You’ve likely received a plethora of emails from companies requesting you to consent to receive their email newsletters or other email promotions – even though you had previously agreed to opt in. They want to be sure they’re meeting the General Data Protection Regulation (GDPR) going into effect this month.
Ironically, the regulation meant to limit unnecessary, unwanted emails led to a deluge of emails asking people to receive emails. That prompted critics to blame GDPR for “consent fatigue” and call it a burdensome and unhelpful regulation.
Many of those requests for consent are unnecessary and some may be illegal, according to data regulation experts. Businesses do not need to automatically refresh existing consents, they say. They can continue to rely on any existing consent as long as it meets GDPR requirements.
“But the GDPR sets the bar high for consent, so it’s important to check your processes and records to be sure existing consents meet the GDPR standard,” states Steve Wood, deputy commissioner for policy at the UK’s Information Commissioner’s Office. “If they do there is no need to obtain fresh consent.”
Clear, Unambiguous Consent
Transparency is the hallmark of the privacy regulation. Organizations risk non-compliance if their emails are difficult to follow and key information is lost at the end of long text, Wood says. People must clearly understand what they are consenting to.
“Some have said that they will lose customers by bringing their consents to the GDPR standard. I say you will have better engagement with them and build customer trust,” he asserts.
Although the European Union enacted the GDPR, the data privacy regulations apply to companies that process data of EU citizens, even if they don’t operate in the EU, including companies that receive web traffic from EU countries. That means it impacts most major American companies. Companies not meeting the law risk heavy fines in addition to possible reputational damage if they violate the rules.
Legal Grounds for Processing Data
The GDPR describes six legal grounds to process personal data. Besides consent, they include contract, legal obligation, vital interests, public interest and legitimate interests. First determine which of those six legal grounds your organization should rely on to process personal data, Toni Vitale, the head of regulation, data and information at the U.K. law firm Winckworth Sherwood, told The Guardian. If a business has an existing relationship with customers who have purchased its goods or services, it may not need to obtain customers’ consent to receive communications.
“Even if you are relying on consent, that still does not mean you have to ask for consent again,” Vitale advises. “Just make sure that your consent met the GDPR standard and that consents are properly documented.”
Illegal Requests for Consent?
Some of those requests for consent may themselves be illegal. If companies lack proper consent to email people, they may lack the consent needed to email people to ask for consent in the first place.
The sender could be breaking the UK’s Privacy and Electronic Communications Regulations, which forbid unrequested emails that request consent to send marketing promotions, Vitale says. Similar to the US National Do Not Call Registry, it applies to all electronic communications such as email or SMS mobile phone messages.
Many businesses did not record when and how customers first consented to receive communications, Lukasz Olejnik, a privacy researcher and consultant, told The Guardian. They simply dumped email addresses into databases. Some of those companies requested “new” consent due to that lack of record keeping and uncertainty.
Companies should try to determine if they have valid consents or obtain consents, experts advise. If companies can show they’re planning for compliance appropriately, regulators may give them leeway, they say.
Bottom Line: Many businesses are sending customers unnecessary and perhaps even illegal requests for consent to receive emails due to uncertainty about the General Data Protection Regulation. Confusion over the law’s requirements on email marketing and other business communications abounds. Many companies may be taking what they see as the simplest and safest route out of fear of heavy fines, poor legal advice, and lack of clear direction from regulators. Meeting the privacy and data security rules will likely become an ongoing chore.
William J. Comcowich founded and served as CEO of CyberAlert LLC, the predecessor of Glean.info. He is currently serving as Interim CEO and member of the Board of Directors. Glean.info provides customized media monitoring, media measurement and analytics solutions across all types of traditional and social media.
That’s true, Will, most people are very much unclear about GDPR – what is it, does it affect them and their business, etc.
I’ll spread the word about this on my socials, after all this is important to know!