May 25, 2018 is a date that has been circled for quite some time now in the agendas of marketing managers in Europe. On this day the General Data Protection Regulation (GDPR) will come into force in the entire European Union (after Brexit, the United Kingdom will have regulations in place that mirror the GDPR). The GDPR will have a sweeping impact on how businesses can acquire and manage personal data from European citizens. GDPR rules will be applicable to any and all companies that do business with European citizens, whether they are based in the EU or in the U.S.
GDPR stipulates that companies need to maintain adequate data records, notify regulators in the event of data breaches, guarantee customers the right to be forgotten and allow customers to take their data with them. In what follows we address what GDPR has to say about the consent procedures for email marketing. We compare the GDPR requirements to the CAN-SPAM consent rules that are in place today in the United States.
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. (GDPR article 32)
The consent given needs to be explicit, like checking an opt-in box on an online form. Consent can also be given orally. Silence, a pre-checked box or inactivity do not equate to consent. Folding information on personal data handling into general terms and conditions will not cut it either. Consent needs to be freely given. It can’t be part of a requirement to receive a service, unless of course the personal information is necessary for the service. It should also cover all the processing activities. If the processing has multiple purposes, consent should be given for all of them. In other words, blanket consent is out of the question. Consent should also be documented, and whoever gives consent should be able to withdraw it (opt out) at any time.
How the GDPR consent rules work is laid out in a handy English language brochure (pp. 15-20) that has been prepared by the German national direct marketing association DDV.
If a recipient makes a request […] not to receive some or any commercial electronic mail messages from such sender, then it is unlawful for the sender to initiate the transmission to the recipient, more than 10 business days after the receipt of such request, of a commercial electronic mail message that falls within the scope of the request (CAN-SPAM Sec 5)
The CAN-SPAM Act of 2003 does not require the senders of commercial email to obtain the consent of recipients prior to sending them commercial email. Businesses do need to allow for opt-out processes and need to honor within 10 business days any such request. Some means of acquiring addresses are explicitly forbidden, chief among them being the use of data harvesting software that scrapes the Internet.
GDPR versus CAN-SPAM
The U.S. and EU rules on privacy protection diverge strongly because the principles that undergird them are very different. The protection of personal data is considered an important basic right in Europe, while First Amendment rights of businesses are sacrosanct in the United States. This means that the GDPR is opt-in legislation (citizens need to explicitly give consent) while CAN-SPAM is opt-out legislation (commercial mailings are allowed until the recipient says he or she no longer wants them).
Impact for American businesses
Research recently conducted by Censuswide has shown that 35% of American organizations are not ready to meet the GDPR requirements in time for the deadline. Regardless of how American companies may feel about GDPR, if they want to operate in Europe or acquire contacts from EU citizens they have no alternative but to become compliant. Companies that fail to do so run the risk of steep financial penalties that can reach €20 million or 4% of global annual revenue.