What does GDPR mean for B2B email marketing?
B2B email marketing is pervasive: it can be very effective or just downright annoying.
Whatever your views, it’s generally agreed that the forthcoming General Data Protection Regulation (GDPR) will affect it in some way. To what extent GDPR will impact email marketing in B2B businesses depends on what you read. Is it armageddon, or no big deal?
The somewhat boring but correct answer is somewhere in between. However, there’s so much (mis)information out there, we’d like to clear away some of the confusion and get to the facts as we see them.
Email marketing in focus
In short, GDPR is about protecting personal data. And while the incoming laws are about much, much more than marketing activity, for the purposes of this piece, we’ll stick to the email marketing implications. Even more specifically, we’re talking about B2B businesses. Note that sole traders and partnerships are generally considered to be B2C and not B2B.
GDPR is an overall framework for data protection and privacy, but there are no specific mentions of email marketing within the law. However, there are specific rules on email marketing in the Privacy and Electronic Communications Regulations (PECR), which have been around for some time but are currently being reviewed. No matter the results of the review, it’s clear that GDPR gives PECR new impact.
GDPR applies to personal data, which means anything that may identify an individual: corporate email addresses, cookies, IP addresses or postal addresses stored digitally. A company employee is still an individual when at work, and therefore GDPR still applies. There is no opt-out from GDPR, for anyone.
Turn on, opt in, and opt out
The question of consent is central to the new laws, and for B2B marketers accustomed to buying huge swathes of business data and marketing to people via their inbox, this creates a problem.
However, despite what you may have heard, GDPR does not explicitly require opt-in consent for B2B marketing activities. Article 6.1 clearly sets out 6 legal grounds for using personal data, which include opt-in activity. These are:
6(1)(a) – Consent of the data subject
6(1)(b) – Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
6(1)(c) – Processing is necessary for compliance with a legal obligation
6(1)(d) – Processing is necessary to protect the vital interests of a data subject or another person
6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
6(1)(f) – Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject
It’s a case of either/or for each of the 6 grounds listed above. For B2B marketers, the most interesting item above is 6(1)(f), and particularly the phrase ‘legitimate interest’.
Before we get into the concept of legitimate interest, let’s be clear: opt-in consent is permitted under GDPR, but GDPR does not specify that double opt-in is necessary if you use consent as your lawful basis.
This is contrary to the idea that businesses need to not only opt subscribers in, but also gain double opt-in – something many UK businesses believed until recently.
Double opt-in is best practice and should be followed anyway. After all, it’s better to have a small number of people on your mailing list that want to be there than hundreds of thousands that only vaguely remember opting in months ago.
Legitimate interest is another of the 6 lawful reasons for processing personal information defined in GDPR. The regulation states specifically that “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” In fact, the DMA view is that B2B marketers will be able to make use of the legitimate interest legal grounds for their marketing activity in most instances.
Keep in mind, though, that the definition of legitimate interest is still a matter of debate. GDPR requires the sender to justify that a communication is in the legitimate interest of, and does not risk the privacy of, the individual. ‘Legitimate interest’ should not be used as a reason to ‘catch-all-and-carry-on-regardless’. You can download the DMA guidance on legitimate interest here.
In its guidance, the DMA suggests a 3-step process to decide if legitimate interest applies:
1. Identify a legitimate interest. It’s OK if this is a business interest on the part of the sender, as long as this is clearly identified to the recipient. There is a suggested privacy wording in the DMA document.
2. Ask, is it necessary? A business objective can determine necessity, but the difference between what is necessary and what is useful remains a grey area. The DMA suggests testing necessity by asking if the communication can be achieved by other means.
3. Strike a balance. Do the recipients’ rights override the sender’s interests in sending the email?
If you think legitimate interest supports the continuation of email marketing activity, don’t only rely on the few notes above. Review the flowchart in appendix A of the DMA document above, and then complete the legitimate interest questionnaire in appendix B. File the questionnaire somewhere safe, too, so you can refer back to it to justify your decision.
Finally, it’s worth balancing legitimate interest against consent before GDPR is implemented. Relying on consent – opt-in, in this case – restricts your communications to those who have opted in. Legitimate interest, on the other hand, allows communication with those who have not yet opted in. A recipient can subsequently opt out in either case, but it may be worth thinking through legitimate interest today, rather than simply chasing opt-ins and risking opt-outs in the months before GDPR is implemented.
Thoughtful B2B email marketing will survive under GDPR. However, communication will be more closely scrutinised and we can certainly expect confusion and debate well beyond May 25th 2018, when GDPR is first enforced.
Don’t relax too much though: with PECR currently under review, everything will likely change again 1-2 years down the line.
We’ll keep you updated!