Companies that must comply with the GDPR should take a close look at their marketing processes to ensure that they will meet GDPR requirements. The following three examples are key places where most companies should take another look at their processes with regard to GDPR consent requirements.
Marketing Outreach Email Programs
Most companies’ marketing departments have outreach programs where a large database of clients and prospects are sent emails with information about new products or services. If individuals have unsubscribed, opted out, or otherwise indicated their desire that your organization stop using their personal information, your organization may not contact them to seek their consent to marketing. Art. 21(3) further states: “Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.”
Even under the outgoing EU Data Protection Directive and related national legislation, the U.K. ICO last year fined multiple companies that sent emails to individuals who had already opted-out of marketing emails–asking those same individuals to update their marketing preferences, including whether they wanted to opt-in to receiving future marketing messages. As the ICO stated: “Sending emails to determine whether people want to receive marketing without the right consent is still marketing and it is against the law…businesses must understand they can’t break one law to get ready for another.”
There is a lot of buzz around “stale” consent. “Stale consent” is consent that was previously obtained (e.g., under the standards of the existing Data Protection Directive and its national implementing legislation) but which does not meet the GDPR’s new standards for consent.
For instance, if your marketing department used to have pre-ticked boxes for people to receive newsletter updates when they filled out a form to download a whitepaper, that previously obtained consent may not satisfy the clear, affirmative action requirement under the GDPR.
Organizations should evaluate their previous and existing methods of obtaining informed consent, and for any instances that do not satisfy GDPR standards, seek to obtain GDPR-compliant consent from those legacy individuals–or else no longer use the earlier, acquired personal data. This requesting of consent from individuals whose previously obtained consent did not meet GDPR standards is what is referred to as a “re-permissioning” or “re-engagement” campaign. A recent ICO blog post noted, “Before sending emails consider what the most effective way is to reach your customer – it may not be email. Consider a data protection by design approach – where can this information be embedded to have the best impact.”
Webinars, webcasts, and workshops
Whatever your company may call them, chances are your company offers webcasts. Oftentimes companies partner up to offer broader expertise on the topics being presented.
While companies may continue to partner with others, they should first obtain clarity–based on the facts of the given situation–as to their status as data controllers, data processors, or joint controllers. Provided individuals are made specifically aware of all parties collecting and using their personal information, and this and the proposed uses of the personal data are actively agreed to by the individual, data obtained through partnerships can be validly used.
TrustArc Direct Marketing Consent Manager
TrustArc Direct Marketing Consent Manager helps companies meet GDPR consent requirements for activities such as promoting products and services, surveys, newsletter subscriptions and other marketing activities.