Each of the ‘Privacy Fails’ we discuss in this series of short articles is real. They are based on things we have seen at The Privacy Compliance Hub. They are based on reports from regulators of the complaints they have received; the data breaches reported to them; and the fines and other enforcement actions they have levied. These things do happen. A lot. Don’t let them happen to you. Don’t be a numpty.
The privacy fail
In short, sending emails (or other forms of electronic communication) to individuals when the law says you can’t, or when you don’t have the right to do it.
We recognise that there is an inherent tension between marketing and data protection law. This is not helped by the confusion created by current data protection law as it applies to email marketing.
One important responsibility of a marketing professional is to generate qualified leads and sales prospects. To generate qualified leads it helps to create and maintain a very long marketing list of unqualified leads to which you can send content which hopefully converts an unqualified lead into a qualified lead or sales prospect.
Data protection law is in place to protect individuals (some of whom may be vulnerable) from unsolicited marketing communications.
One person’s interesting direct marketing content is another person’s spam. You get the idea.
A privacy statistic
E-marketing complaints were the fourth most common complaint to the Irish Data Protection Commissioner in 2019. There were 532 complaints, comprising 8% of the total number of complaints made under the GDPR.
Real life example(s) with real life consequences
Just-Eat – in 2013 a number of complaints were made to the regulator in Ireland about unsolicited marketing emails. In 2018 another complaint was made by an individual who, despite unsubscribing from receiving marketing emails, received a further marketing email from Just-Eat. Just-Eat was successfully prosecuted. It claimed that the failure of the unsubscribe was due to a technical problem.
Vodafone – a 2019 Irish complaint from a user alleging that Vodafone had ignored the user’s preference settings and sent an unsolicited marketing email and text message. Vodafone had previously been prosecuted in 2011, 2013 and 2018 for direct electronic marketing offences. Vodafone acknowledged that the 2019 complainant had opted out of receiving electronic marketing, but had been sent the communications due to human error. Vodafone pleaded guilty and was prosecuted on five charges.
ClickQuickNow – fined around £40,000 for its withdrawal of consent mechanism being too complex.
How to avoid this privacy fail
Train your marketing team. A good place to start would be to get your marketing team to read the short article we wrote on the topic entitled, ‘How to send marketing emails under the GDPR’.
Don’t let human error cause your organisation to be prosecuted. Make your team understand the consequences of getting it wrong and the benefits in terms of trust and increased response rates in getting it right. Make them care by explaining the possible consequences of a complaint to the regulator. And make them do what they are trained to do. This is all part of creating a culture of continuous privacy compliance.
Think very carefully about your lawful basis for sending your marketing communications. Have a short policy on how to build and use email marketing lists. Consider how you deploy any CRM that you use. Whilst some features of CRM solutions sound really attractive, if you put yourself in the shoes of an individual on the end of those features they may start to feel a bit creepy.
Make sure that emails have unsubscribe links. Make sure that they work. Test them! And make sure that your privacy notices make it clear how you use personal information for marketing purposes.
A culture of continuous privacy compliance
At The Privacy Compliance Hub, we help organisations establish and maintain a culture of continuous privacy compliance by making everyone in an organisation understand privacy, care about privacy and do their bit to protect personal information. Our platform contains a structure, a programme, a route map, records, information, reporting and training to enable all organisations to build that culture and comply with privacy rules including the GDPR and the CCPA. It reduces the risk of data breach.