You may be aware that on 25 May 2018, certain legal changes will come into effect concerning data protection and privacy.
Under the General Data Protection Regulation (or GDPR as it is more commonly known), we are required, as are all businesses that hold your personal data, to provide you with certain information in relation to the lawful grounds for our ongoing processing of your personal data.
In order to fulfill that obligation, we have put together a new privacy notice that clearly sets out how we collect and process your personal data, for what purposes we use your data, the legal grounds of processing such data, how we keep your data secure and your rights in relation to such data.
You have previously been receiving details of our offers and special promotions and other marketing emails because you are either a customer of ours or have previously agreed to receive such emails.
If you would prefer not to receive these emails, you can opt out at any time via our preference center by emailing us at email@example.com.
Although organisations can generally only send marketing texts or emails with specific consent, there is an exception to this rule for existing customers, known as the ‘soft opt-in’. This means organisations can send marketing texts or emails if:
The texts or emails must be marketing products or services, which means that the soft opt-in exception can only apply to commercial marketing. Charities, political parties or other not-for-profit bodies will not be able to rely on the soft opt-in when sending campaigning texts or emails, even to existing supporters. In other words, texts or emails promoting the aims or ideals of an organisation can only be sent with specific consent.
The contact details must be obtained directly from the individual by the organisation who wishes to engage in the marketing and the marketing must be in relation to that organisation’s similar products and services. Therefore the soft opt-in can only be relied upon by the organisation that collected the contact details. This means organisations cannot rely on a soft opt-in if they obtained a marketing list from a third party – they will need specific consent. See the section on indirect (third party) consent for more on this.
The customer does not actually have to have bought anything to trigger the soft opt-in. It is enough if ‘negotiations for a sale’ took place. This means that the customer should have actively expressed an interest in buying an organisation’s products or services – for example, by requesting a quote, or asking for more details of what it offers. There must be some sort of express communication:
Example: A customer logs into a company’s website to browse its range of products. This is not enough to constitute negotiations. But if the customer completes an online enquiry form asking for more details about a product or range of products, this could be enough.
The communication must be about buying products or services. It is not enough simply to send any query:
Example: A customer sends an online enquiry to ask if the company can order a particular product. This could constitute negotiations for a sale. But an enquiry asking if the company is going to open more branches in a particular location would not.
Organisations can only send texts or emails about similar products or services. We consider that the key question here is whether the customer would reasonably expect messages about the product or service in question. This is likely to depend on the context – including the type of business and the category of product.
For example, someone who has shopped at a supermarket might reasonably expect messages about a much wider range of goods than someone who has shopped at a specialist store for a specialist product.
Example: A customer buys groceries online from a large supermarket chain. Although they only bought bread and bananas on that occasion, they might reasonably expect emails about a wide range of products – including bread, fruit, and other groceries, but also books, DVDs, kitchen equipment and other everyday goods commonly sold in supermarkets. However, they are unlikely to expect emails about banking or insurance products sold under the supermarket brand. These products are not bought and sold in a similar context.
Organisations must give the customer the chance to opt out – both when they first collect the details, and in every email or text. Organisations should not assume that all customers will be happy to get marketing texts or emails in future, and cannot rely on the soft opt-in rule unless they provided a clear opportunity to opt out first.
It must be simple to opt out. When first collecting a customer’s details, this should be part of the same process (eg online forms should include a prominent opt-out box, and staff taking down details in person should specifically offer an opt-out). In subsequent messages, we consider that the individual should be able to reply directly to the message, or click a clear ‘unsubscribe’ link. In the case of text messages, organisations could offer an opt-out by sending a stop message to a short code number: eg ‘text STOP to 12345’. The only cost should be the cost of sending the message.
Your obligations don’t end when you get consent. You should view consent as a dynamic part of your ongoing relationship of trust with individuals, not a one-off compliance box to tick and file away. To reap the benefits of consent, you need to offer ongoing choice and control. It is good practice to provide preference-management tools like privacy dashboards to allow people to easily access and update their consent settings. If you don’t offer a privacy dashboard, you will need to provide other easy ways for people to withdraw consent at any time they choose.
You should keep your consents under review. You will need to refresh them if anything changes – for example, if your processing operations or purposes evolve, the original consent may not be specific or informed enough.
If you rely on parental consent, you will also need to refresh consent as the children grow up and can consent for themselves.
If you are in any doubt about whether the consent is still valid, you should refresh it. You should also consider whether to automatically refresh consent at appropriate intervals. How often it’s appropriate to do so will depend on the particular context, including people’s expectations, whether you are in regular contact, and how disruptive repeated consent requests would be to the individual. If in doubt, we recommend you consider refreshing consent every two years – but you may be able to justify a longer period, or need to refresh more regularly to ensure good levels of trust and engagement. If you are not in regular contact with individuals, you could also consider sending occasional reminders of their right to withdraw consent and how to do so.