[Ebook] The GDPR decoded: a marketing guide to customer consent
As part of our webinar on the application of the GDPR regulations in marketing, our Qualifio and Lex4U experts answered your questions.
If you missed it, don’t hesitate to download our free ebook!
How to obtain consent? What about the data collected as part of social networks? And how to send commercial solicitations as part of a B2C company? Our experts answer the most frequently asked questions from marketing professionals, one year after the implementation of the GDPR.
How to obtain consent?
In the GDPR, consent is not to be taken lightly. A simple checkbox can usually do the trick, as long as it is specifically mentioned what the person will receive afterwards. For example, “I agree to receive commercial offers from Company X.” It must also have a link to the Privacy Policy so that the prospect knows what his data will be used for.
This consent must have several characteristics. It must be:
- Freely given: consent must, of course, be given freely. No unreasonable pressure may be exerted on the person concerned. Therefore, consent will not be considered as “freely given” if there is an imbalance between the person and the data controller. Examples of imbalance: a citizen in relation to the authority or a worker in relation to his employer.
- Specific: If you wish to use the data collected for different purposes, all of them must be explained at the time of the consent request. It can also help when segmenting data. Your prospect could tell you how he or she would like to be contacted via a drop-down menu, for example, or choose which type of newsletter he or she would like to receive if you offer several.
- Informed: When you seek consent, it should be formulated in clear and simple terms and should express information that is understandable and accessible. It is therefore not advisable to use legal or technical jargon, which will often be incomprehensible to your prospect.
- Unambiguous: the data subject must understand that his or her consent allows you to use his or her personal data.
Attention: the collection of consent by the acceptance of the general conditions of use or sale is not valid. Be sure to create an additional opt-in to help you obtain this consent in due form.
What about the data collected as part of social networks?
The use of data collected via social networks is a complicated issue. Care must, therefore, be taken not to become easy: just because the data are public does not mean that they can be used freely.
LinkedIn case
Let’s take a simple example: you are looking for a way to contact a person on LinkedIn and find their email address, published on their profile. This one is accessible to you because you are part of his professional network.
According to the principles of the GDPR, you need a legal basis for the use of this personal data. In the context of direct marketing, whether in B2C or B2B, the data subject must be informed about the use of his or her personal data. In this case, even on the basis of the application of Article 14 of the GDPR, which mentions the possibility of processing data that you have not collected yourself, it will be complicated for you to explain that the data subject was clearly informed at the time of collection.
On the other hand, it will be easier to justify contact with a person in the context of a professional solicitation, given the objectives of the LinkedIn social network.
Facebook contests case
Example: You are launching an Easter contest in which you invite your audience to find an egg hidden in one of the publications on your Facebook page.
Since the Wirtschaftakademie decision, Facebook page managers have been considered as co-responsible for this page.
In order to reuse the information collected in these competitions, you will need to inform participants properly about the processing of their data. This explanation can take place within the framework of your Privacy Policy, accessible via a link, for example.
Finally, the principle of purposes must be respected, and the data of these persons must not be reused for any other purpose unless it is compatible with the original intent as envisaged in Article 6 (point 4) of the GDPR.
Audience targeting on Facebook case
Concerning audience targeting, the first question to ask is obviously “does this processing make it possible to identify a natural person or to identify him/her?
If we are talking about a general targeting (typically an age group in a defined territory), it is impossible to identify a natural person based on this targeting alone precisely.
If, on the other hand, targeting concerns a behavioural analysis based on the pages assessed by the individual, this targeting is directly linked to his or her behaviour. The third party company wishing to market using this behavioural data will then have to ensure that Facebook has obtained the consent of the individual.
Obviously, in the case mentioned above, it will be necessary to give fundamental importance to the information provided to the individual, both on the part of Facebook and the company processing this data.
Concerning tracers and retargeting, the subject is in vogue. Indeed, Lawyer General Michal Bobek delivered general conclusions in the FASHION ID case which, schematically, could lead to the conclusion that the manager of a website is co-responsible for the processing of the company that installed the plug-in.
How to send commercial solicitations electronically, without violating privacy rights, in a B2C relationship?
Before answering this question, it is worth recalling the difference between postal, telephone and digital marketing.
The main difference is that it is not necessary to obtain consent in the context of a telephone call with human intervention (as opposed to an automated electronic communication system) or the sending of postal mail, provided that the person contacted has not exercised his right of objection.
However, it is essential to obtain this consent in the context of digital communication (via email, fax or text message) and to enable the recipient to exercise his right of opposition easily.
In all cases, according to the rules of the GDPR, the data controller must provide the clearest possible information on the use of the data for commercial and charitable solicitations of direct marketing campaigns.
In order to obtain this consent, we recommend that you use an opt-in, i. e. a checkbox explaining the purpose for which you wish to collect the person’s data.
Pro tips:
- Avoid collecting email addresses of individuals on websites or discussion forums;
- Do not pre-check the boxes when you ask someone to agree to receive commercial communications or communications from other partners;
- Do not make access to a service, the purchase of a good or the benefit of a discount conditional on the acceptance of receiving advertising messages electronically.
Didn’t see an answer to your question? We invite you to download our ebook, written in collaboration with the law firm Lex4U. Your answer may be found there ?