
Spaghetti Blog

GDPR: You’re Doing it All Wrong!

Wed 16th May 2018
By Todd

GDPR is coming and unless you’ve had no internet for about two years then you’ll have heard of it. From the 25th May 2018 GDPR will be enforced. Sounds scary, doesn’t it?

Plenty of self-titled experts have emerged recently offering to prepare businesses for the changes, and charging extortionate amounts. There’s a lot of scaremongering going on, and some confusion over what you need to do.

The regulation requires businesses to protect the personal data and privacy of individuals in the EU (it covers anyone whose data is processed there, not only EU citizens). Personal data is anything that can identify a person: name, address, online identifiers such as IP addresses and cookie IDs, health data, and so on.

Even if you have no idea what GDPR is (in short: a new data protection law), you’ll no doubt have had your inbox burned with email after email after email asking you one thing in a dozen different ways…

“Would you like to hear from us again?”

“Please give us permission to contact you after May.”

“Let this not be the end – click here to stay in touch.”

… and about 100 other versions of the same very simple action – Opting in!


The General Data Protection Regulation (GDPR) replaces rules that date back to the UK’s Data Protection Act 1998.

A lot has happened since then. Facebook, the iPhone, Cloud computing, browser cookies!

We’ve come on a lot in these past 20 years, right!?

So, the data protection laws we have need to reflect the systems we use. That’s fair. But we’re seriously getting frustrated with re-consenting emails and here’s why:

 

  1. It’s the best way to destroy your marketing list
  2. You don’t actually need consent under GDPR
  3. Many of the people emailing us never asked before putting us on their list in the first place.

 

PLEASE STOP.

Before we get onto the technical bits (as checked over by an actual expert) we wanted to explain why you should avoid the practice of sending re-consenting emails and spamming your list to beg for opt-in.

This is by far the best way to destroy your marketing list!

 
What’s your open rate? 20%? 30%? The average is very low and you’ll do well to get 40%.

Even if you have a 50% open rate on ALL your emails… you just agreed to delete 50% of your list by asking them to opt back in.

50% won’t open the damn thing and then you’ll lose them. Those occasional openers are bound to get binned. What if they wanted to hear from you but didn’t open that email? They’re gone.

And then… then there’s click rate! The average click rate is less than 4%, so of the half that opened, 96% never click the opt-in link. That leaves you with about 2% of the original list.

If you had 1,000 people on your list and went down the opt-in route, chances are you’re going to end up with 20 people left!

20! And those are probably a few employees, your friends, and your mum.

If they’re an individual and an existing customer, then provided you collected their details in the course of a sale, only market similar products or services, and gave them a chance to opt out when you collected their details and in every message since, the soft opt-in applies under PECR; and, as we’ll see, you don’t need consent under GDPR. You don’t need to delete them.

And here’s the thing: if you haven’t emailed already, you’re way behind those who went early when this was all new, and you’ll most likely get deleted before you’re opened, because we’re all sick of it.

And here’s the other thing…


 

You don’t need consent!

 
Nowhere in GDPR does it say that you need ‘consent’ for email marketing: consent is one of six lawful bases, not the only one. For some reason everyone got confused, the big guns started their opt-in process, and that confused the heck out of everyone else.

This then created a snowball… no… an avalanche of emails of “Want to hear from us again?” spam!

Not really the idea, is it?

Oh… and when you email people to ask for their consent, what you’re effectively saying is:

“We’re not sure what (if any) consent we have from you.”

… If you knew, and it was recorded, you wouldn’t ask, right!?

 

So with that in mind, how are you complying with the current law, PECR?

PECR works alongside the existing data protection laws and has been law since 2003. It’s the law that actually governs marketing email, and it already requires consent (or the soft opt-in) before you email an individual. An email asking “can we email you?” is itself a marketing email. So by emailing people to say you don’t have consent to email them… you’re breaking that law (provided the recipient is an individual, not a company).

Yup. “Hey there, I didn’t do this properly and now I’m emailing everyone to tell them!”

You don’t need consent under GDPR, but if you word an email to say that you do (because of your own systems and processes), you’ve just put in writing that you had no PECR basis for the email you sent to say so. That is a potential breach of PECR and could land you in trouble.

This has nothing to do with GDPR anymore…

You can’t break one law to comply with the other. It just doesn’t work like that.

You don’t need consent under GDPR! YOU DON’T!

 

What’s the other option?

You can go down the consent route, and many have, but consent only covers what people actually agreed to. If you say “we have consent from everyone to email them”, that consent does not stretch to calling them, posting them a letter, or holding any other information about them; you need a lawful basis for each of those purposes too, and you have to keep a record of every consent you claim. Consent is the narrowest basis, not a blanket one.

You can use Legitimate Interest if you do it properly.

 

Legitimate Interest:

“Legitimate interest is one of the six lawful bases for processing personal data. You must have a lawful basis in order to process personal data in line with the ‘lawfulness, fairness and transparency’ principle.” – The ICO

Sending out emails under a legitimate interest basis could well be a better solution for you, but you’ll still need to comply with PECR when emailing individuals.

Even the ICO state that:

“The GDPR does not define what factors to take into account when deciding if your purpose is a legitimate interest. It could be as simple as it being legitimate to start up a new business activity, or to grow your business.”

So you can apply it to your marketing and business to suit you, as long as you’re transparent about what you send, why you send it and how you store the data; and you’ve conducted and documented a balancing test showing that the individual’s interests and rights don’t override your legitimate interest.

So please stop sending re-consenting emails. You’re basically admitting you don’t have consent and then getting yourself into a pickle with PECR.

Don’t believe us? Ask Honda, Flybe, or Morrisons, who got in deep water by doing just this.

The National Trust mailed post out to their list to get consent. Why? PECR doesn’t apply to the post. Clever.

But, ironically the king of post, The Royal Mail, got fined under PECR.

Messy and ironic.

Stop sending reconsenting emails!

It’s worth noting that you do need consent (or the soft opt-in) under PECR, and PECR’s consent rule only applies to individual subscribers (which includes sole traders). So if you’re sure your list is B2B, and the business is a Ltd company or similar corporate subscriber, then you can use Legitimate Interest under GDPR and PECR’s consent requirement does not apply.
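To make that rule concrete, here is an added example (not code from the original post, nor from the agency or the expert who checked it) that sorts a constructed mailing list into the buckets the paragraphs above describe: corporate subscribers, individuals with recorded consent, individuals covered by the PECR soft opt-in, and everyone else. The `Contact` fields, the sample addresses and the evidence fields (a consent timestamp and its source) are assumptions made for the example; the soft opt-in conditions it checks are the ones PECR sets out: details collected in the course of a sale or negotiation, marketing of similar products or services only, and a chance to opt out at collection and in every message since.

```python
"""Sort a mailing list into the bases each record can actually evidence.

Added example: the Contact fields, sample addresses and helper names are
assumptions made for this illustration, not anything from the original post.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, List, Optional


class Basis(Enum):
    # Corporate subscriber (Ltd company or similar): legitimate interest under
    # GDPR is enough; the PECR consent/soft opt-in rule does not apply.
    CORPORATE_LI = "corporate subscriber: legitimate interest"
    # Individual with consent recorded (when, and from what source).
    CONSENT = "individual: recorded consent"
    # Individual existing customer who met every soft opt-in condition.
    SOFT_OPT_IN = "individual: PECR soft opt-in"
    # Individual with neither: cannot be emailed, and in particular cannot be
    # sent a marketing email asking for consent.
    DO_NOT_EMAIL = "individual: no basis, do not email"


@dataclass
class Contact:
    email: str
    corporate_subscriber: bool
    # Evidence of consent: both fields must be present to count.
    consent_recorded_at: Optional[datetime] = None
    consent_source: Optional[str] = None
    # Soft opt-in conditions (PECR reg. 22(3)).
    obtained_during_sale: bool = False        # details collected in a sale/negotiation
    similar_products_only: bool = True        # marketing limited to similar goods/services
    opt_out_offered_at_collection: bool = False
    opt_out_offered_every_message: bool = False


def lawful_basis(c: Contact) -> Basis:
    """Return the strongest basis the record's evidence supports."""
    if c.corporate_subscriber:
        return Basis.CORPORATE_LI
    if c.consent_recorded_at is not None and c.consent_source:
        return Basis.CONSENT
    if (c.obtained_during_sale and c.similar_products_only
            and c.opt_out_offered_at_collection
            and c.opt_out_offered_every_message):
        return Basis.SOFT_OPT_IN
    return Basis.DO_NOT_EMAIL


def segment(contacts: List[Contact]) -> Dict[Basis, List[str]]:
    """Group addresses by basis; order within each bucket follows the input."""
    buckets: Dict[Basis, List[str]] = {b: [] for b in Basis}
    for c in contacts:
        buckets[lawful_basis(c)].append(c.email)
    return buckets


# Constructed sample list (addresses are placeholders).
SAMPLE_CONTACTS = [
    Contact("buyer@acme-ltd.example", corporate_subscriber=True),
    Contact("jo@example.org", corporate_subscriber=False,
            consent_recorded_at=datetime(2017, 3, 1, tzinfo=timezone.utc),
            consent_source="unticked web form, double opt-in confirmed"),
    Contact("sam@example.net", corporate_subscriber=False,
            obtained_during_sale=True,
            opt_out_offered_at_collection=True,
            opt_out_offered_every_message=True),
    # Customer, but never offered an opt-out at the point of sale: soft opt-in fails.
    Contact("lee@example.com", corporate_subscriber=False,
            obtained_during_sale=True,
            opt_out_offered_every_message=True),
    # Address with no recorded evidence at all (e.g. typed in from a business card).
    Contact("pat@example.com", corporate_subscriber=False),
]


if __name__ == "__main__":
    for basis, emails in segment(SAMPLE_CONTACTS).items():
        print(f"{basis.value}: {emails}")
```

Note what happens to a record with no recorded evidence: it lands in the do-not-email bucket. That is the practical reading of “if you can’t prove it, you can’t email them”: the fix for that segment is to stop mailing it, or to obtain consent through a channel PECR doesn’t cover, not to send it one more marketing email asking for consent.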

The two rules are working alongside each other and basically confusing everyone. So don’t email people about opting in for GDPR – you’re doing it wrong and potentially damaging your marketing.

Get some professional advice and set up your systems and processes to follow a Legitimate Interest route (internally and in the inbox) and you’ll be just fine.

The GDPR is not here to destroy your marketing; it’s here to update a very old law.

Stop emailing me to opt-in, OK? Just stop it!

  • Desperate to make sure you’re following the rules about personal data?
  • Want help?
  • Need a Privacy Policy?

Speak to us and we’ll point you in the right direction.

Fancy some bedtime reading? Try the ICO’s guide https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr

If you suffer from insomnia try the full 88 page long, 99 article regulation. https://ec.europa.eu/info/law/law-topic/data-protection_en



47 comments on this article

  • Lee Cooper at 6:19am on May 17th 2018

    Hi Todd, this is great info. I am sick and tired of the opt-in emails too and was convinced people were jumping on the bandwagon to make a few bucks off the inexperienced!

    1. Todd at 10:35am on May 18th 2018

      I’m so over them!

  • Croz at 6:29am on May 17th 2018

    Great article. I have been saying this for 6 months and everybody said I was wrong.
    Thank you for clarifying the laws.

    1. Todd at 10:34am on May 18th 2018

      My pleasure!

  • Andy Raybould at 7:04am on May 17th 2018

    Excellent, common sense article!

    1. Todd at 10:33am on May 18th 2018

      No bull, just beef!

  • James hayward at 7:14am on May 17th 2018

    Finally a GDPR e-mail that makes sense – thanks Todd!

    1. Todd at 10:32am on May 18th 2018

      Ha! That’s my plan!

  • Nick at 7:31am on May 17th 2018

    Great article, thank you.

  • Maggie at 9:07am on May 17th 2018

    Very timely! As a private individual I completely sign up to the aims of GDPR, so I want to do no less for my customers and contacts.

    I’ve been thinking since watching your ‘live’ event about this that I’d go the ‘legitimate interest’ route. So, I’ve rewritten my privacy policy in line with this and the clear expectations of GDPR about my reasons, what I do and how people can get in touch with me (as Controller/Processor) to find out more/remove themselves from my list.

    I felt quietly confident I had things covered. It might not be perfect but I also believe the ICO will look at businesses that have genuinely attempted to provide the relevant information with a kind rather than a punishing eye and guide us to address any areas we need to strengthen.

    But the deluge of emails I’m receiving to click this box, reaffirm etc. had wilted my confidence somewhat resulting in my decision just yesterday to join the flock and do the same thing myself.

    Your post has returned my confidence and so my email recipients will not have yet one more pestering to address, or not.

    Thank you!

    1. Todd at 10:32am on May 18th 2018

      Excellent. Get it done, Maggie.

  • Rich Wilkes at 12:49pm on May 17th 2018

    Nice article Todd. Great read. I got a bit lost in the middle there but understand it a lot more now.

    Thanks 😀

    1. Todd at 10:32am on May 18th 2018

      Yeehaa! Thanks, Rich.

  • Carola at 19:58pm on May 17th 2018

    “So if you’re sure your B2B (and the B is Ltd company or similar) then you can use Legitimate Interest under GDPR and PECR does not apply.” – So Todd, what do I do as a sole trader whose list is businesses of all sorts as well as consumers?

    Thank you, Carola

    1. Craig at 12:27pm on May 18th 2018

      Hi Carola,

      You’ve got a challenge there.

      You can use LI to process the data for GDPR purposes (provided you’ve complied with LI requirements).

      However, if the recipient is an individual (or sole trader) then PECR applies to emails / SMS – and you must have either consent or soft opt-in where they’re a customer. If you don’t have either, or you can’t prove it, you can’t email them. This has been the law since 2003, and it was breaking this which got Honda, FlyBe & Morrison’s fined. It’s also why The National Trust went for paper letters – because PECR doesn’t apply.

      Personally I’d segment that list and identify those to whom PECR doesn’t apply. The others are dead to you and need deleting unless you’ve got consent or soft opt-in.

    2. Todd at 12:13pm on May 18th 2018

      Howdy. As I’m not an expert in this, I’ve asked Craig to hop on and answer this for you.

  • Carina at 8:22am on May 18th 2018

    Todd.. thank you for writing this.
    Having attended 2 GDPR talks, I have known this and told my clients this. But because everyone is sending those reconsenting emails most of my clients are panicking and think that they have to and don’t want to get fined etc.

    I will be sharing this with them

    Carina

    1. Todd at 10:31am on May 18th 2018

      Awesome, thanks Carina!

  • Jon at 15:33pm on May 18th 2018

    So is this just with regard to email marketing? I presume if I am saving their data to be used as part of an online system, I would still need to get their consent?

    1. Todd at 7:54am on May 19th 2018

      It’s about transparency. Get your systems and processes and Privacy Notice set up so that you can prove your intent. I’m by no means an expert though. Look up Craig Parsons (further up these comments) as he really knows his stuff!

  • Chris at 21:58pm on May 18th 2018

    Great article Todd. The one thing that has come up a few times on emails being sent to me is that they state they will delete me from their systems if they don’t hear from me, not just remove me from their marketing lists. To me that makes sense, as they are reducing the amount of people’s data they would lose should they have a breach. Any thoughts about this approach?

    1. Todd at 7:53am on May 19th 2018

      Agree. You shouldn’t have a list with 1,000s of non-engagers on it. What’s the point? BUT many of your list will open just 20-30% of your emails, so they may simply miss your email 🙂

  • David at 11:28am on May 21st 2018

    Hey Todd

    Really interesting article – thanks for putting it together.

    Is a named company director treated as an individual or as a B2B – e.g. can an email continue going to JoeBloggs@company.com or does it have to go to info@ ?

    Cheers

    David

    1. Todd at 20:21pm on May 21st 2018

      I’ve checked this for you with Craig who helped with compliance on this post:

      “If you’re sure company.com is a Ltd, then name@company or anything@company is excluded from PECR.”

  • Peter at 8:16am on May 22nd 2018

    Hey Todd,

    Interesting read. I run a website where 7,000 people signed up as users (all individual people not businesses) and of that 7,000 users, 1,000 people made purchases.

    Is it fair to say that 1,000 people have a legitimate interest – and I can continue to market to them? And the remaining 6,000 should be disregarded?

    1. Craig at 7:04am on May 23rd 2018

      Hi… you likely have a legitimate interest to contact all 7000 under GDPR (as they signed up!); however you’ll also need a basis under PECR if they are individuals.

      Those who have bought from you are easier, as provided they had the chance to get off the list when they bought, and have every time the list has been used, the soft opt-in applies. Those who haven’t bought you’ll need consent for (but this can be to the lesser PECR standard).

  • Mike at 8:19am on May 22nd 2018

    Hi Todd,

    This is a really interesting article – I’ve been bombarded by these ‘opt-in’ emails, and I am pretty concerned about losing my mailing list by following suit.

    I’m in a band that maintains a MailChimp email list. Historically, we have taken email addresses collected when somebody has previously purchased an album, and added these to the marketing list. The only other way we have accumulated emails is with sign-up sheets at gigs (perhaps the only real record of ‘consent’ we have). Do you think this constitutes ‘legitimate interest’, in which case I guess I don’t need to do anything except make sure that all future options? Would you advise against simply adding fans’ details to our mailing list from Bandcamp sales in future?

    One approach I have seen which seems much more reasonable is where some of the emails about GDPR simply post a link to an explicit ‘privacy policy’ and ask list members to opt out if there is anything they find uncomfortable. Is this a legitimate approach?

    1. Craig at 7:06am on May 23rd 2018

      Hi Mike – see my reply above. You have to have a basis for both GDPR and PECR, where PECR applies (individuals, essentially).

      GDPR is easier because you probably have a legitimate interest (provided you’ve done the paperwork and balanced it). PECR requires consent or soft-opt in.

      C.

  • Ross at 10:48am on May 22nd 2018

    Hi,

    When dealing with individuals, I think the missing part here is that many people (including the ICO) seem to be saying that the definition of “consent” under PECR has changed with the introduction of the new GDPR legislation.

    If you accept the idea that pre-GDPR an “opt-out” based consent was valid under PECR, eg. a subscription to an email list based on a pre-ticked box, then there can be a situation whereby it’s valid to email subscribers to “upgrade” their consent to be a GDPR-standard affirmative opt-in consent.

    The ICO guidance seems to imply this interpretation:

    > Some organisations provide opt-in boxes that are automatically pre-ticked. However, the GDPR is clear that pre-ticked boxes do not give valid consent. You must use an ‘affirmative’ method of getting consent. We recommend you use unticked opt-in boxes wherever possible.

    https://ico.org.uk/for-organisations/guide-to-pecr/electronic-and-telephone-marketing/

    Thanks,

    Ross

    1. Todd at 6:13am on May 23rd 2018

      True, it’s important that you can prove the consent and also that the consent was correctly given/received. But most of the companies opting back in already had that and are just being cautious. It’s a great way to kill a list that is happy to be emailed.

  • Patricia at 14:38pm on May 22nd 2018

    Todd, I loved this article can you tell me is the PECR also a European Act? So not sure if it still applies to me with an Irish business?
    Thank you

    1. Craig at 7:01am on May 23rd 2018

      PECR is the UK implementation of the EU electronic privacy directive – the Irish should have a similar piece of legislation to enable that EU directive.

  • Adina at 17:01pm on May 22nd 2018

    Great article but I’m still confused. You talk about B2B – but I’m a sole trader and my list is individuals who may have businesses, but I’ve always used a double opt-in, so YES they want to hear from me. And I’ve been told I have to send a re-consent form, even by MailChimp (who emailed out the GDPR stuff…). If they already double opted in then yes, I have consent, but somehow I’m told everywhere that I still need to re-consent them -,-

    1. Craig at 6:59am on May 23rd 2018

      If they’ve double opted in, and thus you can prove when they opted in, then I can’t see why you’d need to reconsent: you already have it, and to a pretty good standard!

      There are a couple of technicalities where you might want to – primarily around whether the subscribers were properly informed about what they were subscribing to; but in reality that’s unlikely to get you into any trouble.

      1. Adina at 11:41am on May 25th 2018

        THANK YOU!!! so much!!

        They know exactly what they’re getting – It’s all in my email AND my thank you pages xD much appreciated thank you so much

  • Liz at 8:34am on May 23rd 2018

    We heard of your agency when you emailed us to say we shouldn’t be sending opt-in emails.

    We went to government-sponsored workshops that told us we did have to send them, and so we have. We decided to take it as an opportunity to clean up our lists. And to be frank, I’m not sorry we’re whittling our lists down, or that in a couple of days’ time we’ll definitely know we have a list that’s made up of people who really want to hear from us.

    At the same time, I’m fully aware that we have a legitimate interest in contacting anyone who could be a lead for us, and we’ll continue to do that in other ways.

    There has been a lot of hand-wringing about GDPR, mostly I think because the government agencies whose job it is to get people up to speed subcontract that job to organisations that have a commercial interest in scare mongering.

    One of the best pieces of information I read about it is available to download from the Post Office’s website. If anyone is still confused, it’s worth a read.

    1. Todd at 14:55pm on May 23rd 2018

      Howdy Liz.

      Interesting… I can’t see your company on our email list. Can you email us and let us know which email you’re subscribed with? It’s certainly not the one used to add this comment.

  • Bob Travers at 9:56am on May 23rd 2018

    Can I just add, you should not be using LI willy-nilly; it should not be abused and used as a form of get-out clause. Unless you have a specific need to retain a client’s (or ex-client’s) data under a Legitimate Interest (LI) need, you should NOT be keeping it. For example, if you offered a service to someone a while ago but just want to keep them on a mailing list in case they pop up again in the future, then LI is the wrong approach and you will end up in hot water.

    Also, the information you retain on a client needs to be accurate and up to date. Someone may have moved address, changed telephone number or changed email address; if so, you now have someone’s name, perhaps D.O.B. or perhaps other special category information, tied to other inaccurate data, and this will also get you in trouble. How you go about auditing this data, ensuring it is accurate and up to date, is up to you; just be very careful. Todd/Craig, over to you if you would like to add anything further.

    Also, Todd, the tick box below (sign up to our weekly roundup) is automatically ticked, meaning I am automatically enrolled without my consent. You may wish to change that!

    1. Todd at 14:57pm on May 23rd 2018

      Howdy. Agreed. The GDPR covers way more than email. I’m obviously more interested in that than other areas.

      Yes, I noticed the pre-ticked box and instructed my web agency to change it. I’ll chase them up now, as they replied yesterday to say they would fix it (missed off the initial round of amends).

  • Dušan at 12:46pm on May 23rd 2018

    Sorry, but you are oversimplifying GDPR. 🙂

    Would be nice if it were that easy, but even if you have consent for holding personal data about me in your email database, did I give you consent forever? Because under GDPR you should limit the time you keep my personal data to the minimum time you require it.

    I just started…

    Not that I am fan of sending consent emails, but following GDPR is important for us all. And for marketing especially to get rid of useless large email databases where half of recipients do not really care about your business. And start focusing.

    Btw, your comment form is very non-gdpr compliant.

    1. Todd at 14:58pm on May 23rd 2018

      Of course not forever and that’s where unsubscribe links come in. If you opt-in, it’s mostly forever unless you opt-out.

      yes, the comment form (that obviously I never use as I reply from the backend) has been spotted and should be fixed when you get this reply 🙂

  • Sophie Parden at 15:25pm on May 23rd 2018

    WHY DID I NOT FIND THIS A FEW DAYS AGO.

    What a bloody good read! Thank you for sharing this!

  • angela at 18:48pm on May 23rd 2018

    Hi
    I found the article really helpful but I’m still slightly confused. All our clients in our database fill out a form in the salon stating how they want their data to be used, i.e. opt in for newsletter emails etc., opt in to cancel appointments only but no other contact, or opt out with no contact by email.

    So I thought I don’t need to email them to re-opt in, as you rightly say, which is what I thought. Also on all our emails they can unsubscribe at any time. We tell them at opt-in why we will contact them: offers, new products etc.

    So here’s the thing: I’m not sure what exactly I’m meant to do now. I do not have our privacy policy on our website, so is this something I need to do? We do have it listed on our sign-up forms.

    So any help or guidance would be greatly appreciated as I’m fully aware I’m on deadline here

    thank you

    1. Craig at 15:07pm on May 24th 2018

      Hi,

      Great news that you’ve got your consent sorted. Well done!

      Next is the wider GDPR compliance! Outwardly you’ll definitely need a privacy notice, and to be doing what you say therein. Inwardly the minimum you’ll need is a register of processing; but you should use that as an opportunity to review your processes and security.

      Hope that helps – drop me a line if not. Craig.

  • Jim at 14:21pm on May 24th 2018

    I was seriously considering that many of these firms, which I had not heard from in years, were simply attempting to get me back on their active list.

    I just hope these companies realise that, while I may like your products or services, daily emails will drive me to competitors quicker. Honestly, even weekly emails can be too much at times. Worse is if you’ve recently failed in customer service and are sending me automated emails.

  • AndyL at 18:18pm on May 24th 2018

    I assumed they were doing this because they were collecting analytics data on their marketing emails.

    After all, nowadays marketing isn’t just about sending people information, it’s about sending them information and then quietly and meticulously recording exactly how they respond to it.
