
What not to do with your GDPR consent request emails

(Image credit: Shutterstock/Wright Studio)

Consent. The word on the lips of every organisation across the UK, but what does it mean? In relation to GDPR, consent means ‘offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement and enhance your reputation.’ How can organisations gain consent through email responses and maintain a contact database effectively?

Firstly, what is consent?

Building a contact database based on who, when and how consent was given prevents individuals being bombarded with information they do not want; they have, effectively, given their consent. This allows a company to feel confident that it is staying in line with the GDPR. Many opt for more than just a feeling of ‘staying in line’, preferring to use a GDPR-compliant consent management system. To make absolutely sure your company is compliant, taking away the pressure of managing the consent ‘lifecycle’ is a smart move. While using consent processes effectively enables organisations to increase opt-in rates and drive revenue growth, moving forward on a steady foot is now not just important legally; it is key to becoming known as a trusted brand.

Check your GDPR consent request emails are compliant.

If you are up to your eyeballs trying to decide how to word consent emails, you are not alone.

First, in terms of legal reasons to adhere to GDPR email compliance, think back to previous big data breaches. Did you know that if the Information Commissioner’s Office (ICO) today fined the same three British companies it fined in 2016 for breaching data protection laws, under the General Data Protection Regulation (GDPR) these fines would total £69 million? This is why it is more important than ever to adhere to the ICO rules for GDPR-compliant emails.

When a GDPR consent email isn't compliant

Not every fine is connected to how you word your emails, yet with new technologies and data analytics available to micro-target people, or micro-exclude people who no longer wish to receive emails, there really is no excuse for continuing to email customers who don’t wish to hear from you. However, Honda, Morrisons and Flybe (fined only £880,500 in 2016) were fined for this very infringement, albeit in slightly different ways. The common thread in all three cases was their failure to determine whether the people they emailed actually wanted to hear from them at all, and/or to store that information.

For companies with large databases, large mistakes prove costly. Being in breach of the privacy and electronic regulations aspect of the GDPR today is worth up to 4 per cent of a company’s global turnover.

  • Honda sent 289,790 emails clarifying whether customers wanted to receive marketing at all, which was seen as an infringement of how people’s personal information should be treated. The ICO could not find any evidence the people Honda emailed wanted to receive an email asking them to receive marketing emails!
  • Morrisons sent 131,500 emails to people who had opted out of receiving loyalty card related emails. This was viewed as flouting customers’ marketing wishes, as the emails were sent deliberately to entice them back by offering money-off coupons, extra More points and the ‘latest news’ from Morrisons.
  • Flybe sent 3.3 million customer emails that just asked recipients whether their details were correct, and to amend any out-of-date information and update their marketing preferences. In the same email, Flybe offered these customers a prize to update their preferences, which the ICO viewed as a marketing email, sent before consent was established.

All three were viewed as insufficient or inappropriate wording for obtaining consent. More than ever, it’s a good time to know what to do if your GDPR consent email is not compliant with the regulations.

The fix for gaining consent is in the wording

Consent is, perhaps, easily fixed if your information culture and consent lifecycle centres around something like football, for example. Manchester United ran a marketing campaign called ‘Stay United’, sending the people currently in their database information that used the club’s players to explain the benefits of consenting and all the elements of subscribing or unsubscribing.

They emphasised that the law was changing, so fans must consent properly if they wanted information from the club. Done by video, this was all easily digestible and easily understandable, and of course, dependent on your interest in football. Crucially, while they offered prizes for updating marketing preferences, winning them did not depend on giving consent or opting in. The prizes were open to all.

If you need a variety of consent stages

If a variety of consents are required, such as those needed by schools, churches or charities, you might need more expert help. Varied consent requests for cookies, marketing, collective use of social media, publicity purposes and the like, when you are dealing with different groups, need more than a blanket email or video approach. In cases where organisations deal with children and students, split family contacts, vulnerable adults and sensitive data, a management system is ideal. It will make sure you don’t miss the little things. The ICO’s recent regulatory action against lifestyle online company Emma’s Diary is testament to the will to fine small businesses run by mumpreneurs, alongside bigger companies such as Facebook and Cambridge Analytica.

Don’t leave it to employees

Keep in mind, consent must be checked annually. For many organisations with complex clientele but limited funds, gaining consent means risking a rather lumpy process whereby one employee after another is responsible for the ‘data gathering’ project. ConsentEye provides a system which chooses which consents are required for which groups. The system keeps track of who’s consented and who hasn’t. You only need to import contacts into it or connect a CRM system or database.

Building a contact database based on who, when and how consent was given prevents individuals being bombarded with information they do not want and allows a company to feel confident that it is staying in line with the GDPR. Using a GDPR-compliant consent management system takes away the pressure of companies having to manage this consent lifecycle, enabling organisations to increase opt-in rates and drive revenue growth.

Paul Tarantino, CEO, ConsentEye

Paul Tarantino is CEO of ConsentEye, which provides a cloud-based Consent Management System. He is an expert in the GDPR and privacy management arena, working with key partners to provide full data management solutions.