Now that you’ve written those GDPR policy documents and tackled your corporate mountain of old data, you might be ready to leave the legal stuff to the lawyers and get back to marketing, comms and sales. But maybe you’ve read something about PECR and some people on LinkedIn are still insisting that b2b email marketing will be over in May 2018?
What Is PECR?
PECR is the Privacy & Electronic Communications (EC Directive) Regulations 2003 which governs email marketing. As an EU Directive, the UK can choose how to interpret PECR. Crucially the UK allows businesses the freedom to email other businesses on business matters without consent. Most EU countries do not allow b2b email marketing without consent.
The EU wants to update PECR and upgrade it to a Regulation (the ePrivacy Regulation or ePR) which means that all EU nations must follow the rule to the letter and there is no flexibility on its interpretation. The European Parliament signalled its desire to update it before May 2018 and bring in the new ePrivacy Regulation on 25 May 2018. As this would bring the UK into line with the EU and likely outlaw the sale of all third party b2b mailing lists, Electric Marketing wrote to a number of government ministers and departments asking for more information.
Five weeks later, the Department of Digital, Culture, Media & Sport has emailed a reply; The Rt Hon David Davis MP Minister For Exiting The European Union, passed my letter to them.
EU Plans To Update PECR
The Department For DCMS states that is pretty much impossible for the EU to stick to their timetable of introducing ePR, the update to PECR legislation in May 2018. It points out that while the European Parliament has agreed its policy, all 28 member states are yet to officially state their position on the proposal and the final text of the ePrivacy Regulation is yet to be agreed by the European Parliament, Council and Commission.
“Our stand is that the quality of the text must be prioritised over speed”
The email from the DDCMS says that the UK government is pushing for a workable timetable for implementation, which I take to mean a two year period for business to prepare for the new ePrivacy Regulation.
What Is The UK Government’s Position On The PECR Update?
The email goes on to say
“In relation to unsolicited communication (spam emails and unsolicited calls), the UK’s position is to ensure the provisions for marketing communication are aligned with the high standard set in our domestic regime (‘PECR’) without compromising our regulator’s ability to enforce against such communication. We also aim to tighten the definition of direct marketing communications to avoid users needing to consent every time they load a webpage with ads. Elsewhere, the UK’s position is to maintain the level of flexibility for Member States in the current law.”
I believe that means the UK’s position is to continue to allow b2b email marketing without consent. But I am quoting the email from the ministerial support team at the Department for Digital, Culture, Media & Sport verbatim so that you can come to your judgement.
When Will The New PECR Regulation (ePR) Come Into Force?
Perhaps more pertinent is the question of timing; the EU needs to agree a text and pass the update to PECR before the UK leaves the EU on 29th March 2019 for the updated Regulation to become part of the European (Withdrawal) Bill and to pass into domestic legislation. If the EU passes the Regulation, it is likely that there will be a period of implementation which may be two years as with GDPR. If the ePrivacy Regulation is not passed before the UK leaves the EU, we will have to see what sort of Brexit deal is struck with regard to implementing new EU laws in the UK post-Brexit.
What Is The Government’s Policy on Data Protection Post-Brexit?
For more information, read this Government publication Future Partnership.
Electric Marketing will keep a close watch on the progress of PECR throughout 2018 and into 2019.
Our view is that the implementation of PECR reform seems a way off yet. But beyond 2020, the future for business-to-business digital marketing is not certain.
GDPR Signals The Death Of The Opt-In Mailing List: How Can You Still Use B2B Email Marketing In 2018?
The new GDPR (General Data Protection Regulation) rules that if your mailing list is opt-in, consent to opt-in to receive marketing communications must be be “freely-given, specific, informed and unambiguous”.
It is no longer permitted to use mailing lists on the basis of the old opt-in wheeze of a series of double negatives to leave a box unticked agreeing to be contacted by “the company’s marketing partners”. The ICO’s (Information Commissioners Office) guidance on interpreting GDPR specifically rules out pre-ticked boxes and states that any third party using a mailing list must be named when the consent is given.
From May 2018 a mailing list can only be opt-in if a person has ticked a box next to a statement that specifically names your company. So your client list and any one who has signed up to receive info from your company on your website are opt-in lists. Third party opt-in lists are pretty much out after May 2018 and any company or list broker promoting opt-in mailing lists is not up to speed on GDPR.
The good news is that ICO guidance also states that
You don’t always need consent. If consent is too difficult look at whether another lawful basis is more appropriate.
Electric Marketing mailing lists are compiled and used on the lawful basis of “legitimate interest”. If you have a business interest in contacting a person, you may contact them without gaining their prior consent to do so. This applies across mailing, telemarketing and email, with some key restrictions.
There are no restrictions on postal mailing. Direct marketing with envelopes and stamps is swinging back into fashion. It is expensive compared to email marketing but compares well with other forms of digital advertising.
Business-to-business telemarketing is restricted to companies which have not added themselves to the CTPS register. All Electric Marketing lists do contain the phone numbers of CTPS registered companies and they are marked up as CTPS. You can buy mailing lists excluding CTPS registered companies. It is worth noting that companies must renew their registration each year so a company’s CTPS status can change over time. You can check a company’s status by putting their phone number into our free CTPS Checker.
Email marketing for business-to-business marketing is restricted by your own list of individuals who have unsubscribed from receiving emails from your company. This is a key point of difference between consumer email marketing which definitely does require consent. The reason for the difference is that email marketing is governed by a different EU directive, known as the Privacy & Electronic Communications Regulations (PECR). PECR states that it is permitted to send emails offering business services to business people at their business email addresses, but if they ask you to stop emailing them, then you must remove them from your list and must not email them again.
So the opt-in mailing list is dead. But email marketing for business-to-business communications lives on.
Happy New Year!
GDPR sure has been a long time coming. We’ve been worrying about the effects of the new Data Protection legislation from Europe since 2011. We are now a year away from the deadline of 25 May 2018 to comply. And Brexit won’t save us.
For consumer marketers there are big changes but for b2b marketing, changes need to be made but they are not too onerous. And if you already comply with current legislation, you will find yourself with a pretty short to-do list for GDPR.
Electric Marketing has prepared this guide to GDPR for b2b marketing. It focuses on what is relevant for b2b marketing.
The key change is that a company must show itself to be compliant with the rules. Write a policy document which sets out how you comply with the rules. Our guide puts the eight key issues into simple language that your policy document must cover.
There is a lot of misinformation out there about how email marketing will be affected by the new rules. This is certainly true for consumer marketing but b2b email marketing is not governed by GDPR, it is covered by the Privacy & Electronic Communications Regulation (PECR).
Until PECR is updated, the rules for b2b email marketing remain as they are ie you may send an email to a person’s business email address about business matters without first gaining their permission. Your email must have an opt-out mechanism. If the person opts out, you must not email them again. This is known as an ‘opt-out regime’.
What About Consent?
If you are using data for the sole purpose of b2b direct marketing, you do not need the prospect’s consent to do so. GDPR gives six reasons for lawfully processing data ie using emailing lists. Read them here on the Information Commissioner’s website.
B2B marketing does not rely on consent as the reason for data processing. Your policy document will say that you are processing data for the reason that the GDPR calls “legitimate interest” ie you have a legitimate business interest in emailing the person at their business email address.
Worried About PECR (Privacy & Electronic Communications Regulation 2003)?
The EU has an ambition to update the rules of PECR in May 2018 and has drafted legislation. The draft legislation appears to allow the UK to retain its opt-out regime for b2b marketing and while this could change, it seems unlikely. It is also possible that the EU’s timetable for updating PECR may slip beyond May 2018.
So PECR is as yet unknowable but if the EU’s timetable for the legislation slips just ten months to beyond March 2019, the UK’s Great Repeal Bill may not include the PECR update. To read more about the likely effects of the PECR update, look at solicitors Bird & Bird’s take on PECR here.
On 26 March 2016 the Information Commissioner issued new guidance on Data Protection and Privacy & Electronic Communications Regulations for direct marketing.
The full guidance can be read here https://ico.org.uk/media/for-organisations/documents/1555/direct-marketing-guidance.pdf but we’ve extracted the sections for business-to-business marketing and they are shown below:
Business-to-business texts and emails
1. Rules on consent, the soft opt-in and the right to opt out do not apply to electronic marketing messages sent to ‘corporate subscribers’ which means companies and other corporate bodies eg limited liability partnerships, Scottish partnerships, and government bodies. The only requirement is that the sender must identify itself and provide contact details.
2. However, it serves little purpose to send unsolicited marketing messages to those who have gone to the trouble of saying they do not want to receive them.
3. Corporate subscribers do not include sole traders and some partnerships who instead have the same protection as individuals. If an organisation does not know whether a business is a corporate body or not, it cannot be sure which rules apply. Therefore we strongly recommend that organisations respect requests from any business not to email them.
4. In addition, many employees have personal corporate email addresses (eg email@example.com), and individual employees will have a right under section 11 of the DPA to stop any marketing being sent to that type of email address.
1. Sole traders and partnerships may register their numbers with the Telephone Preference Service (TPS) in the same way as individual consumers, while companies and other corporate bodies register with the Corporate Telephone Preference Service (CTPS). So organisations making business-to-business marketing calls will need to screen against both the TPS and CTPS registers.
The right to opt out
1. Organisations must not make unsolicited marketing calls to a person who has said that they don’t want those calls. In other words, there is a right to opt out, and organisations cannot call someone who has objected to or opted out of marketing calls.
Organisations should not make it difficult to opt out, for example by asking individuals to complete a form or confirm in writing. As soon as an individual has clearly said that they don’t want the calls, they must stop.
2. If an individual objects or opts out at any time, their details should be suppressed as soon as possible. It is important not to simply delete their details entirely, otherwise there is no way of ensuring that the organisation does not call them again.
3. Organisations must not send marketing texts or emails to an individual who has said they do not want to receive them. Individuals have a right to opt out of receiving marketing at any time. Organisations must comply with any written objections promptly to comply with the DPA – but even if there is no written objection, as soon as an individual says they don’t want the texts or emails, this will override any existing consent or soft opt-in under PECR and they must stop.
4. Organisations must not make it difficult to opt out, for example by asking individuals to complete a form or confirm in writing. It is good practice to allow the individual to respond directly to the message – in other words, to use the same simple method as required for the soft opt-in. In any event, as soon as an individual has clearly said that they don’t want the texts or emails, the organisation must stop, even if the individual hasn’t used its preferred method of communication.
5. If an individual objects or opts out at any time, their details should be suppressed from marketing lists as soon as possible. It is important not to simply delete their details entirely, otherwise there is no way of ensuring that the organisation does not contact them again.
EU Regulation On Data Protection Unlikely To Become UK Law Before 2019
Nearly four years into the process, the Council of the European Union has now decided on its negotiating position for the trilogue with the European Parliament and the European Commission. There is now a timetable running to December 2015, during which representatives from the Council, the Parliament and the Commission will come together to decide on the final wording of the new EU-wide data protection regulation. This means that if they stick to this timetable, which on past form is by no means certain, by the end of 2015 we should know how the new regulations will affect direct marketers in the UK.
Among the controversial questions still to be thrashed out are:
What is the precise definition of ‘personal data’?
How will the ‘right to be forgotten’ work in practice?
What exactly is meant by the ‘legitimate interest’ of data controllers? Does this include marketing? And if it does, does it include any or all of consumer marketing, B2B marketing, online marketing and offline marketing?
Must consent be ‘explicit’ or not?
Will compulsory data breach notification apply to minor breaches or just high risk breaches?
Will all businesses be required to have a data protection officer?
What happens if EU data protection rules conflict with a non-EU country’s data protection rules?
While we might know what the new regulations will be by the end of 2015, they are unlikely to be adopted into EU law before mid-2016. In fact the Information Commissioner’s Office now estimates that the two year run-in period before the regulations become compulsory can realistically be expected to start at the end of 2016, meaning that they will not be enforced in the UK before the beginning of 2019.
We are following the progress of the proposed EU Regulation on Data Protection very closely.
While the MEPs voted overwhelmingly for a set of proposals which would outlaw list broking, cold telemarketing and cold mailing to named contacts, the Ministers of Justice & Home Affairs from each of the 27 EU nations are taking a more business-friendly, risk-based approach. They met on 10 October to agree their own set of proposals. They will meet again in January 2015 to try to reach agreement on the issue of the ‘right to be forgotten’.
When the Ministers of Justice & Home Affairs have reached agreement, then the three-way negotiations with the European Parliament and the European Commission begin. This is likely to happen in the second half of 2015.
According to the DMA (Direct Marketing Association), this progress means that the Regulation could be passed into EU law by late 2015. The UK then has two years to implement the law, which means that the Regulation could be enforced in the UK by late 2017 or more likely, early 2018.
To increase the uncertainty of what may happen in direct marketing, David Cameron has promised an ‘in/out referendum’ on Britain’s membership of the EU before 2018. It seems unlikely, but by 2018 we might be negotiating our way out of the EU.
To read the full text of the DMA’s article, written by solicitor James Milligan, see here.
Proposed EU Regulation on Data Protection will affect all businesses using mailing or email lists to prospect for new customers
We’ve been lobbying against the proposed new EU data protection legislation for getting on for two years now.
Earlier in 2014 the EU Parliament agreed a piece of draconian legislation that would outlaw list broking, insist on written consent for all marketing communications sent to a named person, with no distinction between b2b and b2c, and effectively finish off personalised marketing to anyone other than your recent customers. If that legislation were enacted it would mean the end of direct marketing as we know it. We will return to the days of writing to Dear Marketing Manager or Dear Stationery Buyer.
Following this vote there have been some alarmist blogs placed on the DMA’s website which have stirred the small business community into panic. Here’s one from June
However the reality is that the EU is still debating what form the legislation will take and what that legislation will be. The European Parliament has voted for this legislation but that does not mean that it will become law.
The European Commission, the European Parliament and the Council of Ministers have now all drafted three different versions of the proposed data protection regulation. The European Parliament draft is by far the most damaging for anyone who uses mailing or email lists to prospect for new customers. The three bodies will enter into negotiations as to which elements of each version will become EU law.
There are two types of EU legislation;
1. EU Regulation which obliges all countries to enact the legislation without amendment
2. EU Directive which has to be debated and passed through the UK Parliament at Westminster and to which amendments can be made.
The current UK Government is pushing for the laws to become a Directive, which will give UK MPs some leeway to alter the legislation as it applies to the UK.
It should be borne in mind that the UK amended the last similar piece of EU legislation (a Directive) with the Electronic Communications Act specifically allowing the sending of B2B emails in the UK without the sender first obtaining consent.
The UK coalition government opposes the proposals and is lobbying for them to be a Directive at the very worst. Unfortunately the Labour party is currently in favour of the proposals and has not replied to any of our letters on the subject.
As things stand we have at least two years until the law is changed.
If your company buys in data to use to prospect for new customers, please write to your MP, explaining what the proposed legislation will mean for you. Also write to Simon Hughes MP who is in charge of the UK negotiation with the EU. The more letters MPs receive, the more attention will be paid to the issue and it becomes less likely that the UK sleepwalks into agreeing to legislation that is damaging for business.
The time to write to your MEP has passed as the vote has happened and most UK MEPs (bar UKIP) voted in favour of the new draconian data laws. But it is always worth explaining to an MEP the consequences of their vote and the effect it will have on your business, our industry and the wider economy.
The European Parliament has voted to adopt the less business-friendly version of the Data Protection Regulation, proposed by the European Parliament’s Civil Liberties Justice and Home Affairs Committee (LIBE) in the November 2013 report.
The European Commission, the European Parliament and the Council of Ministers have now all drafted different versions of the proposed data protection regulation.
Europe’s Justice and Home Affairs ministers failed to reach an agreement on the draft legislation at their Council meeting in December 2013.
The Greek government has taken the chair of the Presidency of the EU Council and hopes to thrash out an agreement on the wording of the new legislation by summer 2014. If this happens it is possible that the new regulations could be agreed in 2014 and become law in 2017.
What impact will these changes have on your business? See http://www.electricmarketing.co.uk/EUdata.html
We wrote to a variety of MEPs, MPs, government ministers, other politicians and business organisations.
Here are summaries of their responses:
Charles Tannock MEP, Conservative – no response yet
Claude Moraes MEP, Labour – no response yet
Baroness Sarah Ludford MEP, Liberal Democrat – I am seeking to create an instrument with standards that are workable, realistic and enforceable by being user-friendly for citizens, allowing reasonable business to proceed, focused on outcomes rather than on process and tick-box exercise, and tough in sanctions on companies which practise deception or otherwise cheat the customer.
Dr Syed Kamall MEP, Conservative – The regulations must protect the privacy of citizens without putting too much of a burden on small and medium sized businesses. There is still a long way to go but we are optimistic a good result can be achieved.
Gerard Batten MEP, UK Independence Party – All legislation affecting citizens of the UK should be made at Westminster. I will therefore be voting against these regulations.
Jean Lambert MEP, Green – no response yet
Mary Honeyball MEP, Labour – I do not sit on the committees considering this matter. [BUT SHE DOES GET TO VOTE ON IT]
Marina Yannakoudakis MEP, Conservative – The regulations must protect the privacy of citizens without putting too much of a burden on small and medium sized businesses. There is still a long way to go but we are optimistic a good result can be achieved.
David Cameron, Prime Minister – It’s the responsibility of the Business Secretary, so I’ve passed your letter to Vince Cable.
Vince Cable, Business Secretary – Letter passed to the Ministry of Justice.
Lord McNally, Justice Minister, Liberal Democrat – We want to protect the civil liberties of individuals while allowing for economic growth and innovation. The UK benefits of the proposals are outweighed by the costs of additional administrative and compliance measures they introduce. The regulations in their current form could have a net cost to the UK economy of £100m-£360m per annum. The Government’s position is to negotiate for EU legislation that does not impose disproportionate burdens on business, including the direct marketing industry.
Ed Miliband MP, Leader of the Opposition – Your comments have been noted.
Boris Johnson, Mayor of London – I have no input to this. Try writing to the Direct Marketing Association.
Chuka Umunna, Shadow Business Secretary – no response yet
Nick Clegg, Deputy Prime Minister – no response yet
Institute of Directors – We are working on forming a policy position around the incoming legislation.
Federation of Small Businesses – We agree that the new rules will have a devastating effect on the direct marketing industry and are working hard to have them changed.