By 25 May 2018, many of us will already be fatigued by the barrage of emails arriving in our inboxes regarding the General Data Protection Regulation (GDPR). Companies are contacting customers on their mailing lists to get (in some cases again) affirmative opt-in consent from their subjects, apparently to comply with the GDPR. The question is, are these emails and reconsents even necessary?
Many people are unaware that consent for email marketing is already a requirement under European e-privacy law, which allows marketing on an opt-out basis for existing customers. If you have your unsubscribe rights in place, all is well; the GDPR does not change that at all.
If a company has already acquired personal data (such as a purchased marketing list), it still needs to have grounds to process it. But if there are no grounds for processing, then consent may be the simplest way of complying with the rules. However, users may then reply asking how the company got their private data in the first place, so companies need to carefully consider their subsequent actions to avoid any potential reputational damage. This may be particularly pertinent if companies are unsure how they collected the contact information in the first place, as they may have no grounds for contacting the user at all.
If there is already a commercial relationship in place, then consent is not needed, as present legislation already allows marketing emails to be sent out about the product/service, and also about related products/services, so long as an option to opt out is offered.
So, the question is, do these emails need to be sent at all? We can split the email marketing issue into two steps: firstly, the processing of data enabling the company to send marketing emails and, secondly, the ePrivacy Directive, which looks at the sending of the communication itself. A company needs to have a legal basis under the GDPR for the first step, and then it must meet the ePrivacy Directive rules, which have regulated email marketing since 2002.
Realistically, the only companies that should be sending out reconsent emails for marketing are those that cannot currently demonstrate that this consent was legally obtained. If it was not obtained, this would already put them in breach of EU law, namely Article 13 of the ePrivacy Directive, which stipulates that communications, including emails, may not be sent without prior consent unless there is an existing customer relationship.
Companies should ask themselves whether reconsent is necessary, unless, of course, the reconsent is being used to paper over a previous lack of compliance, which users might start to notice.
Also, it is important to note that it is illegal for companies to contact people who have previously opted out of all communications, since their personal data should no longer have been held on the company's database.
On the positive side, a counterintuitive feature of the GDPR is that it is a good opportunity for customers to automatically get off mailing lists. It is the easiest and most consistent way of unsubscribing and withdrawing consent… by doing nothing.