There is a litany of poor marketing and advertising practices remembered in a new survey from the New Statesman Media Group New Statesman Press Gazette sustainable luxury lifestyle and ESG publishers From Fyre Festival to Kendall Jenner and Pepsi to ...
Now that the UK Government has finally confirmed it will be adopting the EU General Data Protection Regulation (GDPR) – and dismissed any chance of repealing it once Brexit has been secured – marketers know they have just over 16 months to get their houses in order.
As far back as 2011, the European Commission first revealed plans for the first overhaul in data protection legislation in more than 20 years, so it is not like anyone did not know it was coming.
Once the Commission sets its sights on new laws, it would take a brave man – or more likely a foolhardy one – to bet against completion; the Brussels machine may be slow but it is well oiled and unrelenting.
Given the lobbying power of marketing technology giants, it is perhaps no surprise that there have been a number of concessions from the original proposals, and hard won victories, yet the main measures remain intact: huge fines, of up to 4% of global turnover, for serious data breaches; the prospect of having to hire data protection officers; threats to profiling; simpler opt-outs; and tougher rules on marketing consent.
It is on its way so, as they say, you had better shape up or ship out.
Yet even now, not everyone is confident they will be ready, despite such a long lead time. Some studies still point to a worrying lack of awareness, especially among the tech community, although a recent survey by UK direct marketing industry body the DMA suggests businesses are at last coming to terms with the changes; nearly two-thirds expect to be ready for GDPR D-Day on May 28, 2018. What the other third have been doing for the past few years – or are planning to do for the next 16 months – is anyone’s guess.
GDPR: the five top issues for marketers
Direct marketing as a legitimate interest. The text recognises that the processing of personal information for marketing purposes may be regarded as carried out for a legitimate interest. While processing for direct marketing purposes is considered a legitimate interest, if an organisation relies on legitimate interest for its processing then it needs to make a careful assessment of the relationship between it and the individual.
Definition of personal data. Personal data is any information relating to an identified or identifiable person. How companies interact with personal data is the focus for the legislation. An identifiable person is somebody who can be identified directly or indirectly, particularly by reference to a name, identification number, location data or online identifier.
Whether or not online identifiers such as cookies fall into the definition of ‘personal data’ will depend on where they are placed in the online ecosystem. For example, a cookie placed by my internet service provider will be classified as personal data as it could identify me, whereas a cookie placed by an advertiser lower down the online ecosystem and cannot be linked to my email address or anything else which could identify me, is unlikely to be considered as personal data.
This represents a sensible compromise as it was feared that all online identifiers would be considered as personal data. This separation means non-identifiable, ‘blind’ data can be more widely used than identifiable personal data.
Consent. The GDPR text refers to ‘unambiguous’ consent rather than ‘explicit’ consent, which is a stricter definition. Under unambiguous consent, consent for postal and telephone marketing can still be given on an unsubscribe or opt-out basis.
Either way, marketing organisations should bear in mind that the rules on consent will tighten up. Information must be provided concisely, in a transparent and intelligible way, and be easily accessible using clear and plain language. Days when the consent could be buried in lengthy terms and conditions are numbered.
Right to object (unsubscribe/opt-out). Under the new Regulation, individuals will have the right to object to any processing of their personal information, including profiling, at any time and free of charge. If individuals object, then their personal information can no longer be processed for marketing purposes.
Most marketers will use the legitimate interest grounds for processing personal information (see above) if they are using an unsubscribe/opt-out methods. But the right to unsubscribe/opt-out must be brought to the attention of the individual in the first communication and be clearly and separately stated. Again, existing unsubscribe/opt-out language will need to be revised.
Profiling. Profiling has now been included under the label ‘automated decision making’. Individuals have the right not to be subject to the results of automated decision making, including profiling, which produces legal effects on him/her or otherwise significantly affects them. So, individuals can opt out of profiling.
But, individuals have no right to opt-out of profiling if they have already explicitly consented to it, or if profiling is necessary under a contract between an organisation and an individual, or if profiling is authorised by EU or Member State Law.
Data protection rule – there may be other trouble ahead
However, before everyone starts putting up the bunting and patting themselves on the back for a job well done, there is trouble on the horizon – big trouble – in the form of an overhaul of the ePrivacy Directive, which appears to have gone under the radar.
First announced in spring last year, when most were too wrapped up in the EU Referendum debate to take note, the legislation also includes the Privacy & Electronic Communications Regulations (PECR) and was last updated in 2009.
Covering all online and mobile marketing, SMS, email and telemarketing activity, many experts believe it could have far wider consequences for the data and marketing industries than GDPR will ever have.
To make matters worse, the Commission has also pledged that the update will be completed by May 2018, bringing it in line with GDPR.
In its current form, PECR is already a major headache for marketers and breaches of the laws represent the majority of the UK Information Commissioner’s Office workload.
Over the Christmas period, a first draft of the legislation exposed plans to make all business-to-business (B2B) electronic marketing opt-in only – meaning that any marketer wanting to email corporate employees would require opt-in consent.
Cue outrage from the direct marketing industry, which warned the measure would have dire consequences for the sector. Within days, these fears were dismissed by reports that the measure was only contained in an early draft but this initial relief was soon followed by a raft of other threats, from a crackdown on third-party data to tighter rules on telemarketing (see panel).
There is also the not insignificant matter of website cookies. The Commission is now proposing that Internet users should no longer have to click on a banner every time they visit a website to find out what cookies are being placed on their machines. Instead, websites should be able to read the cookie preferences set in users’ browsers, similar to those which record online history.
Perhaps unsurprisingly, the digital ad industry has balked at the plan, claiming the changes could have a serious impact on online advertising, which, according to figures from trade body the Interactive Advertising Bureau (IAB), generates £10bn of revenue for publishers and content creators in the UK alone.
IAB Europe chief executive Townsend Feehan (pictured left) said: “People who thought cookie banners were annoying will be disappointed to hear that things won’t get better,” adding that users may have to set their preferences for every app and every device they use.
Also, due to proposed changes in rules governing profiling, email and messaging services like WhatsApp, Hotmail and Gmail would not be able to scan communications to serve targeted ads without users’ explicit permission.
IAB head of policy and regulatory affairs Yves Schwarzbart (pictured below right) said: “It will particularly hit those companies that find it most difficult to talk directly to end users and what I mean by that is tech companies that operate in the background and facilitate the buying and selling of advertising, rather than the ones that the user directly engages with.”
Add in to the mix the fact that, with the legislation being linked to GDPR, companies falling foul of the new laws will also face fines of up to 4% of their global turnover, and you can see why many experts are bracing themselves.
Given its complexity is it really likely that the new ePrivacy Directive will be ready in time? Robert Bond, a data protection specialist and partner and notary public at Bristows LLP, believes the directive will add another dimension to the GDPR timetable, but added: “It will be tough, but I believe it will get done. However, implementation in the UK will likely be piecemeal and we will see a number of Statutory Instruments rather than an Act.”
The DMA maintains it will be lobbying the UK Government and through affiliate European trade body FEDMA will be lobbying EU institutions to try to secure concessions.
But what do consumers make of the improved protection which both the GDPR and ePrivacy Directive are designed to provide?
According to research by Callcredit Information Group, designed to gain a deeper understanding of consumer attitudes towards data sharing, 81% of UK consumers who have been briefed on the changes believe the new laws will make them more likely to hand their personal data over to companies.
As Callcredit chief data officer Mark Davison (left) said: “The digital revolution has led to an unprecedented explosion of personal data that continues to erupt at an astounding rate. Naturally, consumers are curious about how this data gets used and how safely it is stored.”
However, Davison reckons that while regulation is one way to build consumer trust, businesses also have a crucial role to play in ensuring the security of their customers and making sure they communicate the steps taken to achieve this at every stage of the customer journey.
He added: “More must be done to ensure that people feel they have full control over their own data and a deeper understanding about how brands are using it. This, combined with tackling consumer concerns about the risk of identity theft and online fraud, will accelerate growth of the hotly anticipated rise of the personal information economy to the mutual benefit of both businesses and consumers.”
A marketer’s guide to the ePrivacy Directive:
Scope of the legislation: The scope is not limited to electronic communications personal data. The definition used is much broader than that as it includes electronic communications data. This means that the Regulation will apply to machine-to-machine communication and to over the top services (OTT) such as Skype and WhatsApp.
Definition of direct marketing: All advertising on over the top service providers (Skype and Whats App) and social media sites (Facebook, Twitter) regardless of whether it is generic or targeted would fall within the definition.
Definition of consent: The same as the definition within the GDPR. However, Article 9 in the proposal does add some extra detail regarding consent for individuals who have consented to the processing of their electronic communications data. As long as the data processing continues, individuals must be reminded of their right to withdraw their consent at any time. The proposal mandates that this takes place at six monthly intervals. Furthermore, consent may be expressed by making changes to software settings, enabling access to the Internet. This could be changing the settings on your Internet browser on your computer or altering privacy settings on a mobile app that accesses the Internet. Regulatory guidance will be necessary on this issue.
Publicly available directories: Directories in this category will also need to have the consent of individuals to share their data. As well as ensuring that the personal data available is up-to-date. Individuals should have a means to verify, correct or delete personal data relating to them.
Passing information on to third parties: Software providers, which could include those offering Internet browsers, will need to offer individuals the right to stop third parties from storing and using their data. When installing new software individuals should be informed of the privacy settings and asked whether they consent to their electronic data being processed in a particular way and passed on to third parties. This places a great deal of power in the hands of the Internet browsers or other software companies. They will need to record consent in some way and be able to share that with third parties, relying on consent expressed via technical settings. What data third parties can use will depend on the language used by the browser when gaining consent and the granularity they go into when naming what sector, group or organisation the data will be shared with.
Telemarketing: The proposal includes a requirement for organisations making direct marketing calls to either present the identity of a line they can be contacted on or have specific code/prefix that identifies a direct marketing call. The second ask is troublesome as a direct marketing prefix would be difficult to agree on, there are a plethora of different organisations carrying out calls and their aims are all quite different. For example, would there be a different prefix for fundraisers? The policy quickly becomes very complicated and is therefore unlikely to actually help consumers or affect the rogue operators breaking the rules to make nuisance calls, the UK DMA argues.
Please register below to unlock this article.
An email will be sent to you with your membership details.