Businesses across the UK are preparing for the biggest overhaul of data protection legislation in over 25 years. As of 25 May 2018 a new EU law, the General Data Protection Regulation (the "GDPR"), will come into full effect. Regardless of Brexit, the GDPR is here to stay, and given the increased monetary penalties it is important that businesses are aware of what they need to do to ensure compliance.
The changes under the GDPR are particularly significant for charities, because charities rely on contacting donors and supporters for funding and therefore often handle high volumes of personal data, particularly for direct marketing. There is, however, significant confusion in the legal press as to how the changes to consent for processing personal data under the GDPR interact with obtaining consent for email and SMS marketing under the Privacy and Electronic Communications Regulations ("PECR").
Previously, under the PECR, consent for direct marketing by email and SMS could be obtained via "soft opt-in", i.e. by sending messages that give the recipient the option to opt out. The GDPR, by contrast, states that consent must be freely given, specific, informed and unambiguous, and therefore that "silence, pre-ticked boxes or inactivity should not constitute consent". Some commentators have interpreted this as meaning that "soft opt-in" can no longer be relied upon for direct marketing by email and SMS, which would mean that charities would now always need to obtain explicit "opt-in" consent, whereas other commentators state that the new consent requirements do not apply to direct marketing.
The key to unravelling the conflict is to separate the issues. For email and SMS marketing, the PECR alone defines the consent standard required for lawful marketing by electronic communications. PECR and GDPR are not interchangeable or a substitute for each other, but work together. PECR requires charities marketing to individuals by email and/or SMS to obtain consent through opt-in or soft opt-in with a simple unsubscribe process, whereas the GDPR requires one of its lawful bases for processing to be satisfied; for processing personal data in order to facilitate e-marketing, e.g. profiling and segmentation, this would usually be legitimate interest rather than consent. If the charity relied on consent instead of legitimate interest, however, that consent would now need to be obtained at the higher GDPR standard.
That being said, to add to the confusion, the PECR is also being updated, and it is intended that the new regulations will come into force at the same time as the GDPR. It is currently unclear whether the consent standard for sending e-marketing under the new regulations will match the GDPR standard or will be the same as or similar to the current PECR standard, i.e. opt-in/soft opt-in. It would therefore be best practice to adopt opt-in for e-marketing in anticipation of a potential change.
We advise charities to:
- review marketing processing flows and opt-in mechanisms;
- set up opt-ins for e-marketing where required;
- establish the legitimate interest requirement where appropriate;
- give the individual a choice between targeted/segmented content and non-personalised content. This way, someone who does not currently want to be tracked and profiled can still be an email subscriber, and can always opt in to targeted content later.