GDPR: Getting Re-Permissioning of Customer Consent Right First Time

With just under two months before 25th May, consumers are seeing a plethora of re-permissioning emails hit their inboxes. Some work (very well), others down right fail.

In this article our General Counsel, Julian Palmer, considers what it takes to make sure your re-permissioning campaign (to send future marketing campaigns) works first time.

Look at your data

Any good business knows who its best customers are, how often they interact and the amounts they spend. At the other extreme, the business may almost certainly have a group of customers that they are not sure where they got the contact details from.

You could consider categorising your customers as demonstrated in the table below, or via some other classification. The aim is to grade the quality of the consent that the customer gave – you should have already considered whether you need consent in the first place in sending marketing emails.

There will be a natural anxiety about deleting data, but you have to consider that you may well be in breach of the current laws if you continue to hold it. The current directive on ePrivacy makes it clear that consent is required to send unsolicited marketing emails (except in one case, which I discuss in our No Nonsense Guide to GDPR) . Consent being “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.”

You have to have the mind-set that you may be asked to prove you have consent.

• It follows that if you have no idea where you got [email protected] from, you should stop processing that address, irrespective of the fact that you know that she opens your emails and has not marked them in her inbox as junk.
• It also follows that you cannot send unsolicited marketing emails to someone who, for example, has given you his/her email address simply for you to email to them the receipt of their in-store purchase. Clearly, you had consent to send the receipt, but not subsequent marketing emails.
• When it comes to email addresses that have been supplied by a third party, you will have to consider the quality of the warranty given when you bought the data, along with any supporting evidence of consent.
• GDPR makes it clear that consent given as part of the terms of the sale of goods or services is not consent that can be freely given. As a consequence you will have to obtain fresh consent before 25th May.
• GDPR has a wider definition of consent, meaning that pre-checked boxes are out from 25th May. This is because there has to be an ‘unambiguous indication’ of your customer’s consent and a pre-checked doesn’t give the necessary affirmative action.
• Even the ‘platinum’ customers may not necessarily be marketed to after 25th May!

Let’s just take that last point first. Recital 171 says:

“Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation, so as to allow the controller to continue such processing after the date of application of this Regulation.”

Read very narrowly, this recital (an official comment on the Regulation, but not the law itself), could be saying that only the mechanism by which a person gives consent has to be in line with the requirement of GDPR, i.e. the indication by the customer – through, perhaps, checking a box or providing an email address. Is that what is meant by “the manner”? Most legal commentators have construed the term more widely, in the context of retail, taking the view that since there is prescribed information that must be brought to the attention of the customer at the first point of collecting the customer’s data, any past consent – even from ‘platinum’ customers – needs re-permissioning.

Getting granular with your segments

Once you have decided which groups of customers you are going to take forward for re-permissioning, you should then look at their interactivity with your business and your marketing. Basic granularity is, probably, as simple as classifying your customers as follows:

• Opens emails and regularly buys
• Opens emails and infrequently buys
• Opens emails and clicks through to browse items
• Opens emails – no activity
• Receives email – no activity
  • No activity after 6 months
  • No activity after 12 months
  • No activity after 18 months

Again, what you are working through is deciding whether a person – even one who has previously bought from you – has had periods of interactivity.

Once you have worked through this classification, best practice (i.e. least risky) is to undertake a phased re-permissioning campaign starting with, in this case, platinum + opens emails and regularly buys.

Avoiding a penalty

Much of the purpose of the foregoing processing is to ensure that if you go for a re-permissioning campaign you do not fall foul of the current law as happened with Honda and Flybe, resulting in fines of £13,000 and £70,000 respectively.

Getting prepared for re-permissioning

You will get one crack at getting re-consent. Customers are simply not going to keep giving consent. It has long been recognised that there is consent fatigue amongst consumers – just look how most customers handle cookie consent.

• Consider what consents you want – email marketing, social media tracking, cookies.
• Write a well written privacy policy.
• Have a simple mechanism for obtain affirmative consent.
• Time stamp the consent – so that it can be linked to the privacy wording, cookies policy and any other terms you publish at the time of obtaining consent.

Writing a privacy policy

A central plank of GDPR (and the current laws on data protection) is that individuals are told what information is collected, the lawful ground for processing, the rights of individuals under GDPR, the data protection authority that individuals can complain to, along with details of who the retailer shares data with and whether the data is processed outside of the EEA (I.e. outside of the EU, Iceland, Lichtenstein and Norway).

Examples that go a long way to offering the type of information and clarity that is required by GDPR include:

• ASOS
• Jimmy Choo
• Laithwaites
• Moneysupermarket

What each of these policies do well – especially ASOS and Jimmy Choo – is set out their policies in an easy to read style. In the case of ASOS it enforces the message that what the customer tells ASOS is ultimately controlled by the customer. It is quite an ambitious message, because GDPR does not give individuals many absolute rights – some are balanced against the needs of the retailer to comply with national laws, for instance. Nevertheless, the essential requirements of a well written privacy policy (under GDPR) have been covered off, namely they have addressed the following questions:

• Who are we?
  • Company name
  • Registered address
  • Trading address
  • Contact email: data@ type address
• What type of data do we collect?
• Why do we need the data?
  • Ordering
  • Making the customer’s experience better – cookies, profiling
• What do we do with the data?
• How long will we keep the data?
  • Consider granularity
• Explanation of customer’s rights:
  • Correct the information we hold
  • Object to processing
  • Restrict processing
    • This will come down to how granular your use is
  • Erasing data
  • Porting it to third parties

In writing your policies, you should:

• Avoid legalese – your customers are not all lawyers. Of course, some words are going to be words of art – cookies, data controller, EEA for instance, but avoid horrible words such as “hereinafter” or “aforesaid”.
• When describing the type of information that you collect, don’t forget the types of data that is collected by your email marketing solution, such as Ometria – such as IP addresses, metadata and data added through profiling.
• Use short sentences, avoiding the passive voice and use bullet points when providing lists (see Jimmy Choo).
• Make sure that you future-proof your policy so that it covers the business’ future plans.
• Consider using a layered approach, with a short and simple statement highlighting the key points, behind which sit more detailed layers. One of the best examples – though from the States – is Proctor and Gamble, where you have a notice, which links through to a more detailed privacy policy.

So now that you have seen a few good examples – and there are bound to be others in the coming weeks and months – you might be thinking that you can just rip the best of them off by replacing their business and contact details with yours. Privacy policies, cookie policies and terms and conditions are, like many documents, subject to copyright law. There are civil and criminal penalties for infringement.

What do you do if you cannot copy someone else’s policy and you do not want to see a lawyer? You have a couple of options. We don’t make any warranties as to the quality of these documents and it will be for you to come to your own decision on whether to use them or not, but you can find privacy policies that have been written to take into account GDPR at:

• Simply Docs
• SEQ Legal

The templates come with guidance and also a level of legal support.

An alternative that we have found is a firm in Germany offering this platform, which is quite good because it generates the policy from a series of questions. The policies are generated in English (or German).

The point to recognise though when using such options, is that you are expending management time on creating your documentation, which may be better spent on retail marketing and sales.

And finally, just a word of warning….

If you are going to be gushing about how you care about customer privacy and security, bear in mind that such sentiments will come back and haunt you if you have a data breach and a class action subsequently follows.

Getting your re-permissioning email right

The last thing you want to do is send out a re-permissioning email that is wrong, so the essential elements are:

• Have something that the reader has to check or click
• Think about your consents, terms and conditions etc – make sure that they are hyperlinked and to the right version
• Have a good pitch to encourage the call to action
• Have a stick – no more fantastic emails from you after, say, 1st May
• Have an unsubscribe link – it’s still an unsolicited marketing message

Spot what’s wrong…

Spot what’s great…

… It is just such a shame the link to the privacy policy (at the time of publication, at least) is to a policy written to comply with current data protection laws and not GDPR. So, for instance, can the reader really say ‘Yes please’ to future profiling when there is no meaningful description in the privacy policy about the logic behind the profiling as required by GDPR?

Alternative channels to re-permissioning (and capturing new subscribers)

Use your website. You could follow the likes of Manchester United and approach re-permissioning through alternatives to sending out emails. How about landing page pop ups, retargeted advertising and even good-old-fashioned snail mail warning that from 25th May your great email messages will not be landing in customers’ in-boxes as before?