Legal Hub - GDPR Practitioner Advice 2
08 May 2018
The DMA Email Council's Legal Hub has created a series of GDPR questions and answers to assist practitioners to understand the GDPR regulation and directly tackle some of the most burning questions in the industry.
Q: Do we need to double opt-in (confirmed opt-in) to satisfy GDPR?
Written by Steve Henderson, deputy chair of DMA Email Council and compliance officer at Communicator
There’s no definitive right answer regarding which method to use. While double opt-in is not a requirement of the legislation, a double opt-in process will validate the email syntax and the email recipient and also provide an individual’s record of consent, but can result in lower subscriber numbers.
A clear and effective single opt-in process is easier to use and will often result in higher subscriber numbers, but carries a higher risk of invalid data and doesn’t provide the same degree of traceability as double opt-in.
Ultimately your decision will be whether you value quality or quantity and whether you believe your subscribers will stick with you while you ask them to perform more steps.
This balancing process will vary with the scenario, so I have a full write-up of the pros and cons here: https://www.communicatorcorp.com/blog/the-GDPR-QA-double-opt-in
Q: Can we rely on legitimate interests (if justifiable) for email marketing?
Written by Simon Hill, deputy chair of DMA North Council and co-founder of Extravision
Under PECR you still need permission (marketing consent or an existing customer relationship) to be able to send email marketing.
Looking at GDPR, to perform the task of email marketing, you will need data and you’ll need to process that data.
If you have permission to email under PECR then it’s unlikely that you will want to ask for additional permission to process the data – in which case legitimate interest will be your legal basis for processing that data under GDPR.
So, no: legitimate interests won’t be your legal basis for marketing, but it may be your legal basis for processing the data you need to perform your marketing.
Q: Can I rely on soft opt-in after GDPR comes into effect e.g. if somebody purchases from me, can I send them marketing messages?
Written by Simon Hill, deputy chair of DMA North Council and co-founder of Extravision
Soft opt-in is part of the “existing customer relationship” element of PECR, which isn’t changing at the moment. For this, you need to make sure you give customers the ability to opt-out during your purchase process – so pre-ticked opt-in boxes (soft opt-in) may still be used. With caveats:
You need to make sure the information requirements of GDPR (being simple, clear and transparent) have been met during the transaction process and you need to make sure the subsequent emails are in line with your customer expectations and are limited to content related to that original purchase.
So, you may still use soft opt-in, but because of the limitations you may be better following long-established best practice, keeping tickboxes unticked, and upgrading your opt-in process to GDPR-standard consent.