Kafka strikes again: GDPR requires consent, but you can’t ask for it

I’ve let this one fester for a while – partly because I’ve been angry about other things, and partly because you must be bored with my ranting about the GDPR by now. But I really can’t let this one pass.

A key principle – perhaps the key principle – of the GDPR is the requirement for explicit consent. You can only use personal data for the specific purposes to which the user has consented. Many companies have realised that this means their existing marketing databases will be useless come May 2018, so they’ve taken the apparently logical step of writing to their customers and prospects to ask them whether they consent to receiving marketing communications.

Which would be fine. Except that first of all (even under existing law) they have to prove that the customer has already consented to receive marketing communications. Because an email asking for consent to receive marketing is itself…a marketing email. So if they’ve already explicitly opted-out of marcoms, or they haven’t specifically opted in to emails asking them to opt in, you can’t write to them.

No. I’m not making this up.

Here’s the ICO fining Flybe £70,000.

Here they are fining Honda £13,000.

Flybe were evidently sailing (flying?) pretty close to the wind – if I’ve opted out of marketing emails, it seems likely that an email asking me to opt-in with the lure of a prize draw will have something of the lead balloon about it.

The Honda case is more interesting. Essentially they claimed that their email wasn’t marketing but customer service, and the ICO disagreed. Also interestingly, Honda dealers are separate corporate entities and Honda relies on a mandated policy template to cover the transfer of data from dealers; it looks as though their implementation of that policy was poor and this wasn’t picked up.

So, in summary, if you can’t absolutely, positively prove that someone has consented to receive marketing communications, you can’t send them a GDPR arse-covering consent request. And if you absolutely, positively can prove it, you probably don’t need to send them a GDPR arse-covering consent request.

So for all those customers and prospects where you currently have vague – or no – consent data, you’re going to have to think again. The advertising and social media folks must be hopping up and down with glee. I love the irony of a data protection regulation that arose in no small part as a response to fears about Facebook being likely to become a major driver of Facebook ad revenue in its implementation year.

One thought on “Kafka strikes again: GDPR requires consent, but you can’t ask for it

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s