Let’s get one thing straight – GDPR is not a new rule about obtaining consent to market to people. That law already exists under the Privacy and Electronic Communications Regulations (PECR) and the ePrivacy Directive. What GDPR does is give individuals more control over how their data is used, and if it is used.
Under privacy and data protection laws already in place before May 2018, marketing to individuals is wrong if they have not given you permission or, especially, if they have asked you to stop. Passing their data to third parties without their permission is illegal.
The biggest change that GDPR brings is that data controllers and processors are legally obliged to be transparent about what private data they hold and how they process it. Ever been annoyed that you ask for an insurance quote on a comparison site, only to receive spam from multiple vendors as a result? That is the kind of activity that GDPR is designed to prevent.
If I sign up on a site and agree to a clause that says, “we would like to send you other offers”, I am agreeing to that brand communicating with me and sending me offers. I am not agreeing to that brand selling my data to third parties or for that brand to send me third party adverts masquerading as its own offers.
Let’s examine one brand – National Express
Coach company National Express sent me an email promoting a prize draw. (I am on its list as a customer, and I haven’t asked it to stop emailing me.)
I suspected this was the company’s attempt to improve the consent it has received from customers, or perhaps start again. Here’s the main copy from the email.
In the bottom segment of the email is also this text, which links to the same page as the main offer. This is how I concluded that this is all about gathering new consent.
Here’s where it gets interesting for me. Look at the entry form for the draw, especially the consent form at the bottom, which is asking me to say yes or no for marketing.
This already creates doubt in my mind as a user. Why is there a no option? Am I to believe that I have to actively tick no to STOP them doing what they say? Or am I to assume that they will only do it if I tick yes, in which case why is there a no option there? Perhaps it is to alert them to the fact that there has been some acknowledgement of the form, which would be understandable.
Let’s review this text. If I say yes, National Express will send me offers and other things. The wording suggests only they will send me these offers, but they are vague about whether these offers will be only National Express offers. What if an advertiser comes along and says, “Hey, National Express. We’ll pay you £x,000 to promote our travel insurance to your customers on our behalf?” If it isn’t a National Express product, have I given the company my consent for it to market to me in this way? (The answer, I can say, is no, by the way.)
That doesn’t work for me. The only way I can be assured of any measure of control is if one of three things happens.
- I opt out and ask National Express to stop emailing me.
- National Express creates a system similar to the one on Amazon, that I wrote about.
- I contact National Express asking for a full explanation of what data it holds and how it is planning to use it.
In conclusion, how does tightening up consent make any difference?
It doesn’t. People are getting caught up on the notion that it is all about consent. Thanks to the new GDPR legislation, and the forthcoming ePrivacy reform, consumers will have more control over their own information.
See also: Why GDPR is needed. Halfords, take note.
That control is the key for me, because I am none the wiser when I tick a box what I am actually agreeing to.