General data protection regulation guidance

2018-01-30T17:08:06+01:00

Data Collection – the changes to consent rules

With GDPR coming in May 2018, acquisition of data needs to change, and the sooner we address this together the better. GDPR is clear that explicit consent will be needed when acquiring new data and that non-compliant legacy data will need to be re-qualified. Failure to comply can leave both FanFinders & our clients liable for fines of up to €20 million or 4% of turnover, whichever is higher.

We’ve been running clients’ acquisition campaigns compliantly since June 2017 so any data collected in the 12 months leading to GDPR will still be usable come May 2018.


  • Cost increases in acquisition of consented data

  • Decreased volumes from suppliers currently using pre-ticked boxes or privacy policies for third party consent

  • Increased budgets needed to meet acquisition targets across all channels


  • Better quality data, improved consumer trust, enhanced brand reputation

  • Higher lifetime value per member

  • Increased quality of communication with consumers

Changes to ensure GDPR compliance

  • Consent requires a positive opt-in, no default consent such as pre-ticked boxes allowed
  • Opt in must be obtained for each communication channel – post, email, telephone etc
  • Consent can’t be a pre-condition of service
  • Specific rights to withdraw consent must be communicated, with importance placed on ease of withdrawal
  • Records to be kept of what people have consented to, what they were told and when

In addition to removing the pre-ticked boxes from acquisition activity, data suppliers will need further specific information alongside the opt-in, outlining the communication channels you want to use, to ensure consent is legal.

It’s not all bad…

Better quality data, improved consumer trust, enhanced brand reputation

Co-sponsorships and bought 3rd party data lists

Anywhere that a consumer has not given explicit consent for you to communicate with them may no longer be a legitimate source of data for marketing programs and could leave you liable to penalties. This includes co-sponsorships and acquisition of data where the brands buying that data are hidden in privacy policies.

The ICO clearly state the following in their guidance for GDPR:

  • Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of consent by default

  • Consent means offering individuals genuine choice and control

  • Avoid making consent a precondition of a service

  • Consent should be separate from other terms and conditions

  • Consent is invalid if the individual doesn’t realise they have consented

  • Consent is invalid if there was no genuine free choice over whether to opt in

  • Consent is invalid if you did not tell people about their right to withdraw consent

Whilst there remains some ambiguity in the industry, when you take all of the available information and put it into the context of real-world acquisition programs, all indications are that this example of a co-sponsored sign-up to a club would fall foul of the rules.

To be compliant, one would expect an opt-in for each brand, including the marketing channels they wish to communicate by, as well as prominently displayed information on where and how consumers can withdraw their consent.

There remains little doubt that the buying of 3rd party data lists will not be compliant and that any data acquired before the deadline will not be useable post May 2018 unless it was acquired within the new consent rules.

What does this mean for legacy data?

  • Your legacy data will need to be re-permissioned within GDPR consent requirements if you intend to keep using it as before. Unless, of course, it was originally collected in a compliant manner.

  • Given the short lifetime value of data in the mum & baby industry, this is problematic for most brands. It’s advisable for those using data to become compliant ASAP so their CRM and data marketing programs don’t suffer next year.

  • If you’re currently acquiring data that isn’t compliant, or if you’re using pre-ticked opt-in boxes on your own website, the sooner you make some simple changes the better. As the deadline looms closer your lifetime value is shrinking.

  • Remove pre-ticked opt-in boxes and check closely with your compliance and legal teams that your data and marketing suppliers are compliant or will be ASAP. Have a plan in place that will safeguard your marketing programs.

  • The ICO have said that there will be no grace period on regulation or enforcement.

What do the ICO say?

“You can rely on legitimate interests for marketing activities if you can show that how you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object – and if you don’t need consent under PECR. See our Guide to PECR for more on when you need consent for electronic marketing.”

Electronic Mail Marketing


“name your organisation and any third parties who will be relying on consent – even precisely defined categories of third-party organisations will not be acceptable under the GDPR.”

“Consent should be obvious and require a positive action to opt in. Consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand, and user-friendly.”

Draft GDPR Consent Guidance for consultation


“You must not send marketing emails or texts to individuals without specific consent. There is a limited exception for your own previous customers, often called the ‘soft opt-in’.”

“You can send marketing emails or texts to companies. However, it is good practice to keep a ‘do not email or text’ list of any companies that object.”


As with most regulation, there’s a certain amount of ambiguity within the 173 recitals of GDPR. What we look at here are the Explicit Consent guidelines and the actions we have to take to ensure compliance. Certain organisations will be able to process data under Legitimate Interest laws, but for marketing purposes this is highly unlikely to be a viable option.

What is certain is that there’s a seismic shift coming in the way we all use data. For marketing purposes this is focused on consent and unambiguous positive opt-in, along with ease of withdrawal of consent.

We suggest using the ICO’s GDPR guidance and checklists to ensure compliance.

This is not a legal document, and we suggest that you speak with your compliance teams about how the regulations affect you. This is general industry guidance based on information collected from various sources.