RE-PERMISSIONING. Helping you prepare for the GDPR

Transcription

1 RE-PERMISSIONING Helping you prepare for the GDPR

2 Table of contents Introduction 1 What is re-permissioning? 2 When should you think about repermissioning? 2 What are the risks associated with repermissioning? 4 What are the benefits? 5 So, what can you do now? 6 Re-permissioning tactics and strategies 6 Best practice for all re-permissioning tactics 9 Conclusion 10

3 Introduction Re-permissioning has become a buzz word in the last few months due to the upcoming General Data Protection Regulation (GDPR) changes. Marketers are panicking trying to answer questions such as: Did I gather appropriate consent? Where did all of my data come from? Do I have proof of consent for all my customers? Did we use incentives five years ago to acquire customers? The answer is likely to be that no, your current data doesn t appear to meet the new GDPR standards. Marketers must show that all personal data was obtained with consent and that they have the appropriate permissions to send marketing communications. In this paper, we aim to help you understand more about repermissioning and its potential role in helping you prepare for the GDPR, which goes into effect in May We will discuss when re-permission might be necessary, its potential risks and benefits, the steps to tackle a re-permission campaign and, lastly, some tips to ensure you attempt re-permission to a best in class standard. Note: This paper does not constitute legal advice. Any repermissioning tactics and strategies should be carefully reviewed and approved by your legal team or advisors. 1

4 What is re-permissioning? Re-permissioning is a method used to regain permission where subscribers are prompted to review their level of consent. This tactic comes in many forms such as an campaign, a web banner, a piece of direct mail, a push notification, etc. It would usually contain some information and context about the request (to re-permission) and a link to a preference centre where customers could alter the level of permission they ve provided to the brand, along with a reminder about privacy terms. Permission applies to personal data and communications preferences (consent). The output of the tactic will leave brands with either re-permissioned data, a no-response, or a permissioned set. Marketers are expected to then abide by those preferences or the outcome for future marketing. Re-permissioning consent is also often described as reviewing consent, verifying consent, checking marketing opt-in status or even refreshing consent. When should you think about re-permissioning? You need to review existing consents and your consent mechanisms to check they meet the GDPR standard. If they do, there is no need to obtain fresh consent. (GDPR Consent Guidance, March 2017). This leads us to understand that if existing consent does not meet the GDPR standard, then brands should start to think about potentially re-freshening/modernising/re-permissioning consent. 2

5 What is sufficient consent? Any freely given, specific, informed and unambiguous indication of the data subject s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. You used clear, plain language that was easy to understand You specified why you requested that data and what you were going to do with it You provided granular options to consent to independent processing operations Your request for consent was separate from other terms and conditions You asked people to positively opt in (tick a box or equivalent) Individuals were able to refuse consent without detriment What is insufficient consent? Customers did not positively opt-in (pre-ticked box, silent, default, etc.) You can t prove the opt-in mechanism used at the time (soft opt-in, silent opt-in, positive opt in, etc.) Your customers were incentivised to sign up to Customers signed up during a competition and were not told they would be receiving marketing s from you Your data wasn t intended to be used for marketing purposes (i.e. List of customers who bought warranty that you ve started ing because they bought from you once) Your data came from a third party and your brand name wasn t mentioned Someone forgot to add marketing preferences when loading the data in your system You haven t sent marketing communications to these customers for 12 to 24 months but had gained sufficient opt in at the time Consent was refused And the list goes on... 3

6 What are the risks associated with repermissioning? Legal Risks Depending on the tactic you choose to use and who you target (we will discuss these two aspects in more detail shortly), there will be varying levels of legal risks based on what the Information Commissioner s Office (ICO) deems as appropriate. Remember the examples of Honda & Flybe from our previous paper, who received very painful fines from the ICO for attempting to verify consent. Steve Eckersley, ICO Head of Enforcement said: Both companies sent s asking for consent to future marketing. In doing so they broke the law. Sending s to determine whether people want to receive marketing without the right consent, is still marketing and it is against the law... Businesses must understand they can t break one law to get ready for another. Note that your legal team or advisors will need to be brought in ahead of any re-permissioning initiative. The ICO is also keeping its doors open, should marketers have any queries. Poor deliverability Besides the legal risk, a low response rate may be expected for some of the tactics, such as sending a mass re-permissioning campaign, or when, and if, contacting dormant customers. We know that low engagement on big volumes has a negative impact on deliverability. This risk can certainly be minimised by splitting sends or spreading your send across different IPs. A deliverability expert will be able to advise on the safest strategy to ensure limited impact. Poor customer experience We then have the danger of upsetting customers who have radical views about direct marketing. These customers may complain, so it s important to make any re-permissioning as client friendly as possible (and this will be discussed in more detail in the best practice section). 4

7 What are the benefits? Many marketers dread asking their customers for consent for fear they will say No. However, a well-designed re-permission campaign will not only help you comply with GDPR regulations, it can also help remind your customers of your brand. Compliance Firstly, your brand will be acting in alignment with the law. Improved customer experience Genuine control is given back to customers which is excellent customer service: it puts people at the centre of the relationship, helps build trust and customer confidence. Enhanced engagement in the long-term The engagement rate from re-permissioned customers will severely increase as customers are being put in charge of their own communications. Customer lifetime value is expected to increase over time. Reduced costs Reduced sending costs by only sending to truly engaged customers. 5

8 So, what can you do now? We have identified four steps which may help you in tackling consent, lack of consent and refreshing consent. 1. IDENTIFY: Identify the levels of consent risk that currently exist within your data (in accordance to GDPR standards) 2. SEGMENT: Segment the data into four levels (High+ Risk, High Risk, Medium Risk, Low Risk) 3. DESIGN: Identify, design and agree on the tactic you might want to deploy to each segment where you want to refresh permission 4. APPROVE: Speak with your legal team or advisors with your plans (and potentially the ICO) to avoid muddying waters Re-permissioning tactics and strategies Content block in campaign For customers with sufficient consent in today s law, but who don t quite meet tomorrow s GDPR standard, it may be interesting to target customers with a dynamic block (until they meet acceptable consent standards). The call-to-action would take your subscribers to the preference centre where consent may be updated. Note that some mailings may be more suited than others for instance, a loyalty campaign may be more beneficial than a promotional campaign because the former can build a closer bond between your brand and your customer, thus helping maintain your customer base. If you already have a re-engagement programme, be sure to include a message that emphasises the fact that customer data will be removed if there is no response. Be careful to follow the definition of consent ( freely given, specific, informed and unambiguous etc.). 6

9 Check-out page This method is particularly interesting for brands who have a high number of repeat purchasers, resulting in a significant number of customers being exposed to the consent update request. The check-out process could contain an additional step (page or content block) where the customer could amend their preferences and save. Do remember that consent should not be bundled with other terms. In order to increase uptake, it is advised to run creative and UX tests to optimise its performance week-on-week. Our Terms and Conditions are changing campaign This passive campaign is aimed at informing customers of upcoming changes, without directly prompting for an action. Response rate can be expected to be low, but may help bring you somewhat closer to GDPR standards. This tactic may be best supported with web activities. Be careful not to venture outside of the law when sending this campaign! You will be removed. Please opt back in one-off campaign This aggressive re-permission campaign is particularly risky. The creatives for those campaigns are usually to the point, with a single clear call-to-action to opt back in. Customers who do not respond to this should not be contacted again via the channel. Response rates are expected to be high due to the urgency of the message, but likely to be low if your current engagement rates are below 5% click-to-open rate, as this is a sign of little interest. Web banner Your website is a great tool for you to start informing customers of those changes and to gain updated consent. A web banner or pop-up display may be triggered for all existing subscribers, prompting them to visit the preference centre to update their details. This is a good long-term solution that is not likely to alter the customer s experience with your brand. Push notification If you have a mobile app, a good way to gather or update consent may be via Push notification. Only customers opted-in to Push notifications should be contacted. Ensure that the message is geared to providing your customers with a great brand experience and takes them to the preference centre page. 7

10 SMS Very similar method to the Push notification, an SMS may also be the right method for you if a good proportion of your customer base is opted in to this channel. SMS can be used to warm up your base regarding upcoming changes and a request to visit the preference centre page to update personal details. Depending on the loyalty of your customers with the SMS channel, you may see high response rates. Direct mail Direct mail can be effective in gaining visibility and reaching large numbers of your customer base. Try to explore what current direct mail options are available to create a high impact repermissioning campaign. Make sure the process you are asking customers to follow to update their level of consent is rapid and painless. The expected response rate here may not be the highest but when planned and executed correctly, you can create highly targeted communications with tangible and measurable results. In-Store / in-person Brands who are already requesting enrolment in-store may find this to be the right approach. As customers interact with the brand live, an employee might verbally inform the customer of changes and request updated consent, or even use an ipad for the customer to do so themselves. Be sure to train your teams appropriately with a script, depending on current level of consent. Call Similar to the in-store tactic, brands with call centres may use it as a channel to inform customers of their current consent details in order to gain (more) valid consent. When writing your script, be sure to exclude seeking this information from un-happy customers. Remove And lastly, you may choose to do what Wetherspoon did and decide to wipe your entire database. This is not the wisest decision, as this would undo years of work, with zero returns, so we do not recommend this option unless you re encountering severe data quality issues. 8

11 Best practice for all re-permissioning tactics Freely given, specific, informed and unambiguous consent; which informs subscribers about the brand that s collecting the consent and provide information about the purposes of collecting personal data (ICO, May 2017). Regardless of the approach you plan on taking with your data, best practice still applies. We have listed some tips below that should help you. Remember to always seek advice from your legal team. Tip 1: Only contact those who are opted in Verify and be confident with whom you choose to contact for re-permissioning. Should something go wrong, the ICO will be asking to justify your call. Tip 2: Do it for the benefit of the customer Work towards improving the relationship so updating consent is beneficial for the customer. Give them some of the power in determining what kind of content or messages they receive from you. Remember that consent is not freely given if it is incentivised. Tip 3: Avoid bundling with other message, terms and conditions There should be no attempt to sell or promote products and services at the time of consent request. Other terms and conditions should be unbundled from the marketing opt in. Tip 4: Clearly outline the process Don t forget to inform your customers of what happens next whether they update their consent today, or request to be removed. Examples of this may be: By clicking on Update Your Preferences below, we will take you to our preference centre site where you will be able to choose the sort of s you d like to receive from us, what channel and how frequently. Note that by not taking action, we will not be able to contact you past May Tip 5: Offer an explicit opt-out option Regardless of the method, it is best practice to offer a way out to customers. Make sure that you always have an unsubscribe button, but also that you include a clear, simple, unambiguous call-to-action for customers who may wish to unsubscribe. Remember that it s better to have customers unsubscribe than it is to have them press the Spam button! 9

12 About the author Jalna Soulage is a Digital Consultant at Cheetah Digital. Working with a number of brands across a variety of industries, Jalna is experienced in helping brands design and deliver strategic digital solutions. Conclusion Most brands may have to use some sort of re-permissioning tactic to verify or update consent, and precious attention is needed to avoid fines from the ICO. Be clear on the current level of consent you own, and devise your strategy from there. Always seek advice from your legal advisers and the ICO for further guidance on the best next step for your particular case. Published: November 2017 The information in this paper is offered as best practice guidance only. The information is based on available guidance (at date of publishing) from the Information Commissioner s Office (ICO) and other sources, which you can review from their website. This does not constitute legal advice and you should contact your own legal advisors or legal team in the event of a query. You should not rely solely on the information in this paper. If you have any questions about this paper or would like to discuss how we can help you improve customer excellence and meet GDPR consent standards, please get in touch: Website: 10

13 Cheetah Digital The Heights Weybridge Surrey KT13 0NY CheetahDigital.com