How many of you were surprised when you woke up on May 25th to find the world hadn’t collapsed? The days (weeks) leading up to the day that GDPR came into effect were characterized by a lot of buzzing that almost reminded me (yep, I’m that old…) of the Y2K craze of December 1999, when everyone seemed to fear a collapse of all computer systems because they would reset their clocks to the year 0 instead of 2000.
One of the things that really changed on May 25 was that we stopped receiving tons of mails begging us to please subscribe (we’ve also sent a couple of these…). Another is that numerous misunderstandings started to appear about what you are still allowed to do under GDPR. Take, for example, a LinkedIn post we read from someone who was slapped on the wrist by a company he contacted via the contact form on their website. They claimed this wasn’t GDPR compliant because they hadn’t given him permission.
(read the myths below the illustration)
So we asked the GDPR experts at Privatum if they could help us to set right the most common misunderstandings about GDPR and Direct Marketing. Here is their top 5:
Myth 1: For every direct marketing action I undertake I need the explicit consent of the people I’m contacting
It’s a common misunderstanding that direct marketing always requires prior consent of the people you contact. Under three conditions you can send direct marketing without prior consent:
- the contact is a customer;
- the info you are sending is about products or services similar to those that you as a company are already providing;
- when you collect the digital contact details of the customer, you offer an easy and free way of prohibiting the use of this data.
If one of these conditions isn’t met, for example if the info you are mailing is about products or services that you don’t provide yourself, then you do need prior consent.
Myth 2: Direct mailing to prospects always requires prior consent
A prospect is a potential customer. If this prospect has shown a clear interest in the products or services you deliver, for example by completing the contact form on your website, then you are allowed to send this person direct mailing. You don’t need his prior consent.
In the past this was translated in Belgium into ‘Aanbeveling nr 02/2013 van 30 januari 2014 m.b.t. direct marketing en bescherming van persoonsgegevens (CO-AR-2012-0070)’ (ed. Recommendation number 02/2013 of January 30, 2014 concerning Direct Marketing and the Protection of Personal Data). This stated that not consent but justified interest can be considered as a basis for customer relation management towards own customers and prospects. In the UK a similar interpretation was made by the ICO (Information Commissioner’s Office).
Myth 3: GDPR applies to direct marketing sent to an ‘info@’ address
GDPR applies to personal data, meaning all information about an identified or identifiable human being. An ‘info@’ mail address or the public phone number of a company isn’t considered personal data, which means GDPR doesn’t apply to these.
Myth 4: If you buy addresses from a data broker you are always allowed to use these for direct marketing
Under GDPR you are required to process personal data in a transparent, honest and righteous manner. This means the data broker must be able to demonstrate that the data was acquired the way it should have been, and that it was made clear the data was acquired to be sold for direct marketing use.
Myth 5: You need a double opt-in to get validated consent for sending direct marketing
A double opt-in means that an individual needs to confirm his email address before it can be added to a mailing list. For example: someone registers for a newsletter with his email address. This person receives a mail with a confirmation link he needs to click to register.
The GDPR sets a high standard for consent, which means it offers individuals real choice and control. There are 4 criteria to uphold in order to have legally validated consent:
- Free will: there are no negative consequences for the individual if (s)he doesn’t give consent.
- Informed consent: the individual needs to be fully aware (s)he is giving consent and to what extent.
- Specific consent: if there are multiple uses of the acquired information (like newsletters, events, product launches,…), the individual needs to indicate which of these (s)he wants to receive.
- Consent needs to be given via a straightforward and conscious act, for example by ticking an empty box, clicking a button,…
Looking at these four criteria, a double opt-in isn’t required to get validated consent. Nonetheless, a double opt-in has the advantage of reassuring you that a valid email address was entered.