to keep giving consent. It has long been recognised that there is consent fatigue amongst consumers – just look how most customers handle cookie consent.
A central plank of GDPR (and the current laws on data protection) is that individuals are told what information is collected, the lawful ground for processing, the rights of individuals under GDPR, the data protection authority that individuals can complain to, along with details of who the retailer shares data with and whether the data is processed outside of the EEA (i.e. outside of the EU, Iceland, Liechtenstein and Norway).
Examples that go a long way to offering the type of information and clarity that is required by GDPR include:
What each of these policies does well – especially ASOS and Jimmy Choo – is set out its terms in an easy-to-read style. In the case of ASOS it reinforces the message that what the customer tells ASOS is ultimately controlled by the customer. It is quite an ambitious message, because GDPR does not give individuals many absolute rights – some are balanced against the needs of the retailer to comply with national laws, for instance. Nevertheless, the essential requirements of a well-written privacy policy (under GDPR) have been covered off, namely they have addressed the following questions:
In writing your policies, you should:
So now that you have seen a few good examples – and there are bound to be others in the coming weeks and months – you might be thinking that you can just rip the best of them off by replacing their business and contact details with yours. Privacy policies, cookie policies and terms and conditions are, like many documents, subject to copyright law. There are civil and criminal penalties for infringement.
What do you do if you cannot copy someone else’s policy and you do not want to see a lawyer? You have a couple of options. We don’t make any warranties as to the quality of these documents and it will be for you to come to your own decision on whether to use them or not, but you can find privacy policies that have been written to take into account GDPR at:
The templates come with guidance and also a level of legal support.
An alternative that we have found is a firm in Germany offering this platform, which is quite good because it generates the policy from a series of questions. The policies are generated in English (or German).
The point to recognise when using such options, though, is that you are expending management time on creating your documentation, which may be better spent on retail marketing and sales.
And finally, just a word of warning….
If you are going to be gushing about how you care about customer privacy and security, bear in mind that such sentiments will come back and haunt you if you have a data breach and a class action subsequently follows.
The last thing you want to do is send out a re-permissioning email that is wrong, so the essential elements are:
… It is just such a shame the link to the privacy policy (at the time of publication, at least) is to a policy written to comply with current data protection laws and not GDPR. So, for instance, can the reader really say ‘Yes please’ to future profiling when there is no meaningful description in the privacy policy about the logic behind the profiling as required by GDPR?
Use your website. You could follow the likes of Manchester United and approach re-permissioning through alternatives to sending out emails. How about landing page pop-ups, retargeted advertising and even good-old-fashioned snail mail warning that from 25th May your great email messages will not be landing in customers’ inboxes as before?