Now that we are all getting used to GDPR, you have probably seen mailing lists advertised with the reassuring words “GDPR Compliant Data”. But what does it mean for b2b mailing list data to be GDPR compliant?
- The mailing list has to be current and up-to-date. The new General Data Protection Regulation does not define ‘current’. Electric Marketing is taking the view that our mailing lists, verified by telephone two or three times a year, qualify as being current.
- If the mailing list contains personal information, and names and company email addresses which contain a person’s name do count as personal information, every person on the list must be informed that they are on the mailing list and be informed of the extent of the information held by the data owner. This is not the same as consent, but a mailing list owner should contact the data subject and give them the opportunity to opt out. Unlike consumer marketing where consent is required, business-to-business marketing remains an opt-out regime.
- Data must have been collected lawfully ie data must not be stolen and must have been collected for the purpose it is being used for eg data subjects should not be told that their email address will be used for research purposes only to be sent sales and marketing emails.
So now you know what to expect of a reputable mailing list supplier. My next blog covers the steps that you, the user of bought-in b2b email lists, must take when running a GDPR compliant email marketing campaign.
Have You Invested In an eMailing List which is GDPR Compliant?
After the deluge of permissioning emails around GDPR, many people are acutely aware of which emails they have signed up to receive and which requests for permission they denied or ignored.
This means that slack marketers can no longer rely on the short memory of a target by writing something like this:
“You are receiving this email as you have subscribed in the past to receive information about our events. If you wish to update your email preferences or unsubscribe, please click the link below”.
Yes, this statement is doing the right thing by offering an unsubscribe, but post-GDPR this sort of email sign-off is increasingly being called out by targets.
A little white lie claiming that the prospect is receiving emails because they have ‘previously signed up’ or ‘enquired in the past’ when the marketer bought in an email list and the company has no previous relationship with the data subject does not enhance your campaign. In the post-GDPR age, very few people are falling for this anymore.
I have seen this at the bottom of a few emails this month:
“This email was sent to you as a corporate subscriber within the meaning of the Privacy and Electronic Communications Regulations 2003. Your personal data are protected under the General Data Protection Regulation and Data Protection Act 2018. If you would like to know how and why you have received this message, please visit our information page.”
Electric Marketing is signing off its emails with this:
“As a GDPR compliant company, we would like to explain why you have received this email. We believe that you have a need for business marketing data within your business. We have identified your email address as being an appropriate point of contact within your organisation. This represents legitimate interest in line with the ICO’s guidance. Our Privacy Notice is available here”
Like the new regulation, our statement is a bit clunky but as we all get used to what GDPR means for business-to-business marketing, this will no doubt become shorter and snappier over time.
Before the introduction of GDPR in May 2018, many companies emailed everyone on their client and prospect databases with a polite request (with a helping of desperate pleading) for consent from the data subjects to receive marketing emails. But with reported response rates at below 10% and with “consent fatigue” running high well before the deadline, any company which sent an email threatening that the recipient would ‘never hear from us again’ is now looking at a much diminished marketing database.
But businesses marketing to other businesses do not have to rely on consent as a lawful basis to process personal data (ie use email addresses for marketing). B2B marketers can use an alternative basis to process personal data: legitimate interests.
You can send business-to-business marketing emails on the basis that you have a Legitimate Interest in doing so. Before using Legitimate Interests as a reason for data processing and email marketing, you will need to carry out a Legitimate Interests Assessment.
Your third responsibility is to communicate that you are using Legitimate Interests to the data subject. We believe that this can be done by putting a statement at the end of every marketing email that you send stating something along the lines of:
“As a GDPR compliant company, we would like to explain why you have received this email. We believe that you have a need for business-to-business marketing data within your business. From our research, or from information that you have provided, we have identified your email address as being an appropriate point of contact within your organisation. This represents legitimate interest in line with the ICO’s guidance.”
You can read the ICO’s guidance on Legitimate Interests.
All B2B marketers who are using bought-in email lists in eMarketing campaigns must carry out and document their Legitimate Interests Assessment.
Any mailing list or email list that you have bought from a mailing list company can only be used on the basis of Legitimate Interests after 25 May 2018. Consent is now only valid if the company using the data was mentioned at the time of data collection. Unless your mailing list was researched on your behalf and your company name was mentioned to the data subject, consent (or third-party opt-in) is not valid under the terms of GDPR.
This blog was first published on 17th May 2018 (pre-GDPR) and was updated on 14th August 2018.
There has been a fair bit of scaremongering (and some unseemly profiteering on the back of scaremongering) surrounding GDPR.
If you are looking at files of old email addresses and wondering if you can continue to send business marketing emails, Electric Marketing’s data cleansing services can help you tidy up your b2b mailing lists and remove the records that are incorrect.
If you are unlucky enough to come to the attention of the ICO, the fact that you have taken steps to comply with the regulation that data must be up-to-date will stand you in good stead. The new regulation is clear that companies which fall foul of the new rules will be given guidance to put things right.
What the regulation does not specify is how up-to-date your b2b data must be. It does not define a time-frame for ‘up-to-date’. Given that data on large companies decays at a rate of 50% in each 12 months, Electric Marketing is working on the assumption that data that is more than a year old probably falls into the not up-to-date category. Our tests show that half of the records sold 12 months ago will now be incorrect in some way, be it a new postcode, changed phone number, new email address or change of person’s name or job title.
But for the client who called Electric Marketing wondering if the data he bought in 2012 is ‘GDPR compliant’, the answer was a firm no, as you need to update it. However, if you have kept your data up-to-date by calling the companies or verifying the data in some way, then yes, you can still use your pre-2018 mailing lists. But you must comply with the new rules and use the mailing lists on the basis of legitimate interests.
If you have not kept your data files up-to-date consider using a data suppression file such as Electric Marketing’s Leavers Database to get rid of the egregious errors. It will be tricky to convince the ICO that your data is up-to-date if it includes defunct companies such as Monarch Airlines, Allied Domecq or Consignia. Or old London phone numbers beginning 0171.
If your data update process extends to suppressing the unsubscribes and removing the emails which bounce back, be aware that some servers do not automatically reject email addresses that are no longer valid. Your emails may be being forwarded and read by the replacement managing director. On the other hand they may be sitting unread on the target company’s email server, ready for an officious DPO to report you to the ICO for sending promotional emails to an email address that has been out of use for 2 years.
I feel I may have drifted into scaremongering myself there. But the new General Data Protection Regulation is insistent that data is current and it is a risk to store and use marketing data that has not been maintained.
This blog was published on 15th May (pre-GDPR) and edited on 14th August 2018 (post GDPR).
If you buy business mailing lists and email lists, you can be forgiven for thinking that you can no longer use them since the arrival of GDPR on 25th May 2018, when the new General Data Protection Regulation came into force. Much has been written decrying this Data Protection Regulation update as the end of cold email marketing. And it does herald some big changes, most notably the tightening up of how people consent to their personal data being used. But this does not rule out cold b2b email marketing or using bought-in business mailing lists to generate sales.
Since 25th May, for consent to be used as a lawful basis to process data (ie send b2b marketing emails) a person must actively consent for their data to be processed and used and the name of the company using the data must be mentioned at the time consent is given. This means that mailing list companies can no longer sell data that is “fully opted-in”. To opt in, people have to opt in directly with the company using the data. Unless your company name was mentioned when the person’s email address was collected, you can no longer rely on consent as a reason to process personal data.
But consent is not the only reason to process personal data. There are six lawful bases for processing data in the Data Protection legislation. You need to show compliance with one reason. The most useful for business-to-business direct marketers and email marketers is known as Legitimate Interests.
Legitimate interests might be your own interests, or the interests of the third party receiving the data, or a combination of the two.
Latest guidance from the Information Commissioner says that legitimate interests may be the most appropriate basis when:
“the processing is not required by law but is of a clear benefit to you or others; there’s a limited privacy impact on the individual; the individual should reasonably expect you to use their data in that way; and you cannot, or do not want to, give the individual full upfront control (i.e. consent) or bother them with disruptive consent requests when they are unlikely to object to the processing.”
Crucially for marketers, direct marketing is described in the GDPR as an activity that may indicate a legitimate interest.
We’ve put together a guide on the simple steps you need to take to use legitimate interests as your reason to continue processing data and to continue using bought-in mailing lists for your email marketing.
Legitimate Interests is not a new concept and in fact, Electric Marketing has never relied on consent as a basis for collecting and processing data. What is new is that GDPR requires us all to document how we are using data and to communicate this to users and data subjects. Which on balance, seems quite reasonable.
Now that you’ve written those GDPR policy documents and tackled your corporate mountain of old data, you might be ready to leave the legal stuff to the lawyers and get back to marketing, comms and sales. But maybe you’ve read something about PECR and some people on LinkedIn are still insisting that b2b email marketing will be over in May 2018?
What Is PECR?
PECR is the Privacy & Electronic Communications (EC Directive) Regulations 2003 which governs email marketing. As it is an EU Directive, the UK can choose how to interpret PECR. Crucially the UK allows businesses the freedom to email other businesses on business matters without consent. Most EU countries do not allow b2b email marketing without consent.
The EU wants to update PECR and upgrade it to a Regulation (the ePrivacy Regulation or ePR) which means that all EU nations must follow the rule to the letter and there is no flexibility on its interpretation. The European Parliament signalled its desire to update it before May 2018 and bring in the new ePrivacy Regulation on 25 May 2018. As this would bring the UK into line with the EU and likely outlaw the sale of all third party b2b mailing lists, Electric Marketing wrote to a number of government ministers and departments asking for more information.
Five weeks later, the Department for Digital, Culture, Media & Sport has emailed a reply; the Rt Hon David Davis MP, Minister For Exiting The European Union, passed my letter to them.
EU Plans To Update PECR
The Department For DCMS states that it is pretty much impossible for the EU to stick to their timetable of introducing ePR, the update to PECR legislation, in May 2018. It points out that while the European Parliament has agreed its policy, all 28 member states are yet to officially state their position on the proposal and the final text of the ePrivacy Regulation is yet to be agreed by the European Parliament, Council and Commission.
“Our stand is that the quality of the text must be prioritised over speed”
The email from the DDCMS says that the UK government is pushing for a workable timetable for implementation, which I take to mean a two year period for business to prepare for the new ePrivacy Regulation.
What Is The UK Government’s Position On The PECR Update?
The email goes on to say:
“In relation to unsolicited communication (spam emails and unsolicited calls), the UK’s position is to ensure the provisions for marketing communication are aligned with the high standard set in our domestic regime (‘PECR’) without compromising our regulator’s ability to enforce against such communication. We also aim to tighten the definition of direct marketing communications to avoid users needing to consent every time they load a webpage with ads. Elsewhere, the UK’s position is to maintain the level of flexibility for Member States in the current law.”
I believe that means the UK’s position is to continue to allow b2b email marketing without consent. But I am quoting the email from the ministerial support team at the Department for Digital, Culture, Media & Sport verbatim so that you can come to your judgement.
When Will The New PECR Regulation (ePR) Come Into Force?
Perhaps more pertinent is the question of timing; the EU needs to agree a text and pass the update to PECR before the UK leaves the EU on 29th March 2019 for the updated Regulation to become part of the European (Withdrawal) Bill and to pass into domestic legislation. If the EU passes the Regulation, it is likely that there will be a period of implementation which may be two years as with GDPR. If the ePrivacy Regulation is not passed before the UK leaves the EU, we will have to see what sort of Brexit deal is struck with regard to implementing new EU laws in the UK post-Brexit.
What Is The Government’s Policy on Data Protection Post-Brexit?
For more information, read this Government publication Future Partnership.
Electric Marketing will keep a close watch on the progress of PECR throughout 2018 and into 2019.
Our view is that the implementation of PECR reform seems a way off yet. But beyond 2020, the future for business-to-business digital marketing is not certain.
GDPR Signals The Death Of The Opt-In Mailing List: How Can You Still Use B2B Email Marketing In 2018?
The new GDPR (General Data Protection Regulation) rules that if your mailing list is opt-in, consent to opt-in to receive marketing communications must be “freely-given, specific, informed and unambiguous”.
It is no longer permitted to use mailing lists on the basis of the old opt-in wheeze of a series of double negatives to leave a box unticked agreeing to be contacted by “the company’s marketing partners”. The ICO’s (Information Commissioner’s Office) guidance on interpreting GDPR specifically rules out pre-ticked boxes and states that any third party using a mailing list must be named when the consent is given.
From May 2018 a mailing list can only be opt-in if a person has ticked a box next to a statement that specifically names your company. So your client list and anyone who has signed up to receive info from your company on your website are opt-in lists. Third party opt-in lists are pretty much out after May 2018 and any company or list broker promoting opt-in mailing lists is not up to speed on GDPR.
The good news is that ICO guidance also states that
You don’t always need consent. If consent is too difficult look at whether another lawful basis is more appropriate.
Electric Marketing mailing lists are compiled and used on the lawful basis of “legitimate interest”. If you have a business interest in contacting a person, you may contact them without gaining their prior consent to do so. This applies across mailing, telemarketing and email, with some key restrictions.
There are no restrictions on postal mailing. Direct marketing with envelopes and stamps is swinging back into fashion. It is expensive compared to email marketing but compares well with other forms of digital advertising.
Business-to-business telemarketing is restricted to companies which have not added themselves to the CTPS register. All Electric Marketing lists do contain the phone numbers of CTPS registered companies and they are marked up as CTPS. You can buy mailing lists excluding CTPS registered companies. It is worth noting that companies must renew their registration each year so a company’s CTPS status can change over time. You can check a company’s status by putting their phone number into our free CTPS Checker.
Email marketing for business-to-business marketing is restricted by your own list of individuals who have unsubscribed from receiving emails from your company. This is a key point of difference from consumer email marketing, which definitely does require consent. The reason for the difference is that email marketing is governed by a different EU directive, known as the Privacy & Electronic Communications Regulations (PECR). PECR states that it is permitted to send emails offering business services to business people at their business email addresses, but if they ask you to stop emailing them, then you must remove them from your list and must not email them again.
So the opt-in mailing list is dead. But email marketing for business-to-business communications lives on.
GDPR sure has been a long time coming. We’ve been worrying about the effects of the new Data Protection legislation from Europe since 2011. We are now a year away from the deadline of 25 May 2018 to comply. And Brexit won’t save us.
For consumer marketers there are big changes; for b2b marketing, changes need to be made but they are not too onerous. And if you already comply with current legislation, you will find yourself with a pretty short to-do list for GDPR.
Electric Marketing has prepared this guide to GDPR for b2b marketing. It focuses on what is relevant for b2b marketing.
The key change is that a company must show itself to be compliant with the rules. Write a policy document which sets out how you comply with the rules. Our guide puts the eight key issues into simple language that your policy document must cover.
There is a lot of misinformation out there about how email marketing will be affected by the new rules. This is certainly true for consumer marketing, but b2b email marketing is not governed by GDPR; it is covered by the Privacy & Electronic Communications Regulation (PECR).
Until PECR is updated, the rules for b2b email marketing remain as they are ie you may send an email to a person’s business email address about business matters without first gaining their permission. Your email must have an opt-out mechanism. If the person opts out, you must not email them again. This is known as an ‘opt-out regime’.
What About Consent?
If you are using data for the sole purpose of b2b direct marketing, you do not need the prospect’s consent to do so. GDPR gives six reasons for lawfully processing data ie using emailing lists. Read them here on the Information Commissioner’s website.
B2B marketing does not rely on consent as the reason for data processing. Your policy document will say that you are processing data for the reason that the GDPR calls “legitimate interest” ie you have a legitimate business interest in emailing the person at their business email address.
Worried About PECR (Privacy & Electronic Communications Regulation 2003)?
The EU has an ambition to update the rules of PECR in May 2018 and has drafted legislation. The draft legislation appears to allow the UK to retain its opt-out regime for b2b marketing and while this could change, it seems unlikely. It is also possible that the EU’s timetable for updating PECR may slip beyond May 2018.
So PECR is as yet unknowable but if the EU’s timetable for the legislation slips just ten months to beyond March 2019, the UK’s Great Repeal Bill may not include the PECR update. To read more about the likely effects of the PECR update, look at solicitors Bird & Bird’s take on PECR here.
On 26 March 2016 the Information Commissioner issued new guidance on Data Protection and Privacy & Electronic Communications Regulations for direct marketing.
The full guidance can be read here https://ico.org.uk/media/for-organisations/documents/1555/direct-marketing-guidance.pdf but we’ve extracted the sections for business-to-business marketing and they are shown below:
Business-to-business texts and emails
1. Rules on consent, the soft opt-in and the right to opt out do not apply to electronic marketing messages sent to ‘corporate subscribers’ which means companies and other corporate bodies eg limited liability partnerships, Scottish partnerships, and government bodies. The only requirement is that the sender must identify itself and provide contact details.
2. However, it serves little purpose to send unsolicited marketing messages to those who have gone to the trouble of saying they do not want to receive them.
3. Corporate subscribers do not include sole traders and some partnerships who instead have the same protection as individuals. If an organisation does not know whether a business is a corporate body or not, it cannot be sure which rules apply. Therefore we strongly recommend that organisations respect requests from any business not to email them.
4. In addition, many employees have personal corporate email addresses (eg email@example.com), and individual employees will have a right under section 11 of the DPA to stop any marketing being sent to that type of email address.
1. Sole traders and partnerships may register their numbers with the Telephone Preference Service (TPS) in the same way as individual consumers, while companies and other corporate bodies register with the Corporate Telephone Preference Service (CTPS). So organisations making business-to-business marketing calls will need to screen against both the TPS and CTPS registers.
The right to opt out
1. Organisations must not make unsolicited marketing calls to a person who has said that they don’t want those calls. In other words, there is a right to opt out, and organisations cannot call someone who has objected to or opted out of marketing calls.
Organisations should not make it difficult to opt out, for example by asking individuals to complete a form or confirm in writing. As soon as an individual has clearly said that they don’t want the calls, they must stop.
2. If an individual objects or opts out at any time, their details should be suppressed as soon as possible. It is important not to simply delete their details entirely, otherwise there is no way of ensuring that the organisation does not call them again.
3. Organisations must not send marketing texts or emails to an individual who has said they do not want to receive them. Individuals have a right to opt out of receiving marketing at any time. Organisations must comply with any written objections promptly to comply with the DPA – but even if there is no written objection, as soon as an individual says they don’t want the texts or emails, this will override any existing consent or soft opt-in under PECR and they must stop.
4. Organisations must not make it difficult to opt out, for example by asking individuals to complete a form or confirm in writing. It is good practice to allow the individual to respond directly to the message – in other words, to use the same simple method as required for the soft opt-in. In any event, as soon as an individual has clearly said that they don’t want the texts or emails, the organisation must stop, even if the individual hasn’t used its preferred method of communication.
5. If an individual objects or opts out at any time, their details should be suppressed from marketing lists as soon as possible. It is important not to simply delete their details entirely, otherwise there is no way of ensuring that the organisation does not contact them again.
EU Regulation On Data Protection Unlikely To Become UK Law Before 2019
Nearly four years into the process, the Council of the European Union has now decided on its negotiating position for the trilogue with the European Parliament and the European Commission. There is now a timetable running to December 2015, during which representatives from the Council, the Parliament and the Commission will come together to decide on the final wording of the new EU-wide data protection regulation. This means that if they stick to this timetable, which on past form is by no means certain, by the end of 2015 we should know how the new regulations will affect direct marketers in the UK.
Among the controversial questions still to be thrashed out are:
What is the precise definition of ‘personal data’?
How will the ‘right to be forgotten’ work in practice?
What exactly is meant by the ‘legitimate interest’ of data controllers? Does this include marketing? And if it does, does it include any or all of consumer marketing, B2B marketing, online marketing and offline marketing?
Must consent be ‘explicit’ or not?
Will compulsory data breach notification apply to minor breaches or just high risk breaches?
Will all businesses be required to have a data protection officer?
What happens if EU data protection rules conflict with a non-EU country’s data protection rules?
While we might know what the new regulations will be by the end of 2015, they are unlikely to be adopted into EU law before mid-2016. In fact the Information Commissioner’s Office now estimates that the two year run-in period before the regulations become compulsory can realistically be expected to start at the end of 2016, meaning that they will not be enforced in the UK before the beginning of 2019.