What the u-turn on EU data law means for marketers

Brussels has completed a u-turn on the new EU data law that would have threatened to wipe out huge numbers of customer data files.

The latest official communiqué on dialogue between the EU Parliament, Council and Commission, the bodies responsible for the forthcoming new law, indicates that the current UK marketing data regulation will be the template for what is to come. 

The previous official report of progress on talks suggested customer marketers would face draconian type rules that would entail new compliance rules that would threaten to wipe out millions of customer files. The report stated opt-in permission would need to be based on consumers electing to receive messages based on given subject matter and given communications channels. According to the latest statement this is no more, and data regulation will be more or less what we have now.

For loyalty managers the previous stance of requiring consumers to agree to opt in to revised consent criteria based on specific subjects and forms of communication before any messaging could take place post March 2018 has been replaced with consent needing to be ‘unambiguous’ as the key qualification.

The latest official communiqué indicates that the current UK marketing data regulation will be the template for what is to come. 

If consumers had ignored or refused requests to opt in to the previously proposed complicated consent rules their information would have been placed out of bounds as far as further use was concerned.

The key qualification for consent now is being clear in proposing that communication will take place with an emphasis on transparency and plain language.  

The policy change is based on the technicality of legitimate interest now being considered reason for companies to use personal data for marketing purposes.

The revised draft of the law more or less mirrors existing UK rules regarding consent, though all opt-in terms and conditions will need to be rewritten. Plus there are non specific warnings that data users will have to more rigidly abide by the law, and make careful assessments of relationships with individuals. Quite what this means, and how it will manifest itself is unclear.

Friendlier for marketers

In addition, plans detailed in the previous announcement would have prohibited use of tracking data, and no profiling or segmentation without explicit consent. Now, any data that cannot directly identify an individual is considered to be within the boundaries of use. However, in terms of profiling there will be the right of consumers to opt out.

Whether online identifiers such as cookies fall into the definition of personal data depend on where they are placed in the online ecosystem. A cookie placed by an internet service provider will be classified as personal data as it could identify the individual, but a cookie placed by an advertiser that cannot be linked to an email address or any other personal information is not likely to be presumed personal data. This represents a massive about face by the European authorities. 

Punishment for breaches of the new law are proposed as being as high as 4% of turnover, which for major corporations applies to global income.

The was also concern that companies would be forced to appoint internal data protection officers, but any thoughts of mandatory appointments for SMEs has gone. For larger companies, and those that specialise in processing data, such a position will be compulsory, though most within these two categories will already have a data protection officer.

Punishment for breaches of the new law are proposed as being as high as 4% of turnover.

There will be a right to be forgotten, and free access data provision, but the latter only applies in reasonable circumstances yet to be defined.  

These two changes to the law may have the biggest impact for some companies. The right to be forgotten involves creating an easily recognisable way of requesting personal information is erased, and the request will have to be acted upon promptly. For most companies this will involve creating a new data protocol, plus many CRM systems do not have an erase facility. Software changes may have to made.

Access data will be free rather than the £10 than can currently be charged. For major users of consumer data, such as financial companies, providing members of the public with details of their data files could add up to be an expensive procedure.

The latest announcement from Brussels is a great deal more friendly for customer marketers than the previous one, and it is unlikely at this late stage in developments that there will be further change, but there is no guarantee until full and final publication of the regulations at the end of March.