Late in March 2017, the ICO reported that it had fined automaker Honda and airline Flybe a combined total of £83,000 ($104,000) for breaching data protection laws, for sending marketing emails to people without the appropriate consent.
These emails, although asking customers to update personal data and marketing preferences, fell afoul of rules as they were considered marketing communications sent to people who had opted out of such messages.
While this was an infringement of the existing Privacy and Electronic Communications Regulations (PECR), it can be seen as a taste of what’s to come under the forthcoming – and stricter – General Data Protection Regulation (GDPR) in May 2018.
So, with just 13 months to prepare for the changes to how all UK, EU and worldwide businesses use the personal data of European Union citizens – what do you need to know about how you review, seek and record consent? Under current laws, consent is defined as:
“Any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”
Under GDPR, consent is defined as:
“The data subject’s consent means any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.”
1. How is consent considered valid?
Consent must be:
- Freely given, without coercion, undue incentives or a penalty for refusal. Where consent is a condition of a subscription, consent must be demonstrable.
- Specific to the type of communication in question and the organization sending it.
- Displayed clearly and easy to understand so the person knows what they are agreeing to.
- Show a positive expression of choice, with a prominent statement signifying agreement. Opting in cannot be inferred by silence, pre-ticked boxes or inactivity.
GDPR also sets out stricter rules for email communications, including the need for consent given to the organization sending the marketing (rather than consent given to a third party that may have provided the data), and the requirement that the consent is ongoing beyond the message sent and specific to a certain form of communication.
2. Are there alternatives to explicit consent?
While explicit consent has not been stipulated, obtaining it is considered best practice. That said, implied consent – a situation where the person could easily conclude they have consented to marketing, even if not said in as many words – could be considered valid.
3. What are approved methods for obtaining consent?
The clearest method is to ask your customers to tick an opt-in box to confirm they wish to receive marketing messages, and document the specific channels you wish to use (post, email, phone calls etc.). Other methods (including clicking an icon, sending an email, subscribing to a service or oral confirmation) can be used, but the important things to consider are that:
- The customer must understand that they have given consent, and what they have consented to, without any important details hidden in ‘small print’.
- Organizations cannot email or text to ask for consent, as the message itself constitutes a direct marketing message (as Honda and Flybe discovered).
- There needs to be a simple method for opting out.
4. Are there rules relating to opt-in and opt-out boxes?
[Image caption: This consent form is confusing as the first tickbox asks for a positive action to signify agreement (opt-in), while the second asks for a positive action to signify refusal (opt-out).]
A consent form like this has issues because it uses pre-ticked boxes and mixes them with unticked boxes.
Best practice is to have opt-ins that require a box to be ticked, rather than unticked. A pre-ticked box will not be considered enough to demonstrate consent. Mixing ticked and unticked boxes will also make it harder to prove consent was given. To comply, there will also need to be specific boxes for each type of communication, or analysis, you hope to use.
5. I use marketing lists provided by third parties. How will this affect consent?
Although consent obtained via third parties is quite common, this may not be sufficient for electronic messages, where specific consent is required, because customers have not given their consent to these organizations directly.
However, consent might be valid when specific third party organizations or tightly defined groups have been named (although not when presented with a long, exhaustive list or general categories).
6. Is there a time limit to consent?
Although there is no fixed time limit where consent expires, context is important and it should be assumed that it does not remain valid forever. An important thing to note is that a person’s most recent indication of consent is paramount – if a customer agrees to marketing on three previous occasions but opts out the fourth time, it is this last decision that sticks.
Even when consent has not been explicitly withdrawn, GDPR considers consent to last ‘for the time being’, which has been interpreted to mean ‘until a time where there could be a significant change in circumstances’.
7. Will my organization need to provide proof of consent?
It is an organization’s responsibility to demonstrate valid consent; else it could be at risk of enforcement action. Clear records will need to show a date of consent, what has been consented to, the method of consent and who obtained it, and these may be needed as records of evidence in the event of a complaint.