GDPR for emarketeers: 8 questions about personal data

In today’s connected world, personal data is being collected at an incredible rate. However, individuals have rights in relation to their personal data, including the right to object to their personal data being used for marketing objectives. Organisations have until 25 May 2018 to comply with the EU’s General Data Protection Regulation (GDPR), which will replace the Data Protection Directive. So, how will GDPR impact they way emarketeers work? Here are 8 practical questions answered by Frédéric Dechamps, a lawyer in new technologies of the Brussels Bar.

I regularly organise contests on my website, blog and Facebook page in order to collect new leads. Will I still be able to do that when the GDPR comes into force?

Yes. However… You’re going to need participants’ explicit consent to legitimate the use of their personal data and make it clear and transparent for which purposes you will be using their data. That raises a question: what is explicit consent? There’s certainly much to say. Just google it and you’ll find more than 12.7 million articles.

Under the GDPR, consent must be “freely given, specific, informed and unambiguous”. Basically, consent has to be given through an “affirmative” action, which means that “consent by default” methods such as silence, pre-ticked boxes and inactivity are specifically ruled out.

Furthermore, you must adopt any measures needed to make sure your clients or prospects can exercise their rights. Data subjects are indeed entitled to require a controller to rectify or delete their personal data. There has also been a lot of publicity in relation to the right to be forgotten (“right of oblivion”) and Article 17 now lists 6 cases in which any person may obtain the erasure of personal data.

I have an existing database of prospects that I have been building through the years. Can I still use it for promotional activities after May 2018?

Yes. However… Just like all other files containing personal data, your databases are affected by the GDPR. You will need to make sure to gradually regularise this database, for example by adapting your privacy policies in order to provide better information to prospects about the use of their personal information.

I use Facebook Custom Audiences (and sometimes upload email addresses to Facebook) to target advertising messages to my clients and prospects on Facebook. Will I be able to do that in GDPR?

Facebook advertising model is likely to be disrupted by the GDPR, since they will be unable to use the personal data they hold for advertising purposes without user permission.

“Although the GDPR does not aim to prohibit these activities, it asks to become aware of the treatments and be transparent to users,” said Frédéric Dechamps.

Our advice to emarketeers? For all the data you want to collect, ask yourself this question: “Why is it relevant to collect this information?” If you do not know how to answer it, it would be at least prudent to reconsider its collection.

Under the current law, I consider all my existing clients as being automatically subscribed to my newsletters and promotions. Is it still true in a GDPR context?

Yes. However… It becomes necessary to set up processes that will help you prove the conformity of your actions in case of control, and thus prove that the consent was given in a free, specific and above all informed way!

“With the RGPD, emarketeers will have to be more attentive to the consent. It must be shown that the consent was expressly given by the subject.”

I buy or rent email addresses from an email broker for my direct marketing actions and send promotional emails to this database. Can I still buy contact lists under GDPR?

Yes. However… We strongly recommend against purchasing email data. Under the new GDPR regulation, ensuring users opt-in to your email marketing campaigns and give consent to be contacted will be a requirement. So unless you reach out to a prospect and explicitly obtain consent for you to send them an email, you are not in compliance with GDPR. Clearly, obtaining consent for personally identifiable data will be a challenge for emarketeers.

Do I need to have a cookie wall on my website?

This is not covered by the GDPR, but by the ePrivacy Regulation (Cookie Law), which is actually under revision by the European authorities.

Like its predecessor, the ePrivacy Directive, the upcoming Regulation foresees various rules on spam and unsolicited electronic communications. Although it could become a nightmare for the digital media and advertising industries, the point is to harmonise data protection laws across the EU.

The ePrivacy Regulation aims to simplify the rules regarding cookies and streamline cookie consent in a more ‘user-friendly’ way. In practice, it means that websites will not need to show those cookie walls anymore. The new rule? Browser settings will provide for an easy way to accept or refuse tracking cookies and other identifiers.

I use retargeting solutions (such as AdRoll or Criteo) to retarget audiences. Can I still do that?

Yes. However… Retargeting can involve use of personal data and it’s likely that some form of consent will need to be gathered — and passed to any third parties — before retargeting could commence. If, like a lot of emarketeers, you’re using retargeting providers to help you build profiles of individuals’ interests for display ads, it will be up to you to make sure they’re GDPR compliant!

I collected email addresses over the years but cannot prove how I collected those nor where they come from, is this going to be an issue under GDPR?

Yes. To continue using these email addresses, you will first need to regularise your database and seek the consent of individuals. Indeed, as part of the GDPR, you must keep clear records to demonstrate consent.