Explicit consent and the GDPR
Consent is one lawful basis for data processing in the GDPR, but what is changing? Well, it's now explicit and dynamic because it can change at any time.
GDPR is real (and enforceable) to anyone that does business with EU residents, even if you’re halfway across the world. Time just flew by in all this prep work to become GDPR compliant, and no one had any fun – except for the data privacy experts. Those guys had all kinds of fun and an early Christmas. Everyone else had real talk and real confusion.
Disclaimer: EU data protection laws, including the GDPR, are complex. This blog post should not be considered legal advice. Please consult a legal professional for details on how the GDPR impacts your business.
So, why has this whole thing been so painful?
You could say that enforcing these EU laws is basically the equivalent of calling someone’s baby ugly. It points out that there’s something wrong with data collection and processing if businesses are not following best practices. And the truth hurts.
GDPR doesn’t seem to offer straightforward guidelines on how to correct course either. So, yeah…it’s been rough. And somewhat ironic, too. Those same laws call for change in the way we obtain consent, stating that it can no longer be assumed. Explicit laws with vague implementation directives, calling for explicit consent. Let that sink in for a sec.
Consent is dynamic
GDPR covers several lawful basis for data processing, and consent is one of them. We need to shift our understanding of consent from permanent to dynamic. This means that consent under GDPR depends on the situation and is only specific to the activity. Especially on the marketing side, we have to start asking ourselves: do I have permission to send marketing messages to you? Are you expecting my emails? Even a wealthy, Nigerian prince who wants to share his fortune with me would need my explicit consent to continue sending me spam email!
While someone unsubscribing from your emails isn’t quite the emotional roller coaster of an in-person breakup, it still freaks most marketers out. But really, why would you want to talk to someone who doesn’t want to listen to you in the first place?
With GDPR, customers must have the option to withdraw consent (objecting to use of information for direct marketing) if they decide they don’t want to hear from you anymore. And they need to have the choice to opt-out on an ongoing basis, the choice to update their consent status at any time, and the right to have their data eliminated. Oh, and if they want to take their data with them, you have to provide it to them.
This focus on explicit consent targets the prevailing offender: pre-checked boxes that are set up as the default option on forms, using some blanket statement in the terms and conditions of service. If you want to reach your contacts, offer them only what they’re interested in, and engage in a safe space where you have to ask for permission directly before engaging with them. A good example of this is the InMail feature on Linkedin. You’re only talking to someone there for a business purpose, and they decide whether or not to respond.
What is Mailgun doing about data collection?
In all of this, we did a lot of work on the data processing side of things to update our DPA and make changes before the deadline. But data collection was not overlooked… we’ve had to take some action to meet the requirements of GDPR on our marketing communications as well.
We asked ourselves (and our lawyers) some hard questions to decide what to do. You know, the stuff of nightmares for a marketer: do we re-engage contacts and ask them to explicitly say they opt-in? Do we delete our entire database because we think we can’t obtain explicit consent? Do I really need things like phone numbers and mailing addresses?
After some thought, we came to the conclusion that it makes sense to do the hard work upfront – even if we lose a big chunk of our email lists. We made updates to our web forms to make sure checkboxes were there, and they weren’t checked by default. This also included separating out each type of communication into its own checkbox.
This is to make sure we capture explicit consent moving forward, regardless of geographic location. For existing contracts, we are re-engaging them by sharing our new opt-in form and letting them choose their communication preferences by type. Once GDPR kicks in, we will sunset those contacts that did not submit their opt-in preferences (you’ll know what I mean by this if you watched our webinar on email list practices).
GDPR is going to have an impact beyond EU borders, it’s just a matter of time before other countries implement similar provisions in some shape or form. We figured it’s better to get ahead of the game, even if you have a few short-term drawbacks.
There’s a silver lining though. Your engagement with customers and contacts will be much improved, which is a great thing for email. It can lead to better conversations and also have a positive impact on your email deliverability overall.