Data Protection Act (DPA) & Privacy and Electronic Communications Regulations (PECR)
In general, existing law (pre-GDPR) treats consent differently for B2C and B2B. B2B email addresses are treated as ‘corporate subscribers’, who can be marketed to without explicit consent as long as you enable them to opt out. B2C email addresses belong to ‘consumers’, who must have given explicit consent, subject to the grey area of the soft opt-in.
The ICO has published a full “Guide to Privacy and Electronic Communications Regulations” and a full “Guide to data protection”.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) comes into effect on May 25th, 2018.
The GDPR does not appear to differentiate between B2B and B2C: it requires unambiguous consent from every individual, whether the email address is a work address or a personal one, with no soft-opt-in leeway.
The Information Commissioner’s Office (ICO) has published its GDPR guide as a live document; it is a good reference and is kept up to date as things change.
The DMA also frequently publishes content, advice and case studies in its dedicated GDPR section.
Consent and GDPR
One of the main talking points is how brands can collect data in a GDPR-compliant way, whether data they have already collected is compliant, and what to do about it if it is not.
The ICO’s GDPR guide provides a handy set of bullet points to help you check that you are doing it right. Here are a few of the more vital ones for email collection purposes.
- Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build customer trust and engagement, and enhance your reputation.
- Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.
- Explicit consent requires a very clear and specific statement of consent.
- Keep your consent requests separate from other terms and conditions.
- Be specific and ‘granular’ so that you get separate consent for separate things. Vague or blanket consent is not enough.
- Keep a record of when and how you got consent from the individual.
- Keep a record of exactly what they were told at the time.
- Check your consent practices and your existing consents. Refresh your consents if they don’t meet the GDPR standard.
- Check to see if any of your existing contacts qualify under legitimate interest to avoid you having to re-consent them.
A single opt-in signup form, which anyone can complete with any address, has been deemed too ambiguous by most marketers. The most popular way to remove this ambiguity is a double opt-in confirmation email, whose link can only be clicked by the owner of the address.
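As an added illustration (not from the original article or any vendor's code), here is a minimal double opt-in flow in Python: the confirmation token is HMAC-signed so it cannot be altered, it expires, it is single-use, and a successful click produces the consent record the ICO bullets ask for (when, how, and the exact wording shown). The secret key, the in-memory stores and the 48-hour lifetime are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)  # assumption: in practice loaded from a key store, not generated at import
TOKEN_TTL = 48 * 3600                 # assumption: confirmation links stop working after 48 hours
CONSENT_TEXTS = {}                    # constructed in-memory stores; a real system uses a database
USED_NONCES = set()
CONSENTS = {}

def _sign(payload: bytes) -> str:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()

def start_signup(email: str, consent_text: str, source: str, now=None) -> str:
    """Return the token to embed in the confirmation email link.
    It binds the address, a hash of the exact wording shown, the time, the
    collection channel and a one-time nonce, so the record later shows what
    was agreed to, when and how. Inputs must not contain '|'."""
    ts = int(now if now is not None else time.time())
    text_hash = hashlib.sha256(consent_text.encode()).hexdigest()
    CONSENT_TEXTS[text_hash] = consent_text   # keep the exact wording the person saw
    payload = f"{email}|{text_hash}|{ts}|{source}|{secrets.token_hex(16)}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)

def confirm(token: str, now=None):
    """Verify a clicked link. Only the mailbox owner can see the token, so a
    valid click is the positive opt-in. Returns the consent record, or None."""
    ts_now = int(now if now is not None else time.time())
    try:
        b64, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(b64)
    except ValueError:
        return None                      # malformed token
    if not hmac.compare_digest(_sign(payload), sig):
        return None                      # altered or forged token
    fields = payload.decode().split("|")
    if len(fields) != 5:
        return None
    email, text_hash, ts, source, nonce = fields
    if ts_now - int(ts) > TOKEN_TTL or nonce in USED_NONCES:
        return None                      # expired, or link already used
    USED_NONCES.add(nonce)
    record = {"email": email, "consent_text": CONSENT_TEXTS.get(text_hash), "source": source,
              "requested_ts": int(ts), "confirmed_ts": ts_now, "method": "double opt-in"}
    CONSENTS[email] = record             # the auditable record: when, how, and what was said
    return record
```

Store the returned record alongside the subscriber so the "when", "how" and "exactly what they were told" questions can be answered later.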