Posted by: Malcolm Jarvis CIPP/E
Unless you’ve been living under a rock for the last few years, you’ve no doubt heard that the GDPR is coming and will soon update and enhance many data protection laws across the EU. And yes, even though the UK is leaving the EU, these laws will be adopted into UK law and you’re kidding yourself if you think they’ll get rolled back shortly after Brexit. They’re broader, more strict, cover modern technologies and ways data is now used, and have much, much bigger fines. If you were the ICO, responsible for enforcing data protection laws in the UK, what would you do?
So, as of May 25th 2018, these new laws will be reality. As custodians of vast amounts of personal data, call centre managers need to be particularly aware of how these changes will affect their businesses. In this article, I’m going to look at just one aspect of the GDPR, but one that is highly relevant to outbound call centres: the new rules for opt-in consent. As we’ll see, taking action now will make life a lot easier for your business come May 2018.
Before we start, just a quick disclaimer that I'm not a solicitor nor a legal expert. All advice given here is a result of my own research and discussions with data protection professionals. Where possible I've included references to my sources so you can draw your own conclusions, but seeking your own legal advice ahead of 25th May is strongly recommended.
Things As They Are Now
Laws relating to marketing consent, commonly referred to as “opt-ins”, are currently legislated through the Privacy and Electronic Communications Regulations (PECR), with the ICO providing additional guidance on their website.
As you no doubt already know, numbers on the Telephone Preference Service (TPS) list are considered to have notified all businesses that they do not wish to receive marketing calls, and the ICO is doing an increasingly effective job of shutting down companies breaking the rules.
However, the rules also state that if a person notifies a company that they don’t object to being called, for the time being at least, then they can be. In other words, the individual has “opted-in”, and without further action to “opt-out”, their presence on the TPS list doesn’t prevent them being called.
Regardless of what the ICO’s guidance recommends, the current definition of consent means that the following has become the standard way of achieving opt-in consent:
“I would like to receive updates and information on products and services provided by Company X and trusted third parties.”
This can be a check-box on a website (more often than not, pre-ticked), or a line in a verification statement at the end of a call centre script. Once the statement is agreed to (or not disagreed with, if pre-ticked) that individual is treated as having “opted in”. While clearly not in the spirit of the law, this is commonly treated as being an opt-in to all marketing communications, from any company you share the opt-in with. For life.
While provisions exist for consumers to opt out of consent once it’s given, the nature of the opted-in data market has made this largely meaningless. Essentially, it’s practically impossible at the moment for consumers to opt out, once they’ve opted in.
The key part of the opt-in phrase here is “trusted third parties”, and this, from May 2018, is going to change, and with it the entire consumer data market, in a very big way.
For individuals not on the TPS, no such opt-in is required provided the call is made in pursuit of “legitimate interests” that are not outweighed by harm to the individual’s rights and that the business acts in a way that is “fair, transparent and accountable”. Cold calling to offer an individual a product or service that you believe offers them a genuine benefit and good value is considered a legitimate interest. This means it will still be OK to cold call someone to offer them genuinely beneficial products and services provided they haven’t registered their telephone number on the TPS list.
Note that “legitimate interests” is one of the five reasons that an organisation can process an individual’s data without consent and has a specific legal meaning. We’ll not get into it here, but if you need to process personal data as part of your organisation’s activities whether an individual gives consent or not (credit checks are a good example), then there’s plenty more to consider, with further guidance and information available on the ICO’s website.
However, for individuals who are TPS registered, outbound calling companies will need to introduce a whole new layer of opt-in rules and tracking requirements for their consumer data. As fines are increasing from the current £500,000 limit to €20m (or 4% of turnover, whichever is greater), all organisations should take this very seriously.
The Changes That Are Coming
So, what are the changes that are coming in May 2018? Along with the GDPR, we're yet to see how the Data Protection Bill will incorporate the GDPR into UK law, the PECR is still to be updated by the forthcoming ePrivacy Regulation, and a lot of the specifics won't be known until they're tested in court. With that minor disclaimer in mind, here’s how we understand the changes will affect opt-in marketing consent, specifically in the context of outbound call centres:
Consent Must Be For A Named Organisation
The GDPR states that any organisations to whom consent is being granted (the “data controller” in data protection terminology) must be named as part of the consent agreement. In other words “trusted third parties” consent is no longer valid. If an individual opts-in for marketing communication from Company A, then only calls initiated on behalf of Company A count as being opted-in.
There’s no get-out clause relating to types of company either. For example, “ourselves and selected insurance brokers” doesn’t clear the bar. Only specifically named companies or organisations count as having been granted opt-in consent.
Consent Must Be Given Clearly and Explicitly
When opting-in an individual, there can’t be any doubt in the person’s mind that they have opted-in. If the individual doesn’t realise they have opted-in then the consent is invalid and you will be unable to rely on it for your direct marketing activities.
This means that to be compliant under the GDPR, you’ll need to be able to demonstrate that individuals had no doubt they were opting in to receive marketing communication from the named company, and that any marketing that makes use of that opt-in is relevant to the wording of the opt-in.
If using website opt-ins, checkboxes which are ticked by default are definitely not going to be acceptable. This is known as “consent by default” and is explicitly banned under the GDPR.
It doesn’t stop there. If the opt-in was agreed in relation to a specific offer or time of year, for example a winter sale or a World Cup promotion, then the opt-in only lasts as long as the event itself. Come springtime, or once the final full-time whistle has blown, any such opt-ins will automatically expire. This means that, where relevant, the expiry date of any opt-ins must also be tracked and individuals removed from further marketing once the date has passed.
There’s no mention that I could find of the ICO’s current recommendation that entries on bought-in marketing lists must have been opted-in within, say, the last 6 months, but it will be worth keeping an eye on the ICO’s updates to see if something along these lines appears.
Lastly, you must ensure that the process of giving consent is separate from any other terms and conditions. It can’t be bundled up alongside other T&Cs but must be stated and agreed to separately from any other statements that form your agreement with the customer.
You Must Maintain Clear Records of Consent
Not only does the opt-in need to be specifically for the company on whose behalf calls are being made, you also need to be able to demonstrate when the opt-in was given (no change there), and also the exact wording of the opt-in at the time. For example, if you’re using website opt-ins, then the new guidance advises that the full text of the opt-in be stored against each opt-in record as the text on the website form itself may change over time.
For verbal opt-ins, call recordings would be the most logical solution, but where this isn’t practical, I’d imagine the content of the opt-in agent script would be a reasonable substitute.
It Must Be As Easy To Opt Out As It Was To Opt In
Opt-outs have always been part of the regulations around marketing consent but as opt-ins are now company-specific, opt-outs will now be much more useful from a consumer standpoint. The GDPR states that it must be at least as easy for individuals to opt-out as it was for them to opt-in. This means that individuals must be told at the point of giving consent how to withdraw their consent, and it must be just as easy as opting-in.
For example, where individuals opt-in over the phone, companies can’t demand that individuals request to opt-out via e-mail or that they need to send a letter. They must be given a phone number they can call that allows them to easily withdraw their consent and also given the option to withdraw their consent on any future calls. If opting-in online, through a company website for example, logically the individual must be able to opt-out using the website as well.
The one silver lining of this requirement is that in explaining it to customers, it should (hopefully) be easier to gain their opt-in consent in the first place. If the risk of giving consent is only that they will be contacted by the named company or companies, and that they know they can easily withdraw their consent at any time, then over time the general public attitude toward giving marketing consent should begin to improve.
Consent Cannot Be Made a Condition of Sale or Service
The GDPR rules state that you cannot make consent a condition of sale or service unless the consent is essential to carrying out that service. In the case of marketing consent, these situations will probably be very few and far between, so it’s safe to say that you simply can’t make marketing opt-ins a condition of sale.
One exception is that while giving opt-in consent can’t be made a condition of a contract or sale, you can still offer incentives in exchange for opting-in. For example, offering individuals the chance to join a membership scheme that includes opt-in consent and also money-off vouchers is fine, just as long as individuals who don’t give their consent couldn’t be seen to be being penalised for not joining.
Consent Only Relates To Your Existing Business With The Individual
Consent is specific to your business at the time that the individual opts-in. If your business evolves or grows and offers new products or services, then existing consent to do with your previous business with the individual will not grant you consent to market significantly different products and services to them.
For example, if your opt-in relates to energy-related services but your business plans to expand to include home telecoms, you’d be better off with an opt-in that explicitly mentions contacting customers to discuss domestic utilities, and not just gas and electric. In this regard, a bit of forward planning is likely to be time well spent.
Fail To Prepare and Prepare To Fail
So what to do? If your business is wholly or partially reliant on marketing consent to reach potential customers, you still have time to act. Time, however, is running out and the 25th of May will be here before we know it. Here’s what we think outbound calling organisations should be doing now in order to give themselves the best chance to survive the changes both compliant and (mostly) unscathed.
1. Change your opt-in statements today
Don’t put it off any longer - if you’re currently opting-in customers at the end of each call then now is the time to ensure your opt-in statement is compliant with the new regulations. This means that you also need to fulfil all the requirements to document when and how each individual was opted-in and the exact wording of the statement they opted-in to.
If you’re planning on relying on your opt-ins for future products and services, make sure that your opt-ins cover these as explicitly as possible and include mention of any other companies or organisations that may need to use them in the future. Of course, there’s a balance here. If your opt-in statement is too broad or too long, the chances of actually getting any opt-ins are going to decrease dramatically. If it’s too specific, you’ll get more customers agreeing to opt-in, but you may find that the opt-ins are too restrictive for future business opportunities.
And if you’re not opting-in customers at the end of each call (successful or otherwise), now would be a really, really good time to start doing so.
2. Start refreshing your opt-ins now
Until the GDPR rules come into force, your existing valid opt-ins are still valid. This means that you still have time to call through your existing opted-in data and “refresh” the consent. This involves contacting each individual and opting them in again, following the rules that will come into force at the end of May. When the new rules take effect, not only will your existing opt-ins be valid (for the individuals you’ve got in touch with at least), you’ll also already have compliant processes in place.
A small team of agents working on an opt-in refresh campaign for data that is currently not being dialled will naturally incur additional costs, but could be worth its weight in gold once the rules have changed.
3. Start talking to your data providers now
If you’re currently sourcing opt-in data from outside your organisation, now is the time to start discussing life after the GDPR with your data suppliers. A conversation about what they plan on doing once the GDPR comes into force to continue to source opt-in data for you will give you the chance to plan ahead and help them understand your needs and budget.
Remember that the responsibility is with the company on whose behalf the call is being made to demonstrate opt-in compliance, so just as now, if you can’t demonstrate that the data was properly opted-in, you can’t blame your data supplier for not doing so properly.
4. Look for alternative means of lead generation
As consent will need to be specific to your organisation (or the organisation you’re calling on behalf of), it’s likely that you’ll need to be much more active in generating leads specifically for your business. There are plenty of companies specialising in Google, Facebook, and other forms of social media based marketing, and TV, radio and direct mail still provide traditional options to generate inbound enquiries from which you can gain broader marketing consent.
5. Talk to your clients/stakeholders now
The cost of opted-in data is going to increase, and the amount of opted-in data available to buy is very likely going to decrease. If your current business model is built on “trusted third parties” opt-in data, and you’re carrying out calls on behalf of your clients, you probably need to start setting your clients’ expectations now so that you can plan together accordingly.
This also applies if you’re running an outbound calling operation on behalf of your own organisation. It’s possible that you’ll need an increase in your marketing budget in order to accommodate these changes, and the more notice your finance team gets, the better chance you have of not being caught short.
Just to reiterate, there may still be some changes to how opt-ins work for cold calling. While the GDPR itself was finalised way back in 2016, the Data Protection Bill and ePrivacy Regulation continue to change. Until some enforcement action is taken in the UK, exactly how these will be interpreted is uncertain. However, just the GDPR itself will enforce far more restrictive rules around opt-in consent come 25th May 2018. The clock is ticking…