The GDPR no longer needs an introduction (if this is the first time you hear of the GDPR, read our introductory article here). Most of us should know what the GDPR stands for. However, there is still a lot of uncertainty about the practical consequences of the GDPR and the interpretation of certain articles. So here’s one pressing question that we’ll dive into for you right now.
Am I still allowed to email my existing clients after the GDPR?
Many companies have been building a customer base for years now. Not only companies – not-for-profit organisations, charities and other institutions have gathered huge amounts of data as well. Only some of this data was obtained through an opt-in system. This leads to the following question: do these businesses and organisations have to ask for permission from every person in their database to keep using their data? That entails the risk that many people will ignore the request or refuse to respond, potentially causing your database to shrink considerably.
Before looking into the answer, let’s look at what consent to process data means.
What is consent under the GDPR?
The GDPR makes processing of data unlawful, unless you’re in one of six scenarios. Obtaining consent from the data subject is one of these scenarios, or ‘justification grounds’. Consent is also the most volatile, in the sense that individuals should be completely free to give it, but also retract it at any moment. In addition, consent has to be unambiguous, informed and given through a clear, affirmative action. Opt-out and the soft opt-in are therefore no longer valid options. Only the clear opt-in will be able to lead to valid consent, making the process of obtaining consent a lot harder than before.
Consent is not the only legal ground for processing. As mentioned before, there are six grounds in total and you only need to be able to rely on one of these to be allowed to process personal data. That includes the processing for the purpose of executing a contract, or because the company has a legal obligation to process certain data. Invoicing details, accounting information and certain medical data can be processed lawfully under these justification grounds. Another ground is the processing for a legitimate purpose – but more on that below.
This all fits into the general scheme of the GDPR, which is to give data subjects more control over data relating to them.
So what happens to your existing database?
The data can only continue to be used if consent was originally obtained in a way that already complies with the GDPR. This means that if consent was not obtained, or was obtained by way of a pre-ticked box, or relies on an opt-out, then consent should be asked for again.
You could organise a reactivation campaign and send an email to everyone in your database, asking them to consent to the processing of their data. And yes, this could lead to a long list of refusals – but think about this in a glass-half-full way: it keeps the people who are actually interested involved, whilst weeding out those who are not.
Are there ways to avoid the consent requirement?
Let’s go back to the six justification grounds. Consent is not always the only option; there is also the processing for legitimate purposes. If your company can show that its interests in processing personal data outweigh the right to privacy of the individuals concerned, then consent is not required. However, there’s very little indication as to what could constitute a legitimate purpose.
In the context of direct marketing, for example, it seems the GDPR has left a little room for an exception to the general opt-in rule. In one of the recitals, the law literally states that the processing of personal data for direct marketing purposes may be considered as a legitimate purpose. This means the European legislator gives you the benefit of the doubt, but there still needs to be a balance of interests.
Moreover, the GDPR is not the only law to keep an eye on here. There is also the e-Privacy Regulation that regulates, among other things, cookies, the use of e-mail addresses and the authorisation requirements for e-marketing. It’s not in effect yet, but will replace the current e-Privacy Directive.
Simply put, the e-Privacy rules require consent via opt-in for e-marketing, unless the e-mail addresses were collected in the context of a sale and the individual was given the opportunity to object at that time (opt-out). So if there has not been any contact with the data subject yet, the usual opt-in has to be provided.
Taking into account the GDPR and e-Privacy Directive, it does seem sufficient to offer an opt-out when engaging in direct marketing via e-mail. This means that consent is not strictly needed. However, the e-mail must concern a “similar service or product” and must be sent to an existing customer.
In all other cases, it is definitely safer to work with an opt-in system consistent with the GDPR. This may be a bit onerous at first, but it is also the path of least resistance. And be sure to keep an eye on developments around the e-Privacy Regulation!
This post has been written by Jan-Willem Lust and Morgane Van Ermengem.