When can you call or email a client? There’s still a lot to learn about the practical elements of GDPR and direct marketing
A lot has been said about GDPR in the past few years. Suomen Yrittäjät reported at the beginning of November that businesses know about the regulation, but not how to implement it.
There are shortcomings in register maintenance and data protection. The article also reports that fines totalling €400 million have been imposed in the EU since last May.
In marketing and communications, besides the GDPR, direct marketing and marketing permission are governed by the Act on Electronic Communication Services. In future, this will largely be replaced by the ePrivacy Regulation, as well as the Consumer Protection Act in consumer business.
For Elina Koivumäki, an entrepreneur who provides legal services, the situation is familiar.
“Businesses may remember some detail, like not generally being allowed to send a consumer emails without consent, but then they don’t remember whether it applies to B2B. The regulations often have different provisions for dealings between companies and private persons.”
Koivumäki points out that a lot of direct marketing operates on the “opt out” mechanism: actions are permitted until the recipient says no.
“That is the basic premise in telemarketing, direct mailings and B2B emails, until the recipient says they don’t want to receive any more direct marketing,” Koivumäki says.
Consent needed for direct marketing
The GDPR contains six legal bases for personal data processing.
“Of these, consent is the most significant, particularly when we’re talking about processing consumer customers’ personal data for marketing purposes,” says Suomen Yrittäjät specialist Karoliina Katila.
Under the GDPR consumers must be told, when their personal data are collected, whether the data will be used for direct marketing. The marketer must state where the data are collected and that the consumer has the right to say no to direct marketing.
“Email and text message marketing require the recipient’s prior consent. It cannot be an automatically prefilled tick box: the consumer has to actively express their consent to receive electronic marketing messages and tick the box themselves,” says Katila.
A company may send electronic direct marketing without permission in exceptional circumstances. To do this, the company must have received the contact details when selling the product or service, and the message must only market equivalent or similar products or services to those sold in previous transactions. The consumer must have been informed about the sending of marketing messages at the time of the transaction, and each message must inform him or her of the right to ask to stop receiving such messages.
“Each of these criteria must be met,” Katila says.
Marketing to corporate clients must be related to work
Direct B2B marketing to companies may be done more freely than to consumers. However, the product or service must be related to a person or his or her job or area of responsibility. Blind mass mailings are not permitted. Per the GDPR, a B2B mailing list is a personal register which must only contain essential information.
“Recipients must have an easy way of unsubscribing from this list, too, and there has to be an easy way for them to know what information the company has about them,” Katila says.
No need for total blocks
Koivumäki would encourage businesses to think about whether they can break down blocks of marketing into smaller ones. If, for example, a company offers many products or services, the customer’s refusal to receive marketing messages need not be total.
Koivumäki gives an example. A customer receives constant invitations from a company to events she does not want to attend. The company has interesting content and good offers, though.
“One small wrong ad could lead to the customer objecting to everything from this company, even though that isn’t what is required by law. I’d encourage businesses to think about breaking down their opt-outs into ‘If you no longer wish to receive invitations to our events, click here’, instead of the option never to hear about the company ever again. Whether your IT system can adjust to deal with solutions like this has an impact,” says Koivumäki.
Common sense helps with the GDPR
Consumers and customers are very aware of their rights. Hence, an entrepreneur could try to make a selling point out of being open and honest about the data she/he registers.
“For example, I could go to my hairdresser, who’s written down everything that’s been done to my hair over the years, and she could ask whether it’s OK if the data are still stored. I could imagine reacting positively: I’m being informed and all the data on me, the customer, are secure and usable,” says Koivumäki.
In Koivumäki’s opinion, the GDPR does not need to be read literally.
“I concede that the GDPR places excessive demands on small businesses, and it’s clear that the supervisory authorities are not as interested in a small company as they are in a multi-million-euro company’s customer loyalty system.”
But how does a business know what it can do without attracting fines?
Koivumäki says that common sense and the degree of seriousness help when interpreting the regulation.
“In confusing situations, I often think about what Brussels’ intention was in introducing this new regulation. The purpose is to protect your customers’ and potential customers’ privacy while your company’s digital business grows and develops. The legislators absolutely wanted to allow diverse ways of processing data, but how can an entrepreneur act in his or her business without endangering customers’ data or privacy?”
The sensitivity of personal data also affects how strictly the regulation is interpreted. Data on health, sexual orientation, political opinions or similar matters require more rigorous interpretation of the Regulation.
“My hairdresser doesn’t process sensitive data if she writes down what colour she dyes my hair and that I like a bob cut, but hairdressers know a lot about us! A hairdresser doesn’t record information about customers’ love lives or the like in any register – or at least they shouldn’t. Personal data legislation is based on the premise that information only becomes personal data and part of a register when you store it digitally or physically,” Koivumäki says.
Entrepreneurs should remember that GDPR is also about keeping personal data safe and secure, where it can only be accessed by authorised people. Please review how you store personal data and make sure you only store data that is relevant for your processing. If you have any questions please contact a professional.
elina.hakola (at) yrittajat.fi