Although the GDPR is not new, its effects on business marketing activities continue to puzzle practitioners. Marketing under the GDPR with consumer information is still possible, but you’ll need to understand the regulation thoroughly.
What is the GDPR?
Implemented in May 2018, the European Union’s General Data Protection Regulation (GDPR) claims to be the toughest privacy and security law in the world. And you don’t have to be based in Europe to be impacted by it.
As long as your organization targets or collects data related to individuals in the EU, you must abide by the regulations. If you don’t, you can expect penalties reaching into the tens of millions of euros.
The GDPR is large and far-reaching and may impact many areas of your company, including your marketing strategies.
Consent and marketing under the GDPR
Can my company capture consent in exchange for content? For example, can I collect an email address to download a white paper or register for a webinar?
Yes, but… to do this, you must be very clear on the specific uses of the information you collect. Businesses must clearly state the purpose at the time information is collected. It’s unlikely any non-disclosed purposes will be consented to if challenged.
For example, a company can’t use email addresses obtained solely for contest entry purposes to then market to the individual or, for that matter, share that information with partners. The exception is, of course, if the consumer was asked and specifically and actively agreed to this.
Essentially, businesses need to be very specific when it comes to the intended uses of information collected.
How should companies manage vendors?
What are the key questions a marketer needs to ask email service providers (ESPs) to help them comply with GDPR requirements?
If you’re just beginning your business dealings in the EU, you need to ensure your email service provider can comply. In short, ensure your ESP is aware of their obligations under Article 28 (3-f) of the GDPR and that they can help you demonstrate compliance.
Setting up a comprehensive vendor assessment is also a good idea and it’s recommended companies put in place a data protection agreement, incorporating standard contractual clauses.
Can companies still market to consumers with legitimate interests?
Does “soft opt-in” still exist under the GDPR?
The term “soft opt-in” is often used to describe how a company can market to existing customers. Provided you have fulfilled certain criteria, under existing regulations you can market to customers without their explicit consent if:
- You have already sold your goods and services to that individual
- They gave you their details and did not opt out of marketing messages
- You are emailing them about goods or services that are the same or similar to previous goods or services
- You give them a clear chance to opt out with every message you send them. If individuals have unsubscribed, opted out, or otherwise indicated their desire that your organization stop using their personal information, your organization may not contact them to seek their consent to marketing.
The “soft opt-in” rule means you may be able to email or text your own customers.
However, it does not apply to prospective customers or new contacts, such as those from bought-in lists. It also does not apply to non-commercial promotions like charity fundraising or political campaigning.
Seeking GDPR-compliant consent
What is “stale” consent, and how does it impact my business?
There’s a lot of buzz around “stale” consent. Stale consent is consent that was previously obtained, but that may not meet the GDPR’s new standards.
For instance, let’s say your marketing department had pre-ticked boxes for individuals to receive newsletter updates when they filled out a form to download a white paper. That previously obtained consent may no longer satisfy the clear, affirmative action requirement under the GDPR.
For any instances that do not satisfy GDPR standards, companies should seek GDPR-compliant consent. Or, they should no longer use the earlier, acquired personal data.
Requesting consent from individuals whose previously obtained consent doesn’t meet GDPR standards is known as a “re-permissioning” or “re-engagement” campaign.
How does the GDPR impact data sharing between the EU and the U.S.?
Are there any legal or other issues with accessing EU databases from the U.S.?
In short, yes. The GDPR impacts data sharing between the EU and other parts of the world. As described in Chapter 5 of the GDPR, companies in the U.S. and elsewhere outside the EU must have a legal transfer mechanism for receiving or accessing EU personal data.
This means companies must evaluate the methods they use for receiving, transferring and importing EU personal data. They also need to document their transfer basis.
Many U.S. companies self-certify to the EU-U.S. Privacy Shield Framework. In fact, TRUSTe has verified thousands of them.
GDPR impact on lead generation and business cards
How does the GDPR apply to attendee lists, either provided via email or business cards? Will trade show vendors need to change how they share attendee information?
Attendee lists and delegate lists such as those provided at conferences and trade shows, webinars, webcasts and workshops can be used if:
- The entity collecting the data has obtained the consent of the data subject
- The entity collecting the data has informed subjects how their data will be stored, used and shared.
It’s important to remember that personal data does not just relate to email addresses. It’s defined as any information that can be used to directly or indirectly identify someone.
That can include their name, email address, photo, or computer IP address, but also information on medical conditions, dietary requirements and social media posts.
