Thank you for Subscribing to CIO Applications Europe Weekly Brief
GDPR Anniversary; GDPR Consent & Emerging Litigation?
By Emma Hall LLM, Solicitor, Group Data Protection Officer (GDPO), Domestic & General Group
Requests from companies for “consent” for direct marketing, on paper or through email, were very visible and easy to spot by us as recipients and also by regulators. The “May 2018 consent rush”, as I will call it, had the result that many companies experienced a sudden and significant reduction in the volume of direct marketing campaigning because legacy databases of customers were unable to reach GDPR standards, and collection of fresh consents were yielding low opt-in rates. As a result of this, marketing campaigns appear to have made less money. Simultaneously, through my network of privacy professionals, I saw that many companies procured, designed or redesigned expensive technological solutions and platforms to integrate these requirements under many “GDPR project work-streams”. Both financial income and expenditure were impacted through choice of mechanism and application of approach.
You are likely to have noticed your email in-box filling up with tick-boxes, requests for your consent to direct marketing, in reliance on GDPR valid “consent” during “consent rush”. I for one received a tsunami of “consent” request type emails in the run up to May 2018!
The new GDPR rules for acquiring “GDPR valid consent” were many and varied and, in general, were applied stringently
Consent was, and remains, one of the two foremost mechanisms potentially available to companies to conduct direct marketing activities on their customers. If we think of consent as a tick box, the other mechanism called “legitimate interest” is more recognisable in practice as a pre-ticked box or “opted in” unless de-selected. The difference in choosing between the two, was that at that time, a required action from a customer (ticking a box) generally resulted in a company being able to market to significantly less of its customers than where it had required no action (pre-ticked box type approach under legitimate interest). This is likely to have delivered less revenue back to the company from “consent rush” which is thought to have reduced volume in “GDPR permitted” direct marketing campaigns and percentage return money from those campaigns.
From what I saw through working in the area of operationalising GDPR through strategy, within my network, and working in privacy management, I saw companies and charities struggle to understand the legal alternative (“legitimate interest”) or properly consider any alternative to “consent”. In many circumstances, a more appropriate and available opt-out mechanism, for direct marketing campaigning under “legitimate interest” could well have been available. This approach to direct marketing activities was compounded by GDPR fear which may also have influenced very conservative legal advice from law firms. This advice was generally operationalised into the foundation of a conservative and restrictive marketing strategy, and acted as the driver for procurement or evolution of arguably appropriate technological components to support it.
On 4th March 2019 the Law Society Gazette reported that the chief executive of the marketing network DMA Group told a Westminster Legal Policy Forum conference that many of the 1,000 DMA members had been wrongly told to focus on consent as the basis for processing data. The Law Society also reports that a legal compliance expert has warned lawyers to revisit advice and identify any mis-application of the law to the direct marketing sector. Putting two and two together, could this be the start of a niche area of data protection litigation? We are already seeing the start of the long-awaited and, by most, long-feared emergence of individual type DP claims, and this adds another intriguing potential facet to this rapidity evolving area of law.
As a lawyer this is a very exciting and specialist area of potential litigation bringing perhaps a new commercial bubble to slip into the fading Payment Protection Insurance (PPI) space on an individual level and platforming privacy attitudes of companies even further than we saw during the “consent rush”. In terms of the privacy evolution, and the reason I was inspired to focus my career in the space, there are positive aspects emerging, one being because it focusses the privacy profession on the human element - people and respecting their rights.
This type of development stands individuals right where they should be, at the heart of operational privacy management activity, technology solutions and corporate DP legal strategy. They also complement an important operational balance of risk proportionality supporting legal and respectful, commercial functionality and consequently development for the privacy profession.
IOT Edge Computing - Opportunities and Challenges
Marwan Tarek, Director—IoT and Digital Transformation (EMEA), Hitachi Consulting
Getting to know you?
Andy Wall, CSO, Office for National Statistics
Data Breach Readiness and GDPR: The Goalposts Have Moved
Jim Steven, Experian’s Head of Data Breach Response Services
How Value-Creating Experiences Allow Customers to be Connected?
Grant McBeath, GM Consumer & SME Channels, Spark NZ