GDPR: (re)confirming consent, an error to avoid

/0 Comments/in , , , /by

With the entry into force of the General Data Protection Regulation (GDPR) on May 25th, you’ve probably received dozens of emails asking you to consent (or re-consent) to the processing of your personal data.

Now, you may be wondering if you should do the same for your own business.

The answer is no, and here’s why:

Firstly, the GDPR only concerns you if your company is active on the European market.

If your company doesn’t deal with European consumers, you don’t have to worry about the GDPR. It’s much more important to ensure that you comply with the Canadian Anti-Spam Law (CASL), which is almost as severe as the GDPR but focuses on Canadian companies, and commercial electronic communications to and from Canada.

If, however, you are active in Europe, whether you are physically present there or not, compliance with the GDPR is your concern, but this is not a reason to bombard your contacts with requests for confirmation of consent. It is a harmful and often useless step because there are other ways to put you in good standing.

Counterproductive results

From a marketing perspective, confirmation of consent is probably the worst legal basis to justify the processing, use and storage of personal data.

Indeed, companies having opted for “consent confirmation” campaigns have been able to note the danger of these. For example, many of their contacts took the opportunity to withdraw their consent in frustration following the avalanche of similar messages received. This is a quick and easy way to destroy your marketing database.

The same thing happened in 2014 when CASL came into force. Thousands of messages were received by consumers asking if they would agree to continue receiving business messages. These messages were initially useless because a temporary provision gave the sender an implicit right to send messages until July 2017. Above all, these emails damaged the reputation of several companies and had the opposite result; the loss of consent of the vast majority of their marketing contacts leading some SMBs to bankruptcy.

A request for consent probably not necessary

Firstly, explicit consent by means of a form in accordance with a European Parliament directive on the protection of privacy (Directive 95/46 / EC) is also valid for the GDPR. If your forms comply with the Canadian Anti-Spam Law, then your consents respect the GDPR. It is, therefore, unnecessary to waste your time and that of your clients to ask them for a new consent.

In addition, the GDPR provides five other legal bases to justify the collection and processing of personal data. These five legal bases are: the contractual necessity, the respect of a legal obligation, the safeguarding of the interests of the person concerned or another physical person, the public interest and finally, the legitimate interests (article 6 of the GDPR).

 

“Legitimate interest” as an ally

From a marketing perspective, “legitimate interest” is definitely the most interesting and easy option to use. Section 6 (1) (f) of the GDPR defines it as treatment “necessary for the legitimate interests of the controller or a third party unless the interests or fundamental rights and freedoms of the person concerned prevail, which require protection of personal data, in particular where the data subject is a child.” 1

In other words, your interest in developing your business justifies that you collect and use the relevant personal information of your contacts for your email marketing campaigns as long as it does not affect the rights of your contacts. For example, if you use the name and email address that someone has provided to you, to send them interesting promotional information and give them the opportunity to unsubscribe, you are in the justified under “legitimate interests”. On the other hand, this would not justify collecting and processing irrelevant personal information such as his Social Insurance Number or his sexual orientation.

Think strategically

It’s not because email sendout providers like MailChimp or Cyberimpact are offering you a consent request email template that it’s relevant to use it. Unfortunately, these companies often have limited knowledge of these regulations and their compliance requirements. It’s better to put yourself in the shoes of the average consumer who has received 23 emails of this type this week and who is expecting you to have more interesting emails.

If you are afraid that some of your consents are not in compliance and you need to get a confirmation, go step by step to reduce the impact on your database.

Start by separating all your European contacts from the other contacts in your database and group them according to the different legal bases that may correspond to them. If some contacts do not fit into any of the six legal bases and you have not obtained them by a consent form, you must send a consent confirmation message only to those contacts, making sure to do so in a tone that corresponds to relationship style that you develop with your customers. A too “legal” tone will bother your customers or at worst scare them.

In short, the GDPR should not push you to make mistakes in panic mode but is an issue that you must take seriously if you do business with Europeans. It’s also an opportunity to structure and enrich your databases and digital marketing strategy by building the trust of your customers.

As with CASL, it is not enough to have “consent” to comply with the GDPR. All other regulatory requirements must be met, which only a formal compliance program can provide.

If you want to comply with the GDPR to strengthen the trust of your European customers or avoid fines and legal proceedings, contact one of our advisers today. The Certimail team offers GDPR compliance programs tailored to the constraints of Canadian SMBs that can even be combined with a CASL compliance process, saving you time and money.

 

GDPR & CASL: When to use “Legitimate Interests” or “Consent” as a lawful base

/0 Comments/in , , , /by

If you are a Canadian marketer and you send emails to the European Union (E.U.), under GDPR you’ll need to justify why you collect and store data for each of your contacts. And by data, I’m referring to contact information (first name, last name, email address, etc.) and how you use this data (marketing, transactional, etc.).

The lawful bases

Because GDPR governs data security and protection, an individual or organization may reference one of the six lawful bases to justify the collection of data of their clients, leads, partners, members, marketing contacts, etc.

From a purely marketing perspective, there are two lawful bases that one will cite regularly in their records and documentation: “Legitimate Interests” and “Consent”.

  • “Legitimate Interests” as a lawful base can be relied upon for marketing activities if you can show that how you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object.
  • “Consent” as a lawful base is appropriate if you can offer people real choice and control over how you use their data, and want to build their trust and engagement.

Which lawful base to apply for email marketing purposes…

Knowing that:

  • Under CASL, which governs commercial electronic messages, a consent status needs to be attributed to and documented appropriately for each contact, for you to have the legal right to send them electronic commercial messages. Either “express” or “implied” consent.
  • Under GDPR, which governs data security and protection, a lawful base needs to be attributed to and documented appropriately for each contact, for you to have the legal right to store and use a contact’s information.

Hence as a Canadian marketer (sending marketing messages to the E.U. ) , you must take into consideration and comply with the rules of GDPR -AND- CASL , thus adding a certain complexity.

Despite this complexity, there are totally legitimate, quick, and easy solutions for you to use:

For B2C email marketing

“Consent” as a lawful base is one of the ways, and the easiest for email marketers, to prove lawfulness and compliance in the eyes of GDPR.

However, there are strict requirements and you will need to obtain explicit consent (note that there is no such thing as “implied consent” under GDPR) moving forward from all your marketing communication subscribers or from anyone that fills out forms on your web pages to receive communications from you.

If you use “Consent” as a lawful base.

  • Consent must be specific to distinct purposes.
  • Silence, pre-ticked boxes or inactivity does not constitute consent; data subjects must explicitly opt-in to the storage, use, and management of their personal data. A double opt-in procedure is the best and safest way forward.
  • Separate consent must be obtained for different processing activities, which means you must be clear about how the data will be used when you obtain consent. The opt-in message that is used has to state all the ways you could possibly use the personal data you collect and how you are protecting that data. (ex.: state that you take data protection seriously by including a link to your Privacy Policy, and indicate that a person can access, rectify, or erase their data at any time.)
  • Consent must be verifiable and requires a written record of when and how someone agreed to let you process their personal data.

This process, not only enables you to comply with GDPR, but also gives you “express” consent under CASL.

For B2B email marketing

Particularly for those in sales, many of our contacts can be filed and recorded as “Implied Consent” under CASL, and as “Legitimate Interests” under GDPR.

You are required, however, to document the Legitimate Interests Assessment for each contact (LIA):

Whoa, that’s a lot to take in and document! But wait… whether you’re marketing B2C or B2B, or both, the arrival of GDPR is a great opportunity and occasion to convert “implied consent” Canadian contacts to “express consent” contacts, and classify E.U. contacts under “Consent” as a lawful base. See this article, “How to Write Emails to Get Consent for GDPR (and CASL)“.

Disclaimer:

Understandably, different sized organisations and types of messages need to be taken into consideration. Be sure to adapt accordingly to your organisation’s structure, operations, and unique situation.

Applying both CASL and GDPR legislations responsibly and taking the appropriate action is not at all an easy task. There are many details to pay attention to and to follow. It can be a difficult, time-consuming, and frustrating task if you are not completely versed in both legislations. In addition, mistakes can run costly fines for individual executives and companies alike.

If you need help or have questions, you can leave a comment or contact us at any time.

How to Write Emails to Get Consent for GDPR (and CASL)

/0 Comments/in , , , /by

The European Union’s General Data Protection Regulation (GDPR) comes into effect May 25th. From that date onwards, an organization must be able to demonstrate they are being lawful and prove compliance with this regulation.

Because GDPR governs data security and protection (unlike CASL with governs commercial electronic messages — for more information on the differences between GDPR and CASL click here) an individual or organization may reference one of the six lawful bases to justify the collection of data of their clients, leads, partners, members, marketing contacts, etc.

Because email is such a key medium for our business transactions and marketing communications, it’s important to note that any organization sending emails to individuals in the European Union is subject to GDPR, regardless of the originating country of the emails.

Now then, specifically for your marketing contacts, you’re going to want to know about Consent as a Lawful Base, to justify the collection and storage of your marketing contacts’ information.

“Consent” as a lawful base is one of the ways, and the easiest for email marketers, to prove lawfulness and compliance in the eyes of GDPR. However, there are strict requirements and you will need to obtain explicit consent (note that there is no such thing as implied consent under GDPRmoving forward from all your marketing communication subscribers or from anyone that fills out forms on your web pages to receive communications from you.

If you use “Consent” as a lawful base.

  • Consent must be specific to distinct purposes.
  • Silence, pre-ticked boxes or inactivity does not constitute consent; data subjects must explicitly opt-in to the storage, use, and management of their personal data. A double opt-in procedure is the best and safest way forward.
  • Separate consent must be obtained for different processing activities, which means you must be clear about how the data will be used when you obtain consent. The opt-in message that is used has to state all the ways you could possibly use the personal data you collect and how you are protecting that data. (ex.: state that you take data protection seriously by including a link to your Privacy Policy, and indicate that a person can access, rectify, or erase their data at any time.)
  • Consent must be verifiable and requires a written record of when and how someone agreed to let you process their personal data.

For those marketing contacts that you already have in your database (that are not clients, partners, members, employees or associates —as other lawful bases are easier to use for those contacts, although you can still send them the following email to ask them for their consent as there’s no harm in being safe than sorry) here is how you are going to want to ask them for consent.

N.B.: For those doing business in Canada, under CASL, if you already have implied consent for your contacts, and if you are still within the allowed time period (ex.: A person, who fills out a web form on your website, is considered to have given you “implied consent”, and you have a 6-month time frame in which you can communicate with them), the following email is valid to obtain explicit/express consent.

From name and subject line

These are the two elements that are the most crucial part of any email, as these items determine whether we’ll open an email or not.

For the “From” name, you’re going to want to make personal (from a real person, because as humans we prefer interacting with other humans) and professional (company name).

Ex. Rebecca Coggan | CompanyName, or Rebecca @ CompanyName, or use your full name and add the company name to the subject line.

For the subject line, you’re going to want to include the words “action required”.

TIP: Typically, when these words are surrounded by square brackets and in all caps, ex. [ACTION REQUIRED], we tend to take it more seriously.

And of course, in the subject line, you’ll also need to add the reason why you are contacting the person.

Example of all the elements together:

Other variations are possible. Be sure to make it your own.

Body copy

The three most important things when it comes to body copy is that it needs 1) to be brief, 2) to clearly demonstrate the “what’s in it me” for the recipient of the email and 3) written using an empathetic tone.

N.B.: By the way, if you respect these three key elements in your body copy, your open rates will steadily increase and your audience will trust you more and more.)

TIP: When it comes to these specific types of communications (updating information, account status etc.), text-based emails tend to be taken more seriously, are read more than scanned, and are acted upon more than ignored.

Example of all the elements together:

The body copy also includes many essential items: person’s name, deadline, the action required, incentive, instructions for future requests, a warm thank-you, and detailed sender information.

Here too, other variations are possible depending on your own situation. You can also send a follow-up email if you don’t get a response or action as quickly as hoped for. Be sure to make it your own.

So there you have it. Simple and easy.

GDPR Compliance & Emails: What Canadian SMBs Need to Know

/0 Comments/in , , , /by

The European Union’s General Data Protection Regulation (GDPR) comes into effect May 25th, and although details of the law are still being worked out, when it comes into effect, in the eyes of European law, an organization must demonstrate they are being lawful and must be able to prove compliance.

Who is subject to GDPR?

For those of us here in North America who do business with European countries, we are subject to GDPR because of international collaboration between authorities. Specifically, though, GDPR applies to:

  • Any organization that collects, changes, transmits, erases, or otherwise uses or stores the personal data of EU citizens. (Personal data is any piece of data that, used alone or with other data, could identify a person).
  • Any person or organization which, alone or jointly with others, determines the purposes and means of the processing of personal data, known as the “Controller”, is accountable under GDPR.
  • Any organization sending emails to individuals in the European Union is subject to GDPR, regardless of the originating country of the emails.

What are the two main DIFFERENCES between CASL and GDPR?

  1. Commercial Electronic Message vs. Data Protection

The biggest differentiator between CASL and GDPR is that CASL governs Commercial Electronic Messages (CEMs) while GDPR governs data security and protection.

  1. Compliance Program vs. Lawful Bases

When proving compliance, a CASL Compliance Program that meets the CRTC’s eight requirements is one’s only defense in Canada. For GDPR, an individual or organization may reference one of the six lawful bases, as long as one can prove and demonstrate that they respected all the details and took all the action required of the lawful base cited.

About Consent

Some lawful bases don’t apply to all businesses and marketers, but if you send emails, you’ll want to know about Consent as a Lawful Base.

Remember, a company must be able to fully justify why they are collecting the information of an individual or organization, to what means they are using it, and how that information is being protected.

Consent is one of the ways, and the easiest for email marketers, to prove lawfulness and compliance in the eyes of GDPR. However, there are strict requirements and you will need to obtain explicit consent moving forward from all your subscribers or from anyone that fills out forms on your web pages to receive communications from you, if you use Consent as a lawful base.

Important: unlike CASL there is no implied consent in the eyes of GDPR nor are there B2B exceptions. There is only explicit consent. Note that:

  • Consent must be specific to distinct purposes.
  • Silence, pre-ticked boxes or inactivity does not constitute consent; data subjects must explicitly opt-in to the storage, use, and management of their personal data. A double opt-in procedure is the best and safest way forward.
  • Separate consent must be obtained for different processing activities, which means you must be clear about how the data will be used when you obtain consent. The opt-in message that is used has to state all the ways you could possibly use the personal data you collect and how you are protecting that data. (ex.: state that you take data protection seriously by including a link to your Privacy Policy, and indicate that a person can access, rectify, or erase their data at any time.)
  • Consent must be verifiable and requires a written record of when and how someone agreed to let you process their personal data.

Access, Rectify, and Erase

Additionally, as you collect an individual’s data through your online forms (ex.: first name, last name, email, etc.) under GDPR an individual must able be to access, rectify and erase their data at any given time. Thus, we suggest that you include a section in your Privacy Policy as to how an individual may go about this (ex.: by sending an email with the request to [email protected]).

Record keeping and a centralized database

Within the rules and regulations of both CASL and GDPR, good record-keeping practices is not only necessary to establish a due diligence defense in the event of complaints against your business, but good recording keeping helps businesses (i) identify potential non-compliance issues, (ii) investigate and respond to consumer complaints, (iii) respond to questions about the business’s practices and procedures, (iv) monitor their corporate compliance program, (v) and identify the need for corrective actions and demonstrate that these actions were implemented.

Additionally, in order to meet the requirements of GDPR regarding Data Privacy and Consent, a centralized database for contact management, processing and documentation are helpful, not only for client relationships, smooth and efficient operations, but also for proving lawfulness and compliance.

As an individual or organization that sends emails, for marketing or business purposes, what’s your best bet?

A CASL compliance program is considered the gold-standard and best in breed where it comes to protecting yourself against hefty fines. Remember CASL applies to individual emails as much as group emails and newsletters regardless of whether there is promotion content or not.

Implementing a CASL compliance program, that meets all the requirements of the CRTC, is not only required by the law in Canada, but by doing so, you’ll increase your protection with regards to GDPR.