Global Marketing Alliance

The GDPR consent dilemma: is there an alternative?

consent dilemma

Photo by Jonathan Natiuk, www.sxc.hu

Stricter rules on consent, under the EU General Data Protection Regulation, are causing a headache for marketers. With the 25th May 2018 deadline looming, there is some frustration in the industry about what preparations are necessary to comply. Additional guidance from the UK Information Commissioner’s Office, and at EU level, is eagerly sought.

Adding to the regulatory burden on top of the GDPR is the prospect of an ePrivacy Regulation governing electronic communications. Replacing the EU ePrivacy Directive (which gave us PECR in the UK), the aim is for this new regulation to come into force in line with the GDPR next year. However, the final text has yet to be published and rumours are growing it may be delayed.

It’s becoming increasingly apparent that planning for the future isn’t easy.

Why will obtaining consent be tougher?

What we do know is the GDPR stipulates consent must be ‘freely given, specific, informed and unambiguous’. The Regulation continues: ‘Silence, pre-ticked boxes or inactivity should not therefore constitute consent.’

In its Draft Consent Guidance published in the March, the UK Information Commissioner’s Office (ICO) interpreted this to mean: ‘Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of consent by default.’

The UK regulator went on to say consent must be granular; it mustn’t be a pre-condition or bundled in with terms and conditions. Perhaps most alarmingly for many was the requirement for third parties, with whom data would be shared, to be named. These are tough conditions for many marketers to meet and still hit their revenue targets.

The final ICO guidance on consent had been expected in June, then was moved to ‘summer’ and now more rumours circulate that it will be further delayed. I have heard it might even be as late as December – just five months before the GDPR comes into play. Many will be praying, when it finally arrives, some rules will be relaxed, others will be fearing they won’t be.

What the ICO did stress in its draft was that consent should only be used if consumers can be given a genuine choice. If they can not, alternative grounds for processing should be considered.

What’s the alternative to consent?

If you are unable to provide individuals with a genuine choice, you could consider relying on legitimate interests (GDPR Article 6.1(f)). This is a route that may prove popular specifically for postal marketing communications. However, this shouldn’t be viewed as an easy alternative. It needs careful consideration – the interests of an organisation must not be outweighed by the privacy rights and freedoms of individuals. You need to establish if the processing is necessary and would be in the reasonable expectations of the individual. You are also required to effectively communicate your use of legitimate interests and uphold the right to object to processing under such grounds.

The Data Protection Network (DPN) has recently published Guidance on the use of Legitimate Interests under the GDPR (sign up for the guidance free), to help organisations assess how and when legitimate interest might be used. The guidance was made possible by contributions from the UK DMA, ISBA and some of the UK’s largest companies and institutions, and has been welcomed by the ICO and the DPC in Ireland. The guidance includes:

Consent dilemma: what about the soft opt-in?

This somewhat ambiguously named term brings us back to the proposed ePrivacy Regulation. As it stands at the moment, marketing to individual consumers via email requires consent, unless you:

‘Soft opt-in’ is not a way of collecting consent – by using this mechanism you are essentially relying on your legitimate interests to do so. What remains to be seen is the final ePrivacy text. In the draft text published at the beginning of the year, the soft opt-in was retained, but its scope limited to ‘in the context of the sale of a product or service’, rather than the current PECR wording allowing for it to be used in the context of ‘negotiations of a sale’. Again, we await further clarity.

What about B2B marketing comms?

The draft text of the ePrivacy Regulation is ambiguous as to whether a distinction can be drawn between corporate and individual email addresses. Will it still be possible to use opt-out for the former? The text could be read that it will be permissible for individual EU member states to make a provision for this under national law. However, even if this exemption stands, named corporate data – for example: john.smith@company.com – is personal data and would therefore need to be processed in line with the GDPR. A choice would need to be made, therefore, between using consent or legitimate interests for sending electronic B2B communications.

Yet again, the devil is the detail.

Have an opinion on this article? Please join in the discussion: the GMA is a community of data driven marketers and YOUR opinion counts.

Read also:

GDPR and your data: check you comply . . . then check again

Countdown to D-Day: GDPR and affiliate marketing – will you be ready or devastated?

Emailers: 7 things you need to know about the opt-out process

Exit mobile version