By Ken Magill
The EU’s General Data Protection Regulation takes effect on 25 May 2018 and will be a permission game changer for many organizations that serve Europeans. Where marketers rely on consent as their lawful basis for processing, it requires, among other things, explicit, provable permission from individuals to use their personal data (the regulation’s term for personally identifiable information) to send direct-marketing campaigns to them. The GDPR also requires clear, unambiguous explanations of what the information will be used for, and the collection of no more data than is necessary to execute the campaigns for which permission has been granted.
From the text of the regulation (Recital 32): “Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.”
The GDPR also requires additional explicit permission to use European consumers’ information to send any direct marketing that falls outside the scope of the original consent. It also allows consumers to withdraw consent at any time and grants them “the right to be forgotten,” that is, the right to have their information erased. The law also requires marketers—referred to as “controllers”—to be able to prove consent (Recital 42): “Where processing is based on the data subject’s consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. … A declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended.”
Does this mean email marketers will have to re-permission their house files? Not necessarily. It depends on how explicit and transparent the permission process was in building the file. “GDPR is very specific,” said J. Trevor Hughes, president and CEO of the International Association of Privacy Professionals. “You can’t capture consent for a very broad purpose and interpret it broadly. The other thing that is pretty clear under GDPR that you can’t do is condition access to a service on consent.” There may be some marketers who send messages only to their own list who look at their permission practices and decide they’re already in compliance with GDPR, said Hughes. Others may have to re-permission their files. “It depends,” Hughes said. “So many of these things are going to be on a case-by-case basis. The expectation, though, is that specific consent means specific to the thing that you’re doing. You should start from the point that if you’re doing something new, you need something new.”
One positive aspect of the GDPR’s requirement that marketers only collect the data they need is that they will theoretically present less of a target to hackers. “If you don’t have it they can’t hack it,” said Hughes. “That’s a pretty healthy hygiene idea that the GDPR puts forward but so do good database architects: If you don’t need it, don’t collect it in the first place.”