This article has just been passed to me by a colleague. It claims that "marketers face a ‘double legal whammy’ as on the horizon is another set of restrictive rules and regulations that look like becoming law across all 28 Member States of the European Union."
The author predicts "even more red tape with potentially damaging consequences for millions of businesses and organisations that depend on DM".
There is a tendency when reading such articles to overreact and go into "we're doomed" mode. So, I've dissected some of it to try and understand whether it really does affect email senders who are already acting legitimately.
I'm no legal expert, so I'd be interested to hear what others think and whether my interpretations are valid.
This is my analysis of the key points only, not the full article. My comments are prefixed with " > ".
(A) Regarding the "recent changes implemented by the ICO (UK)" mentioned in the article.
(1) Marketers will now need to keep a detailed record of how and when customer consent was obtained; what was actually said at the time of data collection and these records must now be available for inspection by the authorities on an ‘on demand’ basis, irrespective of the retrieval costs to business;
> As responsible CM customers we do of course ensure that our own customers are ensuring subscribers have opted in. The question here is, is the email marketing agency or the customer (or both of them) responsible for maintaining these records of when and how consent was obtained? If it's the agency's responsibility that potentially means we have to inspect our customers' own CRM systems (if they have one) to ensure they're retaining such records and not binning them.
(2) Marketers won’t be able to use any form of incentive as a condition to encourage customers to sign-up to receive information about products and services;
> This is a new one on me. No mention of it on the ICO's website. If it's true it means we can no longer offer a free e-book, MP3 or whatever in return for subscribing.
(3) List brokers and list owners must now comply with a higher burden of proof that consent was obtained from every person on that list
> And a good thing too. Regarding list brokers, potentially cleans up the industry to some degree. Not an issue for legit email marketing agencies.
(B) Regarding the so-called double whammy of restrictive rules and regulations referred to in the article, which are "on the horizon" (i.e. not actually law yet).
(4) Where more than 5,000 records a year are processed or where those records are of a ‘sensitive’ nature, it’s likely to become compulsory for companies to appoint a Data Protection Officer;
> Presumably this refers to our customers, or does it refer to agencies who are also processing the data for the customer? If so it adds additional red tape for small agency businesses.
(5) Mandatory risk analysis and compulsory Privacy Impact Assessments are likely to be required as part of a company’s data protection procedures;
> Again does this apply to the customer or the agency? If the latter then more red tape.
(6) Adequate insurance will need to be in place in order to protect Data Processors as they look like becoming jointly liable in situations where there’s a breach in data protection;
> Most respectable agencies should have professional indemnity cover in place already. However if it is deemed by insurers to be an additional risk, it could increase premiums.
(7) Individuals are likely to have the ‘right of erasure’ of personal data and this is likely to make de-duping of lists much more problematic for marketers in the future
> Not a problem, is it? We do this already.
Hi there, thank you so much for passing this on - changes in EU law are certainly of interest to us, so we've been keeping an eye on things from our end, too.
In regards to the list of obligations in the article, it looks like both our internal practices, plus our permission/anti-spam and privacy policies fulfill their requirements - as you know, we take both security and privacy very seriously here. For senders, this is probably a good opportunity to review our permission guidelines and consider questions like who your Data Protection Officer would be in your organisation.
Thanks again for the heads up and happy sending during the holiday season!
Many thanks Ros. Any UK CM users out there who want to add to this discussion?
I've had an email discussion about this with a respected UK email marketing expert.
He confirmed the legislation is in progress and does impose some challenges for direct marketers. Latest update from the UK DMA.
Regarding my point (2) above "Marketers won’t be able to use any form of incentive as a condition to encourage customers to sign-up to receive information about products and services", like me he doesn't believe it is totally correct and agrees that this is not the case.
He also pointed me towards this useful article from the UK ICO: One small step for EU Parliament could prove one giant leap for data protection, in particular take a look at the section headed "Consent".
And finally EU data protection reform could be delayed until 2015 meaning it wouldn't come into force until early 2017.
It all looks straightforward enough.
I doubt it's going to have any practical impact on the industry at all. Similar to the cookie law. A lot of fuss was made about it, but in the end it was pretty painless.