« Do I need to collect consent? » – Mythbusting marketing obligations in a GDPR and CCPA era
May 5, 2020, by Yannig Roth
Any marketer even remotely interested in the legal landscape around 2016 heard all sorts of talk about GDPR. The regulation would be the end of newsletters, of solicitations, of targeted advertising. Companies would face tremendous fines if they failed to become compliant in time. Two years after GDPR came into effect, marketing still exists, and internet users see only two differences from how things were before: fewer pre-ticked boxes in registration forms, and more cookie consent notices every time they visit a website. Customer experience has become more tedious, while marketing departments are still unclear about how to handle data collection and processing in a compliant way.
Why are marketers so concerned with GDPR?
Following digital transformation trends, most marketing departments have come to rely on data collection to follow prospects, create campaigns, feed their CRM and target their visitors with mass emailing campaigns. The arrival of GDPR changed the trend and set new rules, particularly with regard to the collection and use of personal data. For marketing departments, frantic data collection as a whole is now called into question, with two main concerns:
- what are marketing departments allowed to collect?
- when should marketers ask their prospects for permission, and for what?
While hundreds of blog posts and whitepapers have been written about these questions, the answer is simple: you can collect personal data as long as you have a good reason to do so for each processing operation, and you collect no more than that reason requires. A good reason, in GDPR language, is called a legal basis.
What is a legal basis?
The legal basis is the legal ground that allows a company to carry out a given data processing operation. Article 6 of GDPR lists the six possible legal bases, but companies usually operate under one of the following two:
- Performance of a contract to which the data subject is party
- Legitimate interest of the data controller
This is why the operations department of an insurer can collect so much personal data about its customers: it is performing a contract with the data subject.
On the other hand, marketing carries more complexity when it comes to picking a legal basis for personal data, because most marketing interactions happen before a contract is set between the company and the customer. In most cases, the data processing carried out by the marketing team relies either on (1) the "legitimate interest" of the company, or on (2) explicit user consent.
Legitimate interest means that the company collects and uses data to perform a definite action that benefits it, like prospecting, raising awareness, or improving its service. Legitimate interest is therefore the most flexible legal basis: the company can carry out a processing operation as long as it has a definite purpose in mind, and as long as this purpose is not overridden by the individual's interests, rights or freedoms, a balance the company has to assess and be able to justify.
But then comes the next question: how do you translate this into an actual way of doing marketing? Who sets the limit? Legal questions like this one are anything but common sense for most professionals.
It is often a gray area: the company has a legitimate interest in raising awareness about its products, but this interest is not important enough to justify collecting all the lifestyle and habit data of its customers. Yet determining the amount of data and the collection methods that fit this balance is complex. Marketers therefore usually decide to rely on consent for their data processing activities.
Consent comes with its own concerns: do customers have to consent to each new campaign? Is one consent valid for all types of processing? Should marketers ask for the same consent periodically?
Validity of consent
While GDPR sets a limited number of principles regarding the validity of consent, operational staff have a hard time translating them into actual marketing elements. Article 4(11) of GDPR defines consent as "freely given, specific, informed and unambiguous", which sets out the following four principles:
Consent should be freely given
The data subject must be able to say no. They can choose to consent or not without suffering a degradation of service or other negative consequences if they refuse. For example, when a whitepaper is delivered by e-mail, making receipt of that e-mail conditional on the provision of other personal data (surname, first name, position, company, etc.) does not allow the data subject to consent freely. This is precisely why – to download our whitepaper – we only ask for your email address!
Twitter became famous for a "worst practice" of free consent: users who refused the new Terms and Conditions were left with no option other than to leave the service. Those terms and conditions contained the principles of data collection and use, which cornered users into consenting to everything if they wanted to use the service at all.
Consent should be specific
The data subject consents to the processing of a specific type of personal data for a clearly defined purpose (in the GDPR's words, a single purpose, for a single processing operation). It should be clear which processing you intend to carry out and are asking consent for. Each purpose thus requires its own consent: if a company wishes to use a prospect's e-mail address to send them other relevant whitepapers, and also to pass this address to a partner who would like to send promotional content, the two consents must be requested separately, with a clear distinction between the purposes. The data subject must be able to say yes to the first and no to the second.
Consent should be informed
Informed consent means that the data subject knows who is processing the data, what will happen to the data, the purpose of the processing, and how they can change their mind and withdraw their consent. Sadly, this is where we see the worst implementations: instead of improving transparency, the result is a list of bullet points with generic information that ticks the GDPR boxes without respecting the spirit of the law. If you want to collect consent according to the rules of GDPR, you should clearly state who carries out the processing, who decides what the data will be used for, why each type of data is collected, and how the data subject can withdraw their consent if they change their mind. And anyone should be able to understand that information without reading a two-page pop-up.
Consent should be unambiguous
In a word, there should be no doubt that the data subject has given their consent. Pre-ticked checkboxes, dark patterns, passive consent ("by continuing to browse this website, you accept...") or any other design that discourages or prevents the person from making a positive act of consent will invalidate it. As GDPR Recital 32 puts it, "Silence, pre-ticked boxes or inactivity should not therefore constitute consent."
How to create a seamless GDPR-compliant user experience
This is the theory. In practice, most companies are struggling to integrate compliance into their user experience. They try to be serious about consent, and add pop-ups to their website, send periodic emails or push notifications. As customer journeys have grown increasingly complex, they end up asking for the same consent three times on three different channels.
CRM software and GDPR: a failed match
The usual marketing tools, CRM software in particular, were not designed with consent and privacy in mind. Their monolithic nature pushes marketing teams to ask for the same consents again and again, to fail to carry customer choices over from one device to another, and to create discontinuity between the web, mobile and offline experience. The best-case scenario? Creating segments, tags and custom emailing campaigns to work around consent issues.
Marketers juggle emails and forms to deal with consent, even though these means are detrimental to the seamlessness of the customer experience as a whole. It also adds complexity when a customer requests erasure of their data: the marketing team has to dig through CRM notes, segments or attachments and make the changes by hand, hoping no mistake is made in the process.
While marketing teams understand the need to streamline data collection, it is perceived as additional and unfair complexity that does not benefit them.
Ensure GDPR compliance with a Preference Center
The best practice for easing consent collection and respecting GDPR obligations is to put a Preference Center in place alongside the traditional CRM. Brands are increasingly adopting Preference Centers, as we describe in our Preference Center Barometer. Beyond plain GDPR compliance, a Preference Center centralizes information about customer preferences and data collection in one place, acting as a single point of truth for marketing teams. Integrated with other marketing tools such as CRM software, it keeps customer data accurate and updated in real time.
The team has an overview of the permissions, consents and preferences of every prospect in the database. This information is also made available to the customers themselves, giving them control over what they want to share and under which conditions. From a transparency point of view, the gains are tremendous. From a marketing point of view, it also ensures better data quality: customers can withdraw consent when they see fit, correct wrong or outdated information, and indicate the channels of communication they prefer.
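As an added illustration, here is a minimal per-purpose consent ledger in Python that encodes the four validity principles above (specific, informed, unambiguous, withdrawable) and the "single point of truth" role of a Preference Center: one event per positive act, one purpose per event, a default of "no consent", and a history that can be used to demonstrate consent or answer an access request. This is example code, not the author's product or code from the original post; the controller name, purpose identifiers, subject id and form-evidence strings are made up.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One positive act by the data subject, granting or withdrawing ONE purpose."""
    subject_id: str
    purpose: str
    granted: bool          # True = consent given, False = consent withdrawn
    at: datetime
    notice_version: str    # which version of the information notice was shown (informed)
    evidence: str          # how the act was captured, e.g. 'checkbox "whitepapers" ticked on /download'


class ConsentLedger:
    """Append-only record of consent events; the current state is the latest event per (subject, purpose)."""

    def __init__(self, controller: str, purposes: dict[str, str]) -> None:
        self.controller = controller     # who processes the data: part of "informed"
        self.purposes = purposes         # purpose id -> plain-language description shown to the subject
        self._events: list[ConsentEvent] = []

    def _record(self, subject_id: str, purpose: str, granted: bool,
                notice_version: str, evidence: str, at: Optional[datetime]) -> ConsentEvent:
        # Specific: consent can only be recorded against a declared, described purpose.
        if purpose not in self.purposes:
            raise ValueError(f"unknown purpose {purpose!r}: consent must be specific to a declared purpose")
        # Unambiguous: a record needs evidence of a positive act; silence or a pre-ticked box is not consent.
        if not evidence.strip():
            raise ValueError("no evidence of a positive act: silence or a pre-ticked box is not consent")
        event = ConsentEvent(subject_id, purpose, granted,
                             at or datetime.now(timezone.utc), notice_version, evidence)
        self._events.append(event)
        return event

    def grant(self, subject_id: str, purpose: str, notice_version: str,
              evidence: str, at: Optional[datetime] = None) -> ConsentEvent:
        return self._record(subject_id, purpose, True, notice_version, evidence, at)

    def withdraw(self, subject_id: str, purpose: str, evidence: str,
                 at: Optional[datetime] = None) -> ConsentEvent:
        """Withdrawal must be as easy as giving consent: only the act itself is needed."""
        return self._record(subject_id, purpose, False, "n/a", evidence, at)

    def latest(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        for event in reversed(self._events):
            if event.subject_id == subject_id and event.purpose == purpose:
                return event
        return None

    def is_allowed(self, subject_id: str, purpose: str) -> bool:
        """Default is 'no': absence of a record means the subject never consented."""
        latest = self.latest(subject_id, purpose)
        return latest is not None and latest.granted

    def history(self, subject_id: str) -> list[ConsentEvent]:
        """Everything needed to demonstrate consent or to answer a subject access request."""
        return [e for e in self._events if e.subject_id == subject_id]

    def summary(self, subject_id: str) -> dict[str, bool]:
        """The per-purpose view a Preference Center shows the subject: one line per declared purpose."""
        return {p: self.is_allowed(subject_id, p) for p in self.purposes}


def demo() -> dict:
    """Constructed scenario: one form with two separate boxes, then a later withdrawal."""
    ledger = ConsentLedger(
        controller="Example Ltd (marketing department)",   # made-up controller
        purposes={
            "whitepapers": "Send me other whitepapers by e-mail",
            "partner_offers": "Share my e-mail address with Example's partners for their promotional content",
        },
    )
    t0 = datetime(2020, 5, 5, 9, 0, tzinfo=timezone.utc)
    # Only the first box was ticked, so only one grant is recorded; the second purpose stays at "no".
    ledger.grant("sub-42", "whitepapers", "notice-v3", 'checkbox "whitepapers" ticked on /download', at=t0)
    before = ledger.summary("sub-42")
    # A month later the subject clicks the unsubscribe link in an e-mail.
    ledger.withdraw("sub-42", "whitepapers", "unsubscribe link clicked in e-mail of 2020-06-02",
                    at=datetime(2020, 6, 2, tzinfo=timezone.utc))
    after = ledger.summary("sub-42")
    return {"before": before, "after": after, "events": len(ledger.history("sub-42"))}


if __name__ == "__main__":
    print(demo())
```

The ledger never stores a "yes" that was not backed by an act, never bundles two purposes in one event, and keeps the withdrawal next to the grant, so the CRM, the e-mailing tool and the mobile app can all ask the same `is_allowed` question instead of each keeping its own tags and segments.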