On a recent trip to Chicago, I had brunch with a college friend. When I told her what I do, she asked me about all those privacy emails she got. I told her about the new European – ok, global, really – privacy regime, the General Data Protection Regulation (GDPR), and its importance to her as a consumer. During subsequent exchanges with my colleagues, I thought about the true scope and impact on our industry.
Before we go any further, there may still be some confusion about what exactly GDPR is. Cheetah Digital compliance expert, Alex Krylov, offered the following explanation:
At its core, the GDPR tasks organizations to bake privacy into their business operations and core products by design. It requires processing activities to be justified as lawful, transparent, and proportionate, and balanced against the rights and interests of individuals whose personal data may be processed. The issue of ‘specific, freely-given and unambiguous’ consent – when and how data should be collected – is a key issue and remains an ongoing area of adjustment by the industry. While consent is just one of six co-equal ‘legal bases’ that companies can lean on to legitimize their processing activities and is not mandated under GDPR for direct marketing, the specialized ePrivacy Directive, which specifically covers e-marketing and interactive advertising, does.
Everything goes back to the data, and data is the lifeblood of any digital marketing program, regardless of the level of sophistication. The range of personal data covered by GDPR includes everything from a person’s email address to a cookie ID to their precise location. It is anything that would enable someone to follow a trail back to a person, even if they are not known by face or name.
Marketers should think about the following considerations in a world with GDPR:
While the initial frenzy has settled a bit, the coast is not completely clear for American marketers. According to a study by Janrain, 68% of US consumers said they would like to see similar data protection laws passed in the United States. Given the rash of data breaches and insecurity about how personal data has been managed, this is not surprising.
The pre-checked box could be extinct
The ePrivacy Directive requires consent for e-marketing and for storing or accessing data on a user’s device – for example, in a cookie – but does not prescribe how this should be done. In turn, the GDPR now defines the standard for qualifying consent for ePrivacy covered uses, but still leaves much room for interpretation. What is clear is that consumers must knowingly and overtly consent to things like email marketing.
Many common acquisition tactics would be a hazard in Europe – and Canada. Yes, we are talking about the venerable pre-checked box. It is often small, placed in obscure areas, and discourages subscribers from unchecking it. Krylov calls it “the peeve of privacy pros and deliverability warriors alike.” Tread lightly and err on the side of clarity with regard to consent.
The (third) party is over
Cheetah Digital, along with its fellow industry coalition members, does not condone email list purchases or rentals. And with the GDPR now in effect, the practice may expose marketers to higher risks.
Consent – if collected by a third-party – will simply be harder to prove to the higher “unambiguous” bar. In a Marketing Land article, Krylov stated that
Consent requirements under GDPR will be one of the biggest reasons companies will reconsider use of third-party data. There are many reasons for B2B marketers to focus on organic data collection and engagement. They have enough to worry about: being filtered out of inboxes, wasting marketing spend, missing out on more personal connections, and tarnishing their reputation when the world is focused on privacy abuses.
Smaller list size
For better or worse, many brands gauge success by list size. Since subscribers must now actively opt in, many had to re-permission their entire database. If that’s you, you likely feel like you’re starting from scratch, as subscribers either ignored the confirmed opt-in (COI) emails or simply missed them. I even read a column where the writer was stoked that he didn’t have to do the work of unsubscribing from brands. The COI promised that he would be taken off the list simply by not replying. While we don’t want customers to go, it’s better to purge them or allow them to unsubscribe, rather than face a lawsuit (which is already happening).
Reduction in revenue
A smaller list could result in less revenue. If you’re getting your message in front of fewer eyeballs, then fewer clicks yield fewer conversions. On the other hand, those who are most engaged and likely providing the bulk of ongoing revenue are likely to have opted in again. For those who may have missed that opportunity, consider asking purchasers to sign up for marketing emails within order, shipping, and delivery confirmation campaigns. This is something that was already happening with new customers, but this re-engagement campaign should be considered for keeping in contact with existing customers.
Sensitivity to personalization
How do we let consumers know that we know them, without making them uncomfortable about how much we know about them? While this doesn’t mean you should revert to static campaigns, it does mean that you need to include content in an organic way that adds value – like real-time, interactive content – and adheres to the tenets of GDPR of upholding data privacy and transparency. Krylov summed it up well.
The truth is that much is still unsettled and no one is compliant, or will be compliant for another 2-3 years as the dust settles and gray spaces are clarified. It’s going to be an ongoing, iterative approach for everyone in the digital ecosystem, which is particularly fluid.
GDPR and its effects are here to stay as both a challenge and opportunity for marketers.
Note: The content in this blog post is this is for informational purposes and is not legal advice.