What Europe’s Tightened Rules for Personal Data Mean for Marketers

In April 2016, the European Union passed a new regulation called the General Data Protection Regulation (GDPR). The regulation, which is aimed at updating and unifying personal data laws across the EU, significantly changes the requirements surrounding the use of personal data, and will undoubtedly have a profound effect on marketers.

The scope of the new regulation, which takes effect May 25, 2018, is large. The GDPR affects any businesses based in the European Union as well as anyone collecting personal information from EU citizens.

The regulation also expands the definition of personal data.

“‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

How do these regulations affect marketing?

The new regulations require explicit consent for the use of personal data.

This means that marketers can only send marketing communications to people who have specifically and explicitly consented to receiving marketing communications using their personal data. Email addresses and phone numbers are two examples of commonly used personal data that will be affected by the GDPR.

At the same time, customers must be adequately informed as to how their personal data will be used. If a company intends to use personal data of any kind—which can include information as broad as medical information and social media posts—they must inform people of their intent to do so when acquiring consent.

If personal data will be used to customize marketing messages or customer offers, customers must consent to this use. The regulation states that this consent must be “freely given, specific, informed and unambiguous.”

New standards of consent: soft vs. hard opt-in

The requirement of free, specific, informed, and unambiguous consent affects several common marketing practices. Some common email marketing practices include:

  • Adding people who download a white paper to a company’s newsletter subscriber database
  • Emailing people using information collected from business cards at a conference
  • Pre-checked boxes indicating consent to receive marketing messages

The latter two of these scenarios are no longer allowable under the new regulations.

Unless the language on opt-in forms includes notification of the use of personal data and delivery of marketing messages, the first item of the list is also disallowed. Consent forms must state the intent to use data clearly and unambiguously, without the use of vague language.

In other words, so-called “soft” methods of opt-in are no longer acceptable.

Updating consent forms to include language related to marketing messages and personal data usage can allow companies to continue collecting emails through white papers, contests, and other online forms, but people must complete a “hard” opt-in after being expressly informed that they are signing up for marketing messages.

Ability to demonstrate consent: single vs. double opt-in

Under the new regulations, the burden of proving that consent was received is on the company collecting personal data. If requested, companies must be able to produce proof that a person has freely, specifically, and unambiguously opted into communication after receiving adequate information.

This requirement notably affects opt-in practices. Because a double opt-in clearly demonstrates consent to receive messages, double opt-in will become the new standard for marketing communications.

An email marketing example can help clarify the difference:

A person goes to a website and enters their contact information into a form, then presses submit. Before a company can begin sending any marketing communications, they are required to send an email where the person must again confirm their desire to opt-in.

Fortunately, double opt-in is already a best practice for email marketing. Requiring a double opt-in improves the quality of an email list because it ensures that everyone on the list is relevant to, or at least interested in, the company.

Isn’t having a larger email list (as a result of single opt-in) always preferable?

No. The quality (as opposed to size) of an email list becomes important when assessing open rates, clickthrough rates, and email conversion rates. A large list of disinterested people artificially deflates the measurement of these campaigns—each measure will appear lower, which makes it more difficult to determine whether a campaign is successful.

A single opt-in email list is also more likely to have high bounce rates and be sorted as spam by email services.

Enacting double opt-in allows for clearer measurement of success, better A/B testing, and adjustment of marketing campaigns—which can in turn improve ROI—all while remaining compliant with new regulations.

Retroactive regulation of existing databases

Existing databases are affected by the new regulations.

That means that companies currently using personal data will need to be able to demonstrate consent—even though explicit consent was not required to build the existing database.

How does this affect marketing communications? If you cannot demonstrate consent for each person in your email marketing database when the regulation takes effect, you will no longer be able to send those people emails.

How can you overcome this problem? Communicate with your email marketing database before the regulation takes effect. Sending a re-authorization campaign that asks people on your email list to specifically choose to continue receiving communications fulfills the explicit consent requirement of the new regulations.

Note: this type of re-authorization is also a generally useful email marketing tool. If a segment of your email marketing database has become less active, re-authorization or re-engagement campaigns can help you identify those people that are still interested in your company so that you don’t waste time marketing to dead leads.

Maintaining marketing compliance under GDPR

Marketing communications will be significantly impacted by GDPR, but maintaining marketing best practices can help achieve compliance.

Key considerations for compliance:

  • Free, specific, informed, and unambiguous consent is required before any use of personal data, including for marketing communications
  • Using hard opt-ins and double opt-ins can ensure that there are records of consent, which companies must be able to produce on demand
  • Existing databases must follow new regulations, and can be updated for compliance using re-authorization campaigns

There may be additional considerations depending on the size and nature of your company. For example, some companies will be required to retain a data protection officer (DPO), and new regulations govern the reporting of data security.

If you need help updating your marketing communications to remain compliant with GDPR, don’t hesitate to reach out and contact us.