One of the questions we’ve most commonly been asked in recent months is “does the GDPR mean we have to get fresh consents from our entire marketing database?” In many (indeed, perhaps most) cases, the answer is “no” - though the explanation for this is not all that straightforward, and so the confusion here is easy to understand.
This confusion stems in large part from Recital 171 of the GDPR, which reads: “Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation, so as to allow the controller to continue such processing after the date of application of this Regulation” (emphasis added).
The idea here is that, if you collected consent for data processing pre-GDPR, then you can continue to rely on that consent post-GDPR. So far, so good. But the sting in the tail is that this holds true only if the consent you obtained pre-GDPR was obtained to a GDPR standard - i.e. the consent was “unambiguous” and demonstrable (i.e. auditable) in line with the requirements of Art 7. Since these requirements didn’t apply pre-GDPR, it follows for most businesses that the consents they obtained pre-GDPR won’t be valid once the GDPR comes into effect - and so they may need to go out and get new GDPR-standard consents. That, or accept the risk of non-compliance.
At this point, you might be thinking “So all our marketing consents are invalid? Do we really have to go and get fresh marketing consents from x thousand / million customers?” Things are not quite as bleak for marketers as it may seem, however.
Marketing regulation under the GDPR
To begin with, marketing under the GDPR (whether postal, phone, e-mail, SMS or any other form of marketing) is regulated exactly like any other data processing activity. This means that you have to show that you have a lawful basis under Art 6 to conduct direct marketing, and this lawful basis does not necessarily have to be consent-based. In fact, it often won’t be.
This is because the GDPR acknowledges that direct marketing will often be a ‘legitimate interest’ of the data controller (legitimate interests being a non-consent based ground for data processing) and therefore consent to direct marketing is often not required under the GDPR. Recital 47 of the GDPR actually says that:
“The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
This means, for example, that if a business wishes to send postal marketing about a new product to its customer base, it can often do so in reliance on its ‘legitimate interests’ - it generally does not need its customers’ consent to this mailing. It will, however, always need to offer them an opt-out (Art 21(2)).
Marketing regulation under the e-Privacy Directive
Marketing regulation under the GDPR is only half the story, however. Europe also has a separate law - the Privacy and Electronic Communications Directive (or e-Privacy Directive) - that contains supplemental rules governing consent requirements for e-marketing, i.e. marketing sent over electronic communication channels (such as phone, fax, e-mail and SMS, for example). When sending e-marketing, these supplemental consent rules apply in addition to the need for businesses to identify lawful processing grounds under the GDPR.
Put as simply as possible, these rules require opt-in consent for e-mail and SMS marketing, unless an individual’s contact details were collected in the context of a sale and the individual was given the ability to opt-out at that time. If so, first party e-mail and SMS marketing is possible on an opt-out basis (though third party e-mail and SMS marketing still require opt-in). Similarly, phone direct marketing is also generally possible on the basis of opt-out provided the call list is first screened against the relevant country’s national do-not-call registry (as well as the business’s in-house opt-out list).
Consequently, much of the direct marketing that businesses send today is sent lawfully on the basis of opt-out, not opt-in (i.e. consent). In these instances, there is therefore no legal requirement for these businesses to seek fresh consents under the GDPR because their marketing was never based on consent (opt-in) in the first place.
Looking forward to the e-Privacy Regulation
This is not quite the end of the story, however.
The e-Privacy Directive is, itself, undergoing reform presently - to be replaced by a new e-Privacy Regulation at some point in the future. The European Commission has set an optimistic goal of achieving adoption of the e-Privacy Regulation by May 2018 - i.e. to see it enter into force at the same time as the GDPR - though whether this timescale can be realised is uncertain.
Nevertheless, broadly speaking, the original draft of the e-Privacy Regulation proposed by the Commission largely retains (at Art 16) existing e-marketing rules as they apply under the current e-Privacy Directive. The European Parliament has, to date, seemed relatively accepting of at least this aspect of the Commission’s proposed reforms, making it likely that opt-out e-marketing will remain possible once the e-Privacy Regulation is finally adopted.
Still, it is worth remembering that it is only draft law at present and so e-marketing rules may evolve further as the Council of the EU and the Parliament enter their trilogue negotiations. Marketers will need to monitor developments here closely.
The law of unintended consequences?
While it will be good news for businesses that their existing lawful opt-out marketing is generally unaffected by the GDPR, businesses which previously sought opt-in consent may now find themselves technically needing to refresh those consents for GDPR compliance - an ironic result for businesses that had previously looked beyond strict legal compliance and had taken a best practice, opt-in approach to marketing.
Resistance to change is alive and well when it comes to CASL compliance. The current statutory review is giving voice to factions who would like to see CASL abolished. They would like to go back to treating their prospects poorly.
We are hearing a lot of whining and complaining about CASL from a few characters claiming to represent Canadian businesses. They are attempting to build a case for returning to an opt-out system, or at the very least a hybrid system, so it is easier to spam people. We are scratching our head regarding most of their arguments. In fact, it brings to mind a 7 year old throwing a fit because they don't want to do what they're told. So let's try to explain why CASL is needed.
Why do I have to have consent?
Because your prospects and customers deserve respect. Their inbox belongs to them and you should ask if they are interested in the kinds of messages you would like to send them. HINT: if they say NO or do not respond, they are likely either not interested OR they do not like the messages or the frequency of messages. NOT providing consent when you ask is a message in itself.
Because there are far too many unwanted email messages already. You're either part of the problem or part of the solution.
Because if we don't stop inundating them with email, people will find a better way to communicate and email will find its way to the trash bin. Some individuals have already decided email is a waste of time. Primary reason: we have peppered them with irrelevant messages. Yes, I know they are relevant to you - the sender - just not to your entire audience. My proof is the exceptionally poor open rates we seem to find acceptable.
Because it's the law.
But I have never had to have consent before. Why now?
Because we blew it. As businesses and marketers we BLASTED at will - relevance be damned. Is anyone else in marketing embarrassed that the Government had to step in and insist that we treat our prospects and customers with respect? Canada was the last G8 country to pass an anti spam law. By the time we arrived at the table we could see how much of a mess it was.
Fact is we almost destroyed email marketing as a valuable tool in our marketing kit. It is an exceptional way to communicate and interact with customers and near-customers - a very important group of people for most companies. But we insisted on using it to create awareness which it is very weak at.
Email is not a mass marketing tool and we should stop treating it like one just because it is so cheap to execute.
Let's be honest. It has been the "best bang for the buck" and without regulations we have been able to do whatever WE want. Whatever is best for us. Yet good marketers think "Customer First" (or used to) and these tactics fly in the face of customer-centric marketing. How did we let it get this far? Have you given your email address to any retailer lately? Yikes! Thank the Government for mandating a working unsubscribe in every email. I know getting off some lists is like trying to get dog poo off your hiking boots, but having it be part of our anti-spam law helps.
Next you must be transparent in every communication and include the full company name, postal address, a contact name and 2 ways to reach them.
You also must have a working unsubscribe in every email. "Working" is defined as being able to unsubscribe within 2 clicks and being removed from the list within 10 business days (2 weeks). 2 clicks; 2 weeks.
Pretty simple. If you are just starting to build your email list, CASL compliance is the right way to manage email marketing. And it is easy to design a series of processes to enable you to show proof if required.
The difficulty in being CASL compliant is changing the poor email habits and processes that we already have in place. That's what is causing all the whining and complaining about how tough CASL is: people HATE change. Especially when they do not understand WHY.
Campaign Monitor reports there are 180 billion spam messages sent every day. (A colleague suggested Spamhaus has stated a number far north of that.)
One message to one inbox is no problem. 180 Billion every day...
We all have the experience of our inbox being taken over by messages that we have no need for, commitment to or interest in.
CASL is designed to return the control of our inbox back to the individual. And it's working.
Should we make some changes to CASL based on what we have learned in the first 3 years of enforcement? Yes. The lawyers have pointed out several issues and they should certainly be rectified. But for the most part, it is working and we should just all adjust. At the end of the day, as Kim Arsenault of Inbox Marketer says, "It is what our clients have been doing all along. CASL did not change much in our world as we knew it was simply best practices for email marketing, when you put your customer first."
As it relates to email marketing, are you putting your customer first?
Step 1: Appointing a Data Protection Officer (“DPO”) or “Pilot”
The CNIL’s methodology first stresses the need for organizations to appoint a leader to pilot governance of data protection within their structure. This person will internally carry out informational, advisory and control tasks. Pending the application of the GDPR in 2018, the CNIL suggests that organizations may appoint a French DPO (Correspondant Informatique et Libertés) now. This will allow them to be one step ahead and better organized to comply with the upcoming GDPR. The CNIL strongly recommends appointing a DPO (with internal relays) who will be in charge of ensuring GDPR compliance, even if the organization is not required to appoint a DPO under the GDPR.
The first step will be completed once organizations have appointed a “pilot” responsible for implementing GDPR compliance measures based on an engagement letter, and have provided that person with human and financial means to perform his/her tasks.
Step 2: Data Mapping
For the second step, organizations are recommended to identify, in detail, their data processing activities. They may do so by preparing and maintaining a register of data processing activities. The CNIL’s methodology notes that, under the GDPR, organizations will have to keep full internal documentation of their data processing activities. The CNIL’s methodology proposes a template register.
Organizations may move to the third step if they:
have contacted all the appropriate services and entities that process personal data within their structure;
have established a list of their data processing activities per (main) purpose – not per system or application used – and of the types of personal data processed;
have identified the vendors/data processors involved in each data processing activity; and
know where the data is being transferred and to whom, where it is hosted and for how long it’s retained.
Step 3: Prioritizing Compliance Actions
After preparing the register in the second step, the CNIL’s methodology recommends identifying, for each data processing activity, the actions that will need to be implemented to comply with current and future data protection obligations. This prioritization must be carried out, taking into consideration the risks to the rights and freedoms of the data subjects.
The actions to be implemented will, at a minimum, include:
ensuring that only personal data that is strictly necessary is collected and further processed;
identifying the legal basis for the data processing;
reviewing existing privacy notices to comply with the GDPR notice requirements;
verifying that all vendors/data processors are aware of their new obligations and responsibilities under the GDPR and that appropriate privacy clauses are inserted in services agreements;
defining a procedure for handling data subjects’ requests for exercising their data protection rights; and
verifying the data security measures implemented.
The third step will be completed once organizations have implemented measures to protect the data subjects concerned by their data processing activities and have identified those data processing activities that involve a privacy risk.
Step 4: Managing Risks
If, during the previous step, organizations have identified data processing activities that may pose high risks to the rights and freedoms of data subjects, they will need to carry out a privacy impact assessment (“PIA”) for each of these data processing activities. The CNIL’s methodology refers to the CNIL’s 2015 PIA guides as a tool to carry out PIAs under the GDPR.
The fourth step will be completed once organizations have implemented measures to respond to the main risks and threats to data subjects’ privacy.
Step 5: Organizing Internal Processes
Under the fifth step, organizations must implement internal procedures to guarantee data protection at any time, taking into account all events that may occur during the lifetime of a data processing activity (such as a data security breach, management of data subjects’ requests, changes to the data collected, change in vendors, etc.). In particular, this implies the following actions:
taking into account data protection principles when designing an application or a data processing activity;
increasing employee awareness and ensuring that information is escalated to relevant employees or directors, in particular by developing a training and communications plan;
handling data subjects’ complaints and requests for exercising their data protection rights; and
anticipating data security breaches by ensuring that, where required, the breach will be notified to the data protection authority within 72 hours and, without undue delay, to the data subjects affected.
An online notification service will be available on the CNIL’s website in May 2018. Pending that service, organizations may consult, by way of example, the French data breach notification form used by telecommunications providers to notify their breaches.
Organizations may only move to the final step once (1) best practices for data protection are implemented by the services in charge of implementing data processing activities, and (2) personnel know what to do and whom to contact in the event of a data incident.
Step 6: Keeping Documentation on Compliance Measures
For the final step, organizations must compile and group all necessary documentation together. The actions and documents produced at each step must be regularly re-examined and updated to ensure continued data protection. In particular, this documentation will need to include:
the register of data processing activities (for data controllers) or the categories of data processing activities (for data processors);
PIAs for high risk data processing;
data transfer mechanisms (e.g., EU Model Clauses, Binding Corporate Rules and certifications, where applicable);
consent forms, as well as evidence that data subjects have given their consent where consent is the legal basis for the data processing;
procedures implemented for the exercise of the data subjects’ data protection rights;
contracts with vendors/data processors; and
internal procedures in the event of a data breach.
The sixth step will be completed once the documentation demonstrates compliance with all of the GDPR obligations.
The CNIL will adapt and complete the above tools when relevant GDPR guidelines are published by the Article 29 Working Party.