The ICO has updated its guidance “Preparing for the General Data Protection Regulation (GDPR), 12 steps to take now” and recommends that businesses “Refresh existing consents now if they don’t meet the GDPR standard”.
Why is this necessary? In March 2017 the ICO issued draft “GDPR consent guidance”. This was a consultation version to gather the views of stakeholders and the public. The draft guidance states “if existing DPA consents don’t meet the GDPR’s high standards or are poorly documented, you will need to seek fresh GDPR-compliant consent, identify a different lawful basis for your processing (and ensure continued processing is fair), or stop the processing”. This means that, in practice, many businesses will have to refresh their consents.
Should I re-contact my entire database now? Before you do, here are a few things you may wish to consider.
- The European authorities have not yet issued their guidelines on consent and the ICO intends to “evolve” its guidance to take into account European level developments.
- The ICO may make changes to the guidance following the public consultation. There have been over 300 responses. The Direct Marketing Association has described the draft guidance as “anti-competitive” and believes that the ICO’s view that “opt-out boxes… are essentially the same as pre-ticked boxes, which are banned” is “incorrect”, and that the requirement to specifically name third parties relying on the consent (as opposed to categories of recipient) is “in direct contradiction of” other parts of the GDPR.
- The general rules on consent relating to “personal data” (e.g. names, email/postal addresses and even IP addresses or other device-specific codes if an individual is identifiable) are governed by the GDPR, but the new ePrivacy Regulation, published in draft/proposal form in January 2017, contains more specific rules on electronic marketing. The new ePrivacy Regulation will replace the current rules, which include a ‘soft opt-in’. Significantly, the draft still includes a version of the ‘soft opt-in’ permitting marketing by email of similar products and services within an existing customer relationship, provided that the customer is given an opportunity to object to marketing communications at the time of collection and with each message. So whilst the opt-out box might be dead under the GDPR, at present it still seems to be an option under the proposed ePrivacy Regulation (albeit in a very narrow set of circumstances).
So, what now? Businesses that use personal data to send marketing communications should: (i) identify whether they need a consumer’s consent to send that marketing communication; (ii) review whether they need to make any changes to how they seek, record and manage consent under the GDPR; and (iii) assess whether they fall within and comply with the proposed ePrivacy Regulation. However, if you wish to rely on ‘soft opt-in’ for certain electronic marketing or if parts of the draft guidance would be unworkable for your business, you might choose to wait for a more definitive view from the ICO on what consent means in practice and how it interrelates with the ePrivacy Regulation before contacting your customers with revised consent wording. The ICO had aimed to issue a final version of its consent guidance last month but hasn’t yet.
Failure to comply with the GDPR (or the proposed ePrivacy Regulation) with respect to marketing communications has potentially serious consequences, as regulators have the power to impose large fines.