{"id":2610,"date":"2022-10-26T11:35:00","date_gmt":"2022-10-26T17:35:00","guid":{"rendered":"https:\/\/trustarc.com\/?post_type=resource&p=2610"},"modified":"2024-10-10T13:18:33","modified_gmt":"2024-10-10T19:18:33","slug":"essential-guide-marketing-under-the-gdpr","status":"publish","type":"resource","link":"https:\/\/trustarc.com\/resource\/essential-guide-marketing-under-the-gdpr\/","title":{"rendered":"Your Essential Guide to Marketing Under the GDPR"},"content":{"rendered":"\t\t
\n\t\t\t
\n\t\t\t\t\t\t\t\t\tArticles<\/strong>\n\t\t\t\t\t\t\t\t\t\t

Your Essential Guide to Marketing Under the GDPR<\/h1>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\n\n\t
\n\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\"\"\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\tAnnie Greenley-Giudici<\/strong>\n\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/span>\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

Although the GDPR is not new, its effects on business marketing activities continue to puzzle practitioners. Marketing under the GDPR with consumer information is still possible, but you\u2019ll need to understand the regulation thoroughly.<\/p>\n

What is the GDPR?<\/h2>\n

Implemented in May 2018, the European Union\u2019s\u00a0General Data Protection Regulation (GDPR)<\/a>\u00a0claims to be the\u00a0toughest privacy and security law in the world.<\/em>\u00a0And you don\u2019t have to be based in Europe to be impacted by it.<\/p>\n

As long as your organization targets or collects data related to individuals in the EU, you must abide by the regulations. If you don\u2019t,\u00a0you can expect penalties reaching into the tens of millions of euros.<\/strong><\/p>\n

The GDPR is large and far-reaching and may impact many areas of your company, including your marketing strategies.<\/p>\n

Consent and marketing under the GDPR<\/h2>\n

Can my company capture consent in exchange for content? For example, can I collect an email address to download a white paper or register for a webinar?<\/h3>\n

Yes, but\u2026 to do this, you must be very clear on the specific uses of the information you collect. Businesses must clearly state the purpose at the time information is collected. It\u2019s unlikely any non-disclosed purposes will be consented to if challenged.<\/p>\n

For example, a company can\u2019t use email addresses obtained solely for contest entry purposes to then market to the individual or, for that matter, share that information with partners. The exception is, of course, if the consumer was asked and specifically and actively agreed to this.<\/p>\n

Essentially, businesses need to be very specific when it comes to the intended uses of information collected.<\/p>\n

How should companies manage vendors?<\/h2>\n

What are the key questions a marketer needs to ask email service providers (ESPs) to help them comply with GDPR requirements?<\/h3>\n

If you\u2019re just beginning your business dealings in the EU, you need to ensure your email service provider can comply. In short, ensure your ESP is aware of their obligations under\u00a0Article 28 (3-f) of the GDPR<\/a>\u00a0and that they can help you demonstrate compliance.<\/p>\n

Setting up a comprehensive vendor assessment is also a good idea and it\u2019s recommended companies put in place a data protection agreement, incorporating standard contractual clauses.<\/p>\n

Can companies still market to consumers with legitimate interests?<\/h2>\n

Does \u201csoft opt-in\u201d still exist under the GDPR?<\/h3>\n

The term \u201csoft opt-in\u201d is often used to describe how a company can market to existing customers. Provided you have fulfilled certain criteria, under existing regulations you can market to customers without their explicit consent if:<\/p>\n

    \n
  1. You have already sold your goods and services to that individual<\/li>\n
  2. They gave you their details and did not opt out of marketing messages<\/li>\n
  3. You are emailing them about goods or services that are the same or similar to previous goods or services<\/li>\n
  4. You give them a clear chance to opt out with every message you send them. If individuals have unsubscribed, opted out, or otherwise indicated their desire that your organization stop using their personal information, your organization may not contact them to seek their consent to marketing.<\/li>\n<\/ol>\n

    The \u201csoft opt-in\u201d rule means you may be able to email or text your own customers.<\/strong><\/p>\n

    However, it does not apply to prospective customers or new contacts, such as those from bought-in lists. It also does not apply to non-commercial promotions like charity fundraising or political campaigning.<\/p>\n

    Seeking GDPR-compliant consent<\/h2>\n

    What is \u201cstale\u201d consent, and how does it impact my business?<\/h3>\n

    There\u2019s a lot of buzz around \u201cstale\u201d consent. Stale consent is consent that was previously obtained, but that may not meet the GDPR\u2019s new standards.<\/p>\n

    For instance, let\u2019s say your marketing department had pre-ticked boxes for individuals to receive newsletter updates when they filled out a form to download a white paper. That previously obtained consent may no longer satisfy the clear, affirmative action requirement under the GDPR.<\/p>\n

    For any instances that do not satisfy GDPR standards, companies should seek GDPR-compliant consent. Or, they should no longer use the earlier, acquired personal data.<\/p>\n

    Requesting consent from individuals whose previously obtained consent doesn\u2019t meet GDPR standards is known as a \u201cre-permissioning\u201d or \u201cre-engagement\u201d campaign.<\/p>\n

    How does the GDPR impact data sharing between the EU and the U.S.?<\/h2>\n

    Are there any legal or other issues with accessing EU databases from the U.S.?<\/h3>\n

    In short, yes. The GDPR impacts data sharing between the EU and other parts of the world. As described in\u00a0Chapter 5 of the GDPR<\/a>, companies in the U.S. and elsewhere outside the EU must have a legal transfer mechanism for receiving or accessing EU personal data.<\/p>\n

    This means\u00a0companies must evaluate the methods they use for receiving, transferring and importing EU personal data<\/strong>. They also need to document their transfer basis.<\/p>\n

    Many U.S. companies self-certify to the EU-U.S. Privacy Shield Framework. In fact,\u00a0TRUSTe<\/a>\u00a0has verified thousands of them.<\/p>\n

    GDPR impact on lead generation and business cards<\/h2>\n

    How does the GDPR apply to attendee lists, either provided via email or business cards? Will trade show vendors need to change how they share attendee information?<\/h3>\n

    Attendee lists and delegate lists such as those provided at conferences and trade shows, webinars, webcasts and workshops can be used if:<\/p>\n