Opt-In & Opt-Out – Definitions of Consent according to the draft EU Data Protection Regulations

As a consumer, I am always in favour of legislation which seeks to protect individual freedoms, and reduce ambiguity in what organisations can and cannot do with my personal information. As a marketer too, it is important that the availability and use of a consumer’s personal information be governed by clear guidelines, and ends in a mutually beneficial result – at the bare bones of it; providing a customer with timely, relevant communications based on the data they have provided, at the same time as (hopefully) making a profit for the organisation I am working for.

The real worry is that the current draft of the European Union Data Protection Regulation does the opposite by introducing more complexity and ambiguity than already exists, and potentially creates further issues which would not have surfaced if the status quo were maintained.

The verbatim definition of consent within the Regulation is as follows:

“…’the data subject’s consent’ means any freely given specific, informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed…”
[http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2012:0011:FIN:EN:PDF Article 4 (8)]

Furthermore, the “Conditions for Consent” are laid out as follows:
1. “The controller shall bear the burden of proof for the data subject’s consent to the processing of their personal data for specified purposes.

2. If the data subject’s consent is to be given in the context of a written declaration which also concerns another matter, the requirement to give consent must be presented distinguishable in its appearance from this other matter.

3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

4. Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller.”

[http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2012:0011:FIN:EN:PDF Article 7]

In the above, I have highlighted the key elements here – the Regulation is essentially saying that organisations need to obtain a clear and explicit statement/action by which a data subject provides consent. From an email permission-marketing best practice perspective, this is fine – however the Regulation does not address whether or not this would need to be retrospective for existing databases, and whether or not organisations would be able to contact customers with whom they have had previous interactions (as is currently permissible under the existing Privacy and Electronic Communications Directive – and, the majority of the time, expected by consumers).

This is completely disregarding whether or not those consumers actually want to be contacted, and if the “burden of proof” detailed above is an enforceable requirement (in a worst-case scenario) – then the Regulation is effectively saying organisations must delete said data if they cannot prove consent has been given explicitly! Then there’s the possibility of dispute over the meaning of “informed & explicit”… well, you can see where this is heading – more ambiguity and less clarity.

Furthermore, there is an argument out there that this Regulation does not take into consideration the low risk use of Business-To-Business (B2B) data for marketing purposes – where, more often than not, an organisation would hold and process information on another organisation or group of members of staff, with perhaps multiple key decision makers – not an individual.

In summary, the intention is good but the detail is lacking – I strongly urge the legislators in Brussels to revise and alter the Regulation so that it can sit with the existing Privacy and Electronic Communications Directive. They also need to focus on what the effect of the changes in the draft Regulation will be for both consumers and organisations.
To find out more about the consequences of this legislation passing unaltered, and the potential impact on your own business, take a look at http://dma.org.uk/eu-data-protection. This site also provides information on how to take immediate action, by lobbying your regional MEPs.

EU Data Protection Regulation – Subject Access Request

A lot has changed in the world since the EU Data Protection Directive was first introduced in 1995. The internet was just beginning and much less data was stored and transferred electronically than today. It is no surprise then that the legislation is being updated to meet the challenges of how global business is conducted in the 21st century.

The Data Protection Act of 1998 followed the EU Directive and one of the key rights for individuals was to give them access to their personal data on request. By making a “subject access request” any individual can request all personal data held about them to check the accuracy. The current Act states that the data controller can charge a fee of up to £10 when supplying individuals with a copy of their personal data. The £10 fee does not cover the cost of collating and supplying the information but does, at least, act as a small check to discourage frivolous or vexatious requests.

Under the new proposed EU Data Protection Regulation, organisations would have to supply this information free of charge.

In 2009, the Ministry of Justice estimated that UK businesses spend £50 million a year in fulfilling subject access requests through additional manpower costs alone. If the ability to charge for a request is removed then this figure could increase massively and put a huge financial burden on UK companies.

If we consider that the volume of data held by organisations now is significantly greater than when the original Directive was passed in 1995 and the fact that collating all the personal data relating to an individual is more difficult now than it ever has been, then removing the charge for a subject access request would seem to be the exact opposite of what is required.

Some organisations hold a vast amount of personal data in many different formats and in many locations. You have live data that might be online and backup archives in various formats. Much of this data in the past would normally have been in a structured format such as a database. This made searching the data simpler. Now data controllers have to deal with unstructured electronic data, such as emails, with no indexing and try to identify what data refers to the individual and therefore falls within the definition of personal data. Consider an organisation’s email records. One person might be referenced in these emails by many different names. Not only that but these emails also might refer to other records stored in other formats i.e. paper files.

On the positive side, the proposed Draft Regulation does allow the data controller to provide the personal information asked for in a subject access request to the data subject in electronic format, if the information is held electronically and the data subject agrees. This makes perfect sense and would save a lot of unnecessary printing of information which when received by the data subject may be then transferred back into electronic format.

One of the aims of the changes in the draft Regulation is to put all EU countries on a consistent footing, but removing the charge for a subject access request surely cannot be good for anyone.

A look back at email marketing in 2012

Well. Another year has passed by and sitting here pondering 2012, the first thought that comes to mind is just how much happened last year. It really was a busy year for marketers with so many events happening and email played a big part throughout – from the Olympics emails to the heavy use of email in the US elections.

The biggest topic in the first half of 2012 though, was the cookie law. Having been passed back in May 2011, it finally came into force in May 2012. It generated plenty of discussion here and was by far our most popular post in 2012. If you missed it, you can find the latest guidance from the DMA here and watch Skip Fidura, Vice-Chair of the Email Marketing Council look back on the law here. The latter part of the year saw the discussion start around the new EU Data Protection Regulations, which I encourage you to get involved in – if only through commenting on the various blog posts you can read here.

The most widely covered topic in email marketing last year was of course mobile email design. Christmas Day alone saw 17.4m new smartphones being activated and mobile email usage grew throughout the year with Litmus showing 38% of all opens were on a mobile back in September. Just don’t forget that people click through from those mobile friendly emails – and the last thing they want is an unfriendly mobile website!

You should definitely have seen some of these special characters hitting your inboxes last year. There were plenty of marketers making use of them to increase the amount of readable information in subject lines and a few that.. well just took it too far ;)

One of the popular predictions at the end of 2011 was for HTML5 video to take off in emails and whilst there were a few examples of it early in the year, it wasn’t till the end of the year that several retailers and media companies really made use of it. So it is no surprise then that understanding autoplay and video in emails was our second most popular post in 2012 and similar to Chad’s prediction, I expect to see even more usage in 2013.

Less exciting maybe was the new draft version of DMARC being released – a technical specification, backed by Google, Microsoft and AOL amongst others, that aims to reduce the potential for email-based abuse. Just before the holidays, Microsoft announced its support for DMARC inside Outlook.com and so the momentum continues to build towards its submission to the IETF sometime in 2013.

Finally, it was Tim Roe’s approach to developing an email marketing strategy that took the third most popular post gong last year helping marketers to get started using just three different stages. Sometimes it is hard to just get started and this post helps you do that.

So 2013 will of course be another exciting year for email marketing – not least because we are starting to see more and more innovation in the email client space. Gmail (now 8 years old) is finally being challenged by new webmail clients like Outlook.com and AOL’s soon to be launched Altomail.

EU Data Protection International Transfer of Data

The development of technology has enabled businesses to act globally and be less limited by geographical boundaries. From our sofas we can shop online from almost any country in the world, companies can achieve a market presence in a country without having a single employee there; and in the world of iCloud and Dropbox we can access our files wherever we are, yet have no idea where they are actually stored.

So, as digital “borders” blur, how is the EU Data Protection Legislation evolving and what are the implications for marketers?

Let’s look firstly at the existing legislation. The existing UK 1998 Data Protection Act says that “Personal data shall not be transferred to a country or territory outside the European Economic Area (the 27 Member States of the EU plus Iceland, Liechtenstein and Norway) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”

Of course that’s not quite the whole story. You still have to adhere to other principles of the Act, informing individuals that their data is being transferred, and ensuring that you do it with the right security. Also, in the UK our current legislation allows a data controller to transfer data outside the EEA based on their own assessment of adequacy of protection – and this difference highlights another key challenge – that there are differences in national implementation of the 1995 European Data Protection Directive across the EU. Complaints have also been voiced about the complexity of the 1995 Directive regarding data transfer.

Those hoping for some advancement with the new European Draft Data Protection Regulation are, however, likely to be rather disappointed.

While some of the rules on transferring personal information to countries outside the EEA have been made more business-friendly, the Draft Regulation arguably also takes a step backwards, and raises many more questions.

One of the proposed key changes is that the laws of the country where the data is held become less important than the question of whose data it is. So, for an EU Citizen, no matter where their data is processed, the law that would apply under the Draft Regulation is EU law. It’s nice to feel protected, but one wonders just how practical it will be to enforce implementation of this globally. How will organisations around the world even be able to identify that they are dealing with EU Citizens? In a digital world, nationality is not always obvious, and even if it were, why should organisations really care about laws in another country?

The differences in interpretation of the 1995 Directive between Member States were one of the key catalysts for the revision of the legislative framework. And, indeed, one of the key provisions of the Draft Regulation is for there to be co-operation between the national data protection authorities in the Member States to ensure consistency in the way the Regulation will be enforced. But in the revision, there has been an element of prescriptiveness which is actually more limiting for UK organisations than the current data protection laws – for instance, the Draft Regulation now removes the ability of an organisation to make their own risk assessment on data transfers to countries outside the EEA. Instead it reinforces the need to adhere to sanctioned processes and the Draft Regulation’s own definition of adequacy.

And this is one of the key areas that the ICO felt was not going in the right direction. The ICO have doubts about the way the Draft Regulation bases “adequacy” on the nature of the law in a particular country. It feels that “adequacy should be assessed more in relation to the specific circumstances of the transfer and less on the adequacy or otherwise of the law of the country the recipient is established in.” So, in other words, if I am transferring data to a reputable global firm in a country whose national data protection legislation is not adequate, why would that really be a problem?

Aside from the general concerns about the practicality of many of the proposed changes, the question of adequacy seems to be the hottest topic to debate. This is one of the aspects of the Draft Regulation that the ICO believes most needs to be amended to deal more realistically with current and future international data-flows. It (and we) believe that a future data protection framework should focus much more on risk assessment by the exporting data controller and that it should be clearer about data controllers’ responsibility, wherever they choose to process personal data.

EU Data Protection Regulation – The Right to be Forgotten

Continuing with our series of posts reviewing the potential effects of the proposed EU Data Protection Regulation, one of the areas it addresses is an individual’s “right to be forgotten” by a business.  The specific wording is as follows:

“The data subject shall have the right to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data”

This has clearly been written with Social Media in mind, for example, ensuring that Facebook users are able to completely delete their profiles if they so wish. However, the effect on email marketers and direct marketers in general could be disastrous. If somebody unsubscribes, or asks to no longer receive an advertiser’s communications, then clearly that individual’s details need to be held by the organisation in order to suppress them from future comms. Forgetting them completely, i.e. erasing all their data, could have the polar opposite effect from that which the consumer is expecting! An individual’s details need to be held in order for the organisation to “remember to forget”. Also, industry suppression files, which are there to benefit consumers, could be put at risk by the Regulation.

The problems do not end there. There would also be an issue with information that has already been passed on to third parties, e.g. via list brokers or through partnerships. Also, consumers risk being misled. For example, some data in financial services has to be kept for a specific period of time in order to meet with legal and FSA regulations.

In summary, not only does this section of the Regulation risk failing to achieve what it sets out to do, it could also damage consumer trust and increase the complexity and volume of data processing which needlessly increases the financial burden on companies.

A further chance for your input on the proposed EU Data Protection Regulation

For some marketers, at the very mention of future legislative framework changes the mind immediately begins to wander. Add to that the words ‘Data’ and ‘Protection’ and it could instil fear, uncertainty and possibly a fair amount of doubt. The fact that the EU is involved is likely to add further concern. Such themes or topics as data portability, the right to be forgotten and how personal data is defined impact directly on many of us in marketing and these proposals are just too big to be ignored.

The DMA has put itself at the very forefront of the debate and led a cross industry working group bringing together many other industry bodies including IAB, IMRG, Federation of Small Businesses, COADEC and other bodies. This initiative has been led by the team at the DMA along with lobbying efforts on multiple fronts headed by the Director of Public Affairs, Caroline Roberts. All DMA members have been asked for input into the information that went to the Ministry of Justice at the start of this year, which was submitted in September, and the DMA’s Chair Scott Logie chaired a meeting with government late in October.

This is possibly the single biggest issue facing all DMA members, irrespective of channels used to communicate to customers, which is why at the Email Marketing Council level there have been discussions on the impact and we plan to use this blog to collect some of our thinking on the various elements of the proposed legislation.

This is where you, the readers of this blog as email marketing constituents, come in – as elected representatives we want your input. As with any elected group, we have our thoughts and ideas which we’ve debated and discussed at council level. The proposed legislation presents some very evident challenges for email marketers. What we, as a council, agreed to do is post a series on the key themes over the coming months which debate some of the key points – each written by one of our council members, specifically debating a subsection of the proposed regulation along the lines of: here is what the EU’s proposal says and here is what it could mean for email marketers.

I am proud to serve a very active council and such a vibrant interest group as email marketing. The council has been active on a number of fronts and this blog is itself very well-read. The discussion and debate from within the email industry (which is you!) is what makes this an exciting and dynamic industry to be part of. I’d therefore urge and encourage all stakeholders to provide feedback on the forthcoming blog posts – I’d love to hear your thoughts and feelings on these themes. You are of course also welcome to contact either me directly or any member of the DMA team.

Richard Gibson, Chair Email Marketing Council and Director Client Services, Return Path.

Google continues to ignore email

Google recently announced it is to close the long running Google Friends newsletter. Launching in 1998, whilst Google was still on Stanford’s servers it has been delivered monthly. That is until now. From next month, the newsletter will cease to exist because subscriber numbers had stalled. But a wider look at Google suggests it doesn’t pay much attention to using email as a channel to communicate with its users.

First, let’s take a quick look at the Google Friends newsletter.

Google outgrew this newsletter a long time ago. Each month, the newsletter provided a mix of tips and news across Google’s vast array of products. One month it was Google Toolbar, a Daily puzzle, Google Docs, Earth Day and a power tip for Google Map Maker. Another month it was a power tip on Google Voice and news on Google Places, Youtube, Google Translate and a Doodle for Google contest.

Unless you were interested in everything Google, this newsletter was not for you.

There is perhaps a small niche of people that might like the vast array of news updates across the whole of Google. Given the size of Google, and Larry Page’s new more autonomous business unit approach, collating and combining these centrally may just have become too expensive versus the benefits. Of course these are their most ardent fans, so ignoring them is an interesting approach.

Overall though, Google’s approach to email is scattered and unorganised at best.

Google pushes out a huge amount of information, highly targeted not just by product but also by country. You can find the full list here, it is truly impressive in scale. You can subscribe to receive this information via Twitter, Facebook, RSS and (of course) Google Buzz! Surprisingly there is no mention of email at all. Given the scale of email (3.1 billion email accounts – click for more stats), its ability to remind users of your products/features and persistently store your message so you can come back to it, not promoting email subscriptions seems like a lost opportunity. Sure, it can be misused but so can all channels.

Relying on Twitter or Facebook for Google updates can easily lead to missed updates: unless I spend all day watching for their updates (not likely!) or proactively remember to visit their profiles on these networks, Google is merely hoping I catch their updates in my newsfeeds. Further, you cannot search the Facebook newsfeed at all and searching Twitter only results in tweets going back a few days.

Subscribing via RSS is an option for me as I am a heavy RSS user, but the usage numbers are low generally, especially with a mainstream audience. So low in fact, that the last metric I can find on RSS numbers is from 2005. A rather tiny 275m worldwide.

Finally there is Google Buzz! Is anyone still using Google Buzz?

So where is email? It is there, but to find it you have to click through on some of the blog links where you will sometimes bring up the option of subscribing via email. There is obviously no standardised approach to this. The Blogger buzz blog had it in the right sidebar, the Google Analytics blog doesn’t have it anywhere. It is hit and miss based on the template used.

Email is different.
Different channels offer different benefits. Twitter and Facebook are great for offering casual connections to brands. Brands you really want to hear from? Not so good. For those situations, email is the right tool for the job.

If you are spending all that time creating content, getting in front of as many people who want to read it would seem to be a good thing. People can always unsubscribe. Google even provides that service inside Gmail.