Yes, that’s right: now is the time to grow your email lists.
Many soothsayers have claimed that email marketing will be in decline as businesses mark up to three-quarters of their email data obsolete, fearing it does not meet the higher standards required by the new General Data Protection Regulations from May 25th, 2018.
Effectively, all GDPR brings to the email party is the requirement that data is collected in a simple, clear, and transparent way. Which is to say that you have to make clear at the time of collecting an email address exactly what you will do with it. We paraphrase, but what you’re basically saying is:
“Hey Customer! Please give us your email address so that we can send you marketing emails. You don’t have to agree, and if you do you can always change your mind. Please tick the box if you agree. Ps. If you don’t you can still be our friend.”
If, when you do your personal data assessment or Privacy Impact Assessment, you decide that your privacy notices and sign-up forms were confusing, used complicated language, or even used a pre-ticked box, you should refresh that consent and make sure people are clear.
GDPR also requires that you record consent and are able to show what the sign-up form looked like and how/when/where that form was used. In satisfying a complaint you may need this to prove you acted in a way which was compliant with GDPR.
Can you incentivize sign-ups until GDPR?
You know, the “sign up now and we’ll send you a voucher code” type of offer.
According to the ICO in their Consultation: Guidance on Consent (March 2017), the answer is as follows:
“It may still be possible to incentivise consent to some extent. There will usually be some benefit to consenting to processing. For example, if joining the retailer’s loyalty scheme comes with access to money-off vouchers, there is clearly some incentive to consent to marketing. The fact that this benefit is unavailable to those who don’t sign up does not amount to a detriment for refusal. However, you must be careful not to cross the line and unfairly penalise those who refuse consent.”
If the process is direct marketing, as it will be in most cases, then you have to have chosen the relevant lawful basis for processing under GDPR and if this direct marketing uses email as its channel then you will also need to comply with PECR. But that’s a story for another day…
DISCLAIMER: The content and opinions within this blog post are for information purposes only. They are not intended to constitute legal or other professional advice, and should not be relied on or treated as a substitute for specific advice relevant to particular circumstances, the Data Protection Act, or any other current or future legislation. Adestra shall accept no responsibility for any errors, omissions or misleading statements, or for any loss which may arise from reliance on materials contained within this blog post.