How to avoid a fine like MoneySuperMarket over email consent and permissions
I think we, as human beings in general, are familiar with the concept of asking for something and then giving thanks when we are given what we have asked for (unless you are a burglar, of course). Indeed, in the Top 20 languages in the world there is a translation of two common terms we use: Please & Thank You. From the Arabic “Min fadlak/fadlik” and “Shukran” to Wu, “Te kue zhou” and “Ciohkue jiajia non”.
However, marketers seem to have a very different concept of seeking permission. The fear is that if they ask a prospect or customer for consent, they may say no. No! No! No! So, instead of asking, they presume that they have consent. But as MoneySuperMarket has just found out (as did Honda and Flybe earlier this year), no definitely means no to the value of an £80,000 fine in this case.
What happened to MoneySuperMarket?
On the 17th July, the Information Commissioner’s Office found that MoneySuperMarket Limited (MSC Ltd) breached regulation 22 of the Privacy & Electronic Communications Regulations 2003 (PECR) by sending over 6.7m emails to an unsubscribed list: a list of people who said that they did not want to receive emails. Once upon a time they did consent, but since then they withdrew that consent. That is their right.
In this case, disguised as a Terms and Conditions update email, the text of the campaign read: “You’ve told us in the past you prefer not to receive these [marketing emails]. If you’d like to reconsider, simply click the following link to start receiving our e-mails.” The ICO felt that, under section 11(3) of the Data Protection Act 1998 (DPA) and PECR, the content of the email made it a direct marketing communication to people who had withdrawn their consent to receive such messages.
Investigating your own permissions?
In May next year, the General Data Protection Regulations (GDPR) will become enforceable. Between now and then many businesses will be looking at the data they hold and assessing the level of consent they have to send marketing communications to those people. If you’re in that situation yourself, there are a number of elements to consider:
Firstly, all data protection law, whether DPA, GDPR, PECR (or the ePrivacy Regulations that will replace PECR next May too), is based on the 8 principles of Data Protection. In the examples above, ‘Principle 1 – fair and lawful’ was set aside in favour of the interests of the organisations. So read about the principles and decide whether the data you hold really meets those criteria.
Secondly, consider which basis you will use to process personal data. If you are a B2C organisation, you may consider your lawful basis to process personal data for direct marketing purposes to be ‘Consent’ (GDPR Article 6(1)(a)). If you are a B2B organisation, your basis may be ‘Legitimate Interest’ (GDPR Article 6(1)(f), Recital 47).
What is the difference between Consent and Legitimate Interest, I hear you cry? Sum this up in one sentence, I was asked, though it is a gargantuan task. Here’s an attempt. Legitimate Interest is ideal where an organisation has an existing relationship with a person and believes it is in its legitimate interest to pursue that person, most likely in a B2B relationship – marketing toner to the person who bought the printer. Consent, by contrast, is the alternative where there is no legitimate interest: in a B2C situation there is very likely no pre-existing relationship with the brand, but an indication of desire to receive messages exists (like a sign-up process).
Lastly, you should review your current personal data processing permissions (yes, another 3 Ps in marketing!) and ask yourself whether what you have now is in the spirit of GDPR. If not, it may not be lawful to continue to use that data and you must decide what steps to take next.
Be careful – the temptation will be to carry out a re-permissioning exercise. Sounds reasonable on the face of it but there are potential pitfalls as MSC Ltd discovered:
- You cannot email someone to ask permission to email them.
- You cannot email someone to ask permission to email them even if once upon a time they had consented and subsequently withdrawn consent; Flybe and MSC Ltd did this and were fined.
- You should not email someone to ask permission to email them if you are not sure you have permission; Honda did this and got fined.
So, what could you do?
- Find a lawful basis for processing personal data for which you do have permission.
- Target those who have unsubscribed from email, for example, via a different channel (provided you have consent for this) – send them a postcard with ‘Wish You Were Here’ with a picture of your online channels and a CTA to sign up. If you are using mail, make sure you run your list via the Mailing Preference Service first.
- Deploy a preference centre rather than a straight unsubscribe process – offering those wishing to unsubscribe some options (if you’re an events company, it may be that the person is unsubscribing purely because they can’t attend this year’s event so offer alternatives but make it clear).
- Make sure your sign-up, registration forms or preference centres have correct ‘consent’ wording and processes so people updating their preferences know they are ‘re-consenting’.
- Avoid using the term ‘re-permissioning’ that could suggest that you don’t have or don’t know whether you have consent.
Above all – be open and transparent about your intentions relating to the use of personal data and stick to those promises – every relationship is about trust, whether it is your partner, your pets, your prospects or customers! Of course, there is much more to the law than this, but hopefully my points will offer some guidance.