GDPR and PECR and Verschlimmbesserung
As we continue to get bombarded with dubious emails demanding ‘consent’ before GDPRmageddon on May the 25th, I am realising quite how little data protection and communication regulations are understood.
The GDPR is not PECR and PECR is not GDPR
At this point the majority of people are probably saying “What is PECR?” (and a smaller minority are saying “What is GDPR?”). If you work in digital marketing and you don’t know what PECR is, you’re like one of those drivers who got through their driving test without actually reading The Highway Code. Except worse. Much worse. The PECR (Privacy and Electronic Communications Regulations) sit alongside the UK’s Data Protection Act and, in the words of the ICO website, they govern “…marketing calls, emails, texts and faxes” — I’ll just take a short pause here while our younger readers google what a fax machine is, and the older ones re-live the joys of whistling to a fax machine (come the singularity/robot revolution you are in SO much trouble).
In case you still aren’t captivated by “PECR”, this might be the moment to point out that fines for breaches of PECR account for most of the penalties recently issued by the ICO (the UK’s data regulator currently enjoying the spotlight as it investigates Cambridge Analytica). Most recently Flybe and Honda got ‘whacked’ for £83,000 in fines for emails they had sent. I’ll come back to them in a minute, I’ll just watch your eyes widen for a moment (83k is about $115,000).
GDPR is now but not yet — PECR is now and has been — for a decade and a half
GDPR (the EU General Data Protection Regulation) is in the spotlight right now, as it comes into force in… Oh, go on then, check out the GDPR Count Down timer on the SocialOptic GDPR resources page. There are links to a whole range of other useful resources there too. GDPR’s older, wiser and considerably better looking sibling, PECR, sometimes known by its catchy nom-de-plume “European Directive 2002/58/EC” or “the e-privacy Directive”, also has another younger upstart to deal with, in the form of the proposed “Regulation on Privacy and Electronic Communications.” A sibling 15 years younger is always tough competition, but it’s only a proposal at the moment, so time will tell what its impact will be. When it comes into force it will be a significant change to how digital communications are regulated in the EU. The UK will probably have left the EU by then, and we’ll be able to safely ignore it, just like we’ll be able to ignore GDPR. Haha… No. Just, no. Really, no, you can’t. Now, if you have been deep into PECR and GDPR, you are absolutely going to love the sequel. It is literally epic; I highly recommend the Greek translation of the draft. Translating the 40+ pages back into English will be good practice for you. Anyway, ePrivacy is tomorrow’s problem, GDPR is today’s problem (though there is still time — it isn’t here quite yet), but most importantly PECR is today’s and yesterday’s problem.
Mind Your P’s and C’s
Hopefully you have it by now: GDPR is about the ‘P’ — the processing of data. Processing here is meant in the way that lawyers use the term, not the way that IT geeks and computer engineers do. ‘Processing’ includes storing a fax (I had to go back there) in a filing cabinet in the basement, just as much as it means using the latest AI on your big data. PECR is about the ‘C’ — the communication. So, every time I receive an email saying that they need “consent” to continue to send me emails because of GDPR, I literally scream. Literally — ask my neighbours. Firstly, GDPR isn’t, contrary to popular opinion, all about consent. GDPR is about lawfulness, fairness, transparency, limitation, minimisation, accuracy, security, accountability and more. That is before you get to “consent” — which is just one of six different lawful bases for processing information. That is just within GDPR. There are other bases, because GDPR isn’t the only regulation that covers the use of data. Now, generally, you do need consent to send emails. However, that consent isn’t GDPR’s “consent”. It is PECR consent. We are talking about the world of “soft opt-in” and double opt-in here. The ICO, and PECR, understand that you have a reasonable right to contact customers. It is also not without irony that GDPR itself actually requires you to contact customers in certain circumstances, for example in the event of a data breach.
Verschlimmbesserung all over your email
All engineers owe it to themselves to learn a bit of German. What other language offers you gems like “Verschlimmbesserung” — meaning an attempt to improve things that actually makes them even worse. Right now, lots of marketing folks are at peak Verschlimmbesserung. If you have an email marketing list, it is currently in one of two states: it is up to date, segmented and maintained, or it is in breach of PECR. That’s it. But, you say, but… “I have this email list and it’s mostly good. Yes, there are some email addresses in there that I picked up in 1983, which a nice person in a dark coat at a trade show copied on to a floppy disk for me”. *pulls stern face* Really? Best practice requires that people “opt in” to your emails by confirming their subscription. Europe operates a different model to the US, where users have a protected right to opt out, which is a great source of confusion.
There’s a knock at my front door. I open the door to a friendly looking face. “Hello!” they say. “I stole your car a couple of years back and I’ve been joyriding it up and down the streets and using it as a getaway car. I’m pretty sure you said it was ok, but I was a bit drunk at the time and can’t remember. Anyway, I was just wondering, could I have the spare keys and a note from you to say that you are ok with all that?” Without too much exaggeration, that is what many digital marketing folks are doing right now with your email address. They should get a T-shirt that says “I’m an idiot” and put it on their brand. Do you have permission to use my email address, or do you not? You just put your hands on the steering wheel while pressing the accelerator. Sending an email using an illegally obtained email address is proof of the offence. Here’s a better idea: offer me a lift to the shops and give me some cash. Seriously, if you are sending me a marketing email — and you almost certainly are, by the way, whatever is in it — then make it count: give me a special offer I’ll want, or tell me something I didn’t know that is useful or helpful. I’ve opened your email, make it worth my time.
Marketing folk aren’t Incompetent — We have machines to help us with that
It’s true. Some marketing folk are just plain genius. You need to grow your email list? No problem. What better way than a ‘viral’ marketing campaign around GDPR which gets some attention and some new email list sign ups. You might think my advanced years have made me overly cynical, but you know who you are, I am looking at you, and I see what you just did. Dark arts. For the rest, think carefully about the emails you are sending right now. Let’s get back to Flybe, Honda and that 80 grand fine again. Both good companies by the way, with a large amount of cash and enough expertise to know better. In the words of Steve Eckersley, ICO Head of Enforcement:
“Both companies sent emails asking for consent to future marketing. In doing so they broke the law. Sending emails to determine whether people want to receive marketing without the right consent, is still marketing and it is against the law.”
“In Flybe’s case, the company deliberately contacted people who had already opted out of emails from them.”
“Businesses must understand they can’t break one law to get ready for another.”
One of the clearest and largest risks of sending “re-permissioning” emails is that you run the risk of contacting people who have already opted out, unless your email opt-out process is totally watertight. Which, of course, it is. Isn’t it? One nice, clean email list. *cough* Not only that, once you have sent an email saying “unless we receive your consent we will not contact you again” you need to jolly well make sure that you don’t. At best, you’ve made a brand promise, at worst you are setting yourself up for some angry users and a possible fine.
The ICO’s draft guidance on consent is a useful read, if you are going to use the ‘c’ word, read it. The ICO is clear: You are not under any obligation to refresh permission on your marketing email lists if you already have permission, and you have a record of that permission. To be clear, you will almost certainly need changes to your terms and conditions, and many other processes, to be compliant with GDPR in terms of how you process data, but that is a different problem space. If you have an email list that isn’t up to scratch, there are other quicker, cheaper, less annoying ways to get yourself compliant. “But my email list is SO valuable!” you say. Really? Has it made you 80k of profit? Right now there are people filing those “we will not contact you again” emails for a rainy day. There are also customers who want to hear from you, but are far too busy and… Ooo… What’s that page in another tab doing? …Sorry, where were we? Hello? Anyone there? Was I meant to have clicked on something?
This is based on a post originally written on https://benjaminellis.org/
The ICO now offers this advice around GDPR and business-to-business marketing under the GDPR and PECR: https://ico.org.uk/for-organisations/marketing/the-rules-around-business-to-business-marketing-the-gdpr-and-pecr