Episode 9: Joanna Boag-Thomson

GDPR for email marketing explained by Joanna Boag-Thomson from Shepherd & Wedderburn

Joanna Boag-Thomson is a partner at Shepherd & Wedderburn and an expert on the GDPR. In this episode she explains the rules for marketing in Europe, covering the General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulations (PECR).

We cover marketing to European customers from other countries, the changes in the UK since Brexit, when you are allowed to contact customers, legitimate interest and soft opt-ins, how to get consent and how consumers can opt-out.

The discussion covers newsletter signups, marketing to customers and to checkout abandonments. We also cover the different rules for B2B, postal marketing and custom audiences for advertising.

Finally, Joanna gives us a checklist for marketing to customers by email.


Andrew Veitch: Welcome to the Joy of Marketing with me, Andrew Veitch. This week I’m joined by Joanna Boag-Thomson, who’s a partner at Shepherd and Wedderburn. I should also just briefly declare that Shepherd and Wedderburn are my lawyers. And indeed, they’ve actually advised us on the GDPR. Joanna is an accredited intellectual property lawyer, but her real passion is the GDPR. Welcome to the show.

Joanna Boag-Thomson: Thanks very much, Andrew.

AV: So I had a brief look at our audience last night. And as it turns out, roughly half the audience are outside Europe. So Joanna, do they need to worry about the GDPR?

JBT: If they are targeting goods or services at European citizens, then yes, because the European GDPR has extraterritorial reach. And what that means is that it applies even though you might be outside Europe, if you’re targeting goods and services to European consumers. So yeah, it’s still relevant.

AV: So obviously, you know, Brexit has happened, and we’re all enjoying the new economy with all these opportunities, like… well, all these opportunities. So does that mean now we’ve left the EU that we can also forget about the GDPR?

JBT: Absolutely not. So in the UK, we’re still subject to a form of GDPR. And it’s known as the UK GDPR. And this is effectively the European GDPR, just transposed across into UK law and slightly modified. But for marketing purposes, yes, we’re still subject to the GDPR. And there’s also the UK Data Protection Act 2018. That applies. So when we’re looking at the GDPR compliance, we need to look at both the UK GDPR and the UK Data Protection Act to find our answers.

AV: So obviously, Machine Labs, I mean, our core business is email marketing, and I think just about everybody listening will be doing some form of email marketing. So I guess the obvious place to start is consent from the customer to allow us to send them marketing emails.

JBT: Yep. GDPR covers consent. And people think that consent is the only legal basis that you can use. But actually, you can also do marketing under GDPR on the basis of what’s called legitimate interests. So under GDPR, you either need to have consent, or you need to use legitimate interests. And I’m happy to talk about that just a little bit later on. But you do need to be aware of a second set of regulations that apply to marketing emails, if they’re electronic. And these are called the Privacy and Electronic Communications Regulations. And they apply to all forms of electronic marketing. So I said you need to be aware of GDPR and the Data Protection Act 2018. But you also need to be aware of these Privacy and Electronic Communications Regulations, because they apply to electronic marketing. And it’s maybe worthwhile just thinking about what constitutes a marketing email. So some are and some aren’t. And a routine customer service message doesn’t count as a marketing email. Even if you’ve got general branding, or logos, or straplines, that doesn’t make them a marketing message. But if there’s some significant promotional material in the message, for example, to persuade customers to buy extra products or services, or maybe to renew contracts, then that’s a marketing message. And the rules apply. And the regulations that I’m talking about, the Privacy and Electronic Communications Regulations, apply to unsolicited communications. And so one case where you obviously don’t need to get consent before you send a marketing email is where it is solicited. And what does solicited mean? Well, that’s very simple. It just means that somebody actively requests you to contact them. So if somebody asks you to send information, you can always do that without getting consent, because that’s viewed as solicited marketing. But if you’re targeting new consumers, then it’s actually quite difficult to send a new marketing email without getting consent.

AV: So I suppose just specifically on a website, just to put some of what you’ve said, into context, I guess somebody might sign up for a newsletter. So that’s very obviously, they’ve obviously given permission by doing that.

JBT: They have, yes.

AV: Somebody might buy a product. And in the process of that, give their email, I guess. Would that be legitimate consent at that point, simply that they’ve bought the product?

JBT: That’s called the soft opt-in, okay, and that’s an exemption to consent. And we can talk about what consent means if you want, but let’s talk about this soft opt-in. Because it’s really useful. So the soft opt-in often applies to existing customers, or to potential customers who have expressed an interest. So what the law says is, yes, you can send marketing texts or emails, if a consumer has provided those contact details in the course of a sale or negotiations for a sale of a product or service. And if the company is only marketing their own similar products and services. And finally, if you’ve given the consumer a simple opportunity to opt out. So if you’ve obtained the contact details in the course of a sale or negotiations for a sale, that’s the soft opt-in. What does it actually mean? Well, if you’ve made a sale, you kind of know that, you know, you’re aware that you’ve made a sale. And you can continue to contact your customer until they opt out. The wording “negotiations for a sale” isn’t terribly helpful wording. But that means, for example, if somebody has requested, say, a catalog from you, you can continue to send them marketing messages. But you do need to bear in mind that those are only for your own similar products or services, and not for third parties’ products or services. I suppose the final thing that we’re often asked about in terms of soft opt-in, Andrew, is whether it applies to charities and not-for-profit organizations if they want to send emails, for example, to potential donors. And it’s important to remember that the soft opt-in is only for products and services. So it’s just for commercial marketing. And charities can’t rely on the soft opt-in. So emails that promote the aims of an organization can only be sent with specific consent. But if you’re doing commercial marketing, the soft opt-in is a very useful exception to consent.

AV: Yeah, and just coming back, I suppose the third common source of email, we’ve covered signing up for a newsletter, becoming a customer, the third one is the checkout abandonment, where somebody begins to buy a product, enter their email, and then changes their mind for whatever reason before completing the sale. So I think my understanding of what you said is that that could also be covered by the soft opt-in.

JBT: Yeah, I think it probably could, because they’ve maybe, you know, it’s this funny wording negotiations for a sale, but I think that’s probably expressing sufficient interest for the soft opt-in to apply. And it’s on the cusp. But certainly they’ve obviously had an interest. And as long as you’re sticking to similar goods and services, then you would hope that the soft opt-in would apply there.

AV: Well, I think on the cusp is good enough. So if we’re actually going down the route of getting consent, what should that actually look like?

JBT: Okay, so consent is consent in GDPR terms. So a consent has to be GDPR compliant. And that means that a consent has to be freely and knowingly given. So that’s the first part of the test. And the second is that it must be clear and specific. So a valid consent has to cover your organization, obviously, and also the type of communication you want to use. And we tend to talk about that as being a granular consent. And what granular consent means is that if you want to use a number of different methods of communication, for example, a call, an email, a text or social media, you should give consumers the option to opt into those in a granular way. And it needs to involve some form of very clear positive action. So classic examples are clicking an icon or sending an email, or most likely ticking a box. And the person who gives their consent really has to understand that they are doing that, that they are giving you their consent. So I always think the clearest way to get a GDPR compliant consent is just to ask the customer to tick an opt-in box. And if you can, to do that for each type of communication, so a tick box for emails, and a tick box for each of the other types of contact, for example, social media or texts. And I guess the thing to remind your listeners about is that they shouldn’t be using pre-ticked opt-in boxes, because under GDPR, the law views that as being an opt-out box. So if you do use a pre-ticked box, it’s not certain that it’s going to be good enough to demonstrate GDPR standard consent. And that’s because the action by a consumer of placing an actual tick in a box shows a positive informed consent, and that’s important. And the final point for GDPR compliant consent is that you should actually go out and refresh that consent from time to time and you shouldn’t assume that it just lasts forever, Andrew.

AV: Oh, I didn’t know that. So if you send an email with an unsubscribe link in it, would that be refreshing that consent?

JBT: I think you’re better, if you can, to use some sort of a preferences tool. And you could view it as being a positive opportunity to reach out to refresh the consent. Now, a lot of organizations don’t go out and refresh consent, because they’re concerned that people are actually going to use an unsubscribe. So at the moment, this idea of refreshing consent is untested. And we’ll need to wait and see if the Information Commissioner’s Office comes out with something that’s more than guidance.

AV: Sure. And is there any view of how long you would need to wait before refreshing consent?

JBT: I think the ICO has guidance on this. I’ve not looked at it recently. And my thought is that it’s probably every couple of years.

AV: I’m going to say that as a consumer, I’m not sure I’ve received any requests to.

JBT: Do you know, I think you’re probably right about that. So in the run up to May 2018, when GDPR was coming in, you couldn’t get into your inbox for the number of, you know, “please consent to ongoing marketing” requests that we were getting. I have seen quite a few emails where you’re invited just to update your preferences. And that’s really a nice way of saying please, please reconsent.

AV: Yeah. And then in the event that people don’t reply to that email, don’t respond to that email, would you be able to continue contacting them?

JBT: Do you think that’s where you’re slightly at risk? So again, the question is whether you want to ask permission, or whether you want to seek forgiveness, it’s that sort of question sometimes, isn’t it?

AV: I have to say that generally, I’ve opted to go down the route of seeking forgiveness.

JBT: Yes, and you’re certainly not alone in doing that.

AV: So if we’re relying on one of these soft opt-ins, to email people is there anything else we need to do?

JBT: You need to make sure that consumers are given a simple and straightforward opportunity to opt out of ongoing marketing. So you do that, firstly, when you collect their contact details. And then on every email message that you send after that, you need to make sure that you’ve got an unsubscribe or opt-out option. And that’s the right practice. And that tends to be what people do.

AV: Yes. And I think, even quite apart from the GDPR, you would want an unsubscribe link anyway, I think. And I certainly know, in other countries, there’s a requirement for that, such as the CAN-SPAM Act in the US.

JBT: Yep. Yep. And I think people expect to see that and whether they use it or not.

AV: And I think the other issue there is how that unsubscribe works. Because obviously, unsubscribe can be a simple one click: you click on the link and you’re immediately unsubscribed. Or it can take you to a page that can be either simple or quite complex to unsubscribe.

JBT: Yes, yes, exactly. And the idea is that if you give consent, then you have to be able to withdraw that consent as easily as you gave the consent. And so with unsubscribe, if you make it difficult for people to unsubscribe, I think that could lead to a complaint to the regulators.

AV: Sure. And on a practical note, certainly on Machine Labs, our unsubscribe is very simple. And our rule is that customers can’t have a spam complaint rate of more than one in 1000 emails. And we find that if we go over that limit, we can actually begin to have problems delivering the emails. So again, quite aside from GDPR, I think that a clear unsubscribe is an extremely good practice for commercial reasons anyway.

JBT: Seems to make sense.

AV: I’ve kind of now mainly moved from B2C, obviously, into B2B at Machine Labs. For people marketing in B2B are the rules different?

JBT: They are. So there’s a difference between emails to businesses and emails to consumers. And the rules on consent and soft opt-in don’t apply to emails that are sent to corporate subscribers. So that’s the magic phrase, a corporate subscriber. And so corporate subscribers means companies or other corporate bodies. So for example, a limited liability partnership or a Scottish partnership or a government body. And that’s fine. But you do need to remember that corporate subscribers don’t include sole traders and English partnerships, because they’re not corporate bodies. So you just never quite know if it’s a corporate subscriber, but it is much easier to send B2B communications. Something though, that you do need to bear in mind is that obviously, most individuals will have a personal corporate email address. So for example, Andrew at machinelabs.com is a personal corporate email address. And under Section 11 of the Data Protection Act 2018, individuals have a right to stop any marketing being sent to their personal corporate email addresses. So if somebody has explicitly told you not to send marketing emails to that email address, you need to respect it. And you need to put that onto your suppression list.

AV: Great, but we wouldn’t need consent to send the email in the first place?

JBT: Correct.

AV: Great. So I can spam as much as I want. That’s good news. Stepping back to B2C, and obviously, the vast majority of our listeners are in B2C e-commerce. And there’s also you know, good old fashioned postal direct mail. And of course, the great thing about post is it can also be a little bit richer than an email, perhaps even having a sample of the product. So how do the rules for post compare to the electronic communications?

JBT: Yeah, again, it’s much easier to do postal marketing from a legal perspective; there are some quite significant differences. So you don’t need consent to send out postal marketing, but you do need to have a lawful basis for sending postal marketing. And under GDPR, that basis is usually referred to as the legitimate interest basis. And if you’re using legitimate interest as your legal basis, you need to be able to show that the use of people’s personal data is proportionate. It has minimal privacy impact, and people wouldn’t be surprised or likely to object to receiving that marketing material. I suppose the one thing you do need to bear in mind is the Mailing Preference Service. So obviously, best practice is to screen consumer mailing addresses against the MPS list. But no, postal marketing is much easier from a legal perspective than email marketing.

AV: Okay. Obviously, postal marketing is also a lot more expensive. So again, from a commercial point of view, you’d want to make sure it was being sent to a pretty engaged audience, or it would be unlikely to work. And so something else I’ve been thinking about is custom audiences. And again, I think a lot of people are maybe not familiar with a custom audience, so I’ll just briefly explain it. In Machine Labs, or other products (other products are available), you could create a segment. And then you could upload that segment of customers or contacts to Facebook. And then you could specifically target adverts at that custom audience. And I have to say, one of the uses I have seen of custom audiences is that when people unsubscribe from email, I have seen people using custom audiences to then target that list for advertising on Facebook. And so what would be your view of that?

JBT: Yeah. So that’s an interesting one, actually. So if we look at, you know, first of all, can you actually do the segmentation that you’re talking about? You know, the answer to that is, yes, that’s legitimate if you’ve collected the personal data in a compliant way. If you’re sending it to Facebook on the basis of people having unsubscribed, again, I think you’re in a gray area, Andrew, and you’re probably then using as your lawful basis legitimate interest in sending the data to Facebook, because obviously, you’ve not asked for a specific consent to do so. And if you’re using legitimate interest, then you need to balance your legitimate business interests against the legitimate interests of the customer. And if people have unsubscribed, then you might have some difficulty in balancing that up, I think.

AV: Yeah, I mean, my suspicion is that the reason this hasn’t really come up is because I think when people see an advert on Facebook, for a company, they don’t understand why they’re seeing that advert. So obviously, if they bought from a company in the past, and they see an advert from the company, there are many reasons they could be seeing that advert. I mean, the advert doesn’t say on it, you’re seeing this advert because you’re in a custom audience. So I think it’s one of these areas where consumers aren’t really aware that it’s happening, which is probably why, you know, there hasn’t been that much debate about it.

JBT: And it’s interesting, actually, I’m just thinking about how you would try and make this as legitimate as you can. And certainly one of the things I think you would want to do is to look at your privacy policy. And just to see if the privacy policy has wording that calls out maybe the possibility of using a custom audience facility. And because if you’ve told customers about the use of their personal data, then you’re more likely to pass the transparency or fairness test under GDPR, which might allow you to pass that balancing test when you’re balancing up legitimate interests. And so I think people should look at their privacy policies if they’re carrying out that sort of activity.

AV: So Joanna, that has been absolutely great. And perhaps you could just take a moment to summarize the key things that we should be doing before emailing our customers.

JBT: Yep. So you should be, first of all, checking that you have a privacy policy that covers what you’re doing. And because that’s an important part of GDPR, then you should be deciding whether you are contacting people on the basis of consent or legitimate interests under GDPR. And I’ve talked a bit about them. And then you should be looking at the privacy and electronic communications regulations, because they add that extra layer to email marketing. And you should be deciding whether or not you can use a soft opt-in or whether you need to get consent under those regulations. If you are getting consent, you need to make sure that that is done in a positive and granular way. And you need to make sure that if you’re dealing with a soft opt-in that you’ve always got an opt out opportunity. So really, the big thing that came in with GDPR was transparency and clarity. And that runs right through all of the communications with consumers particularly. So I would say that’s a quick checklist, Andrew.

AV: Wonderful. Thank you very much. I think that’s been hugely informative, and I think I now know what I need to stop doing. If you want to grow your e-commerce business, please try Machine Labs. Working within the GDPR, we’ll provide you insight into your customers, products to help you sell more, and send lots of informative and relevant emails without getting you into trouble. See you next week on the Joy of Marketing.
