At the end of this month, GDPR will come into force, and with companies still worrying about what the impact will be, we thought it would be a good idea to take a closer look at what it will mean in practice. We will begin with the Privacy and Electronic Communication Regulations (PECR), which deal with exemptions to Data Subject consent when it comes to electronic marketing.
According to the ICO, you must have consent to use data if you:
– Market by phone, email, text or fax;
– Compile a telephone directory (or a similar public directory).
There are two main exemptions under PECR: B2B marketing, and cases where there has already been a soft opt-in.
Business-to-business marketing to incorporated bodies, public sector organisations, government bodies etc. is exempt. So as long as you are meeting ethical standards, there is no problem communicating with other companies.
However, be aware that sole traders, and employees of sole traders, are classified as individuals and must, therefore, be treated in the same way as private Data Subjects.
Where you can prove that you already have an existing relationship with individuals, sole traders and employees of sole traders, you can continue communications without the need to obtain additional consent.
Soft opt-in exists where a sale or negotiation of a sale has already occurred, i.e. the person has bought something from you, or has made an enquiry and you have responded to it. However, you must be able to provide proof that you have followed three criteria:
1. Are you marketing similar goods and services?
2. Did you inform the person at the time you collected their data that you would be using it for marketing purposes?
3. Did you inform them, at the time they agreed to opt in, that they could opt out at any time? For instance, at the end of an insurance quote phone call, when they asked if they could send occasional mail, did they also inform you that you could opt out?
If you can’t answer the three criteria positively:
● Stop marketing to that person.
● Potentially remove the person from your database.
● Find another mechanism of getting that person’s consent.
Many of us have received emails from the companies we deal with asking us to sign up for consent. Unfortunately, when it comes to individuals, these emails are potentially in breach of PECR, leaving the companies concerned vulnerable to complaints. However, those sent to business addresses are exempt from PECR. When people use their work emails for personal purposes, e.g. buying things online, the lines are blurred: is a breach committed? It would seem unfair of them to complain in those circumstances.
Different ways of collecting consent
So how do you capture consent without being in breach of PECR? One way is the old-fashioned method – snail mail! Postal communication is not covered by the Regulation because it is not electronic, so send customers a postcard inviting them to go online and update their preferences, or send a letter with a prepaid reply card they can fill in and pop in the post.
Another way would be to add a popup box on your website reminding people to update their preferences or sign up for information.
Or hand a paper form round at events, as we do at our breakfast briefings, asking for attendees’ email details and their consent to keep in touch.
Please note that the use of telephones does count as electronic communication and therefore falls under both GDPR and PECR. In the case of B2B calls, you may only make live calls (i.e. not using an automatic dialer) to businesses that are not on TPS or CTPS. Calls to individuals and sole traders without their consent are not permitted.
If you would like help becoming GDPR-compliant, please contact our Hertfordshire GDPR consultants.