On the 19th of October 2018 a new draft of the EU ePrivacy Regulation (ePR) was published and it still contains new rules that may greatly constrain B2B sales and marketing teams. The ePR was originally intended to be introduced parallel to, and to compliment, GDPR; However, it has been delayed and may now be introduced in May, 2019. Whilst GDPR is more concerned with the collection and storage of personal data, ePR is the final piece of the privacy puzzle and aims to regulate how personal data is used for, and protected during, electronic communications. As to who must comply with ePR, well it is similar in scope to GDPR and (under the current Brexit deal that is being hotly discussed) we would have to abide by it. This article explores the impact of ePR on marketing and sales teams, although the scope of the regulation itself is much wider…
The latest draft of the ePR shows a large number of changes and revisions have been made, such as clarification that non-targeted ads and targeted ads (such as website display adverts) that are not sent to identified or identifiable individuals, and do not require any contact details about the end-user, will not fall under ePR rules on electronic communications and Direct Marketing (DM) (Source: Annex 32, page 34 of document 13256/18).
This will be of some comfort for those working in digital advertising, who I’m sure are watching the development of ePR very carefully. However, what hasn’t changed in this latest document, and what I want to explore here, is the removal of an exception that Business-to-Business (B2B) sales and marketing teams have enjoyed. Currently, under the Privacy and Electronic Communications Regulation (PECR), B2B sales and marketing teams do not require consent when selling or marketing to corporate subscribers*.
*I’ve double checked this point with the ICO as the guidance itself is not clear and they confirmed it to be accurateboth in terms of their interpretation and enforcement.
A little background on PECR
Briefly, PECR regulates sales and marketing teams in their use of websites/cookies, telemarketing and the use of electronic mail. The PECR rules, as interpreted by the Information Commissioner’s Office (ICO), permits the sending of electronic mail to corporate subscribers for marketing and business development purposes without consent. Under ePR this exception is missing, therefore consent will now be required. I believe this small change will have significant implications for B2B sales and marketing teams.
ePR is being lobbied against by organisations like the Federation of European Direct Marketing Associations (FEDMA) as evidenced in a recent press release. Discussions around the draft regulation are still ongoing. So, things could yet change. However, there is no sign of that happening so far.
The soft opt-in option remains in ePR
The soft opt-in rule described under PECR does still exist; whereby, you can contact existing and past customers with information about similar and related services without explicit consent. A time limit, probably of about one year, will apply to how long after a sale you can contact past-customers. although for industries with long sales-cycles this, it could be argued, is too short and a longer time period used instead. (Source: See Chapter III, Article 16, Page 67 of document 13256/18)
ePR uses the term “Direct marketing” so, this only applies to Marketeers, right?
No – and I think this is a common miss-understanding and the key reason why I have written this piece: to gain clarity on the activities that fall under the scope of the ePR definition of ‘Direct Marketing’ (DM), and how the rules will impact upon those involved in them.
Shortly after the publication of the newly revised ePR document I got in touch with one of the ICOs case workers to clarify how they see it. Now, under PECR, the ICO interpret DM as messages sent to named individuals with the intent to promote the aims, interests, services or products of your organisation. If the purpose of your communication is to generate sales, even if those first messages that you send to a prospect do not include any sales or marketing literature, then it counts as DM. It also doesn’t matter if you wear a Sales hat or a Marketing hat, or if you are sending one email at a time or ten thousand. Currently this is no issue for B2B sales and marketing teams who don’t require prior consent for such activities; PECR extends them an exception when contacting corporate subscribers.
Whilst the ICO won’t (and, quite reasonably, cannot) at this point offer any guidance on the ePR and the definition of DM used within it, my case worker did say that it would be a very safe bet that the definition of DM “isn’t going to get any tighter” in the final regulation.
So what does the ePR say about DM?
“direct marketing communications refers to any form of advertising by which a natural or legal person sends or presents direct marketing communications directly to one or more identified or identifiable end-users using electronic communications services.”
So, highlighting the important components of this definition: “any form of advertising “, “direct marketing communications”, “to one or more … [named] … end-users”, “electronic communications”.
OR simply, DM is: any electronic message of promotion to a named recipient.
It goes on to talk about consent:
“It is therefore justified to require that consent of the end-users who are natural persons is obtained before direct marketing communications are sent to them in order to effectively protect them against the intrusion into their private life as well as the legitimate interest of legal persons.”
So, how loudly are the alarm bells ringing for you? It quickly becomes clear that a large number of B2B sales and marketing processes will now require explicit consent (GDPR set the standard for what counts as consent and it applies here). It also places a certain amount of ambiguity on other activities that many sales and marketing people do every day, or even several times a day.
Some examples of operating under the new regulation:
Where you will need consent:
- Sending a one-to-one message (such as email) to a new prospect, even if it’s just a message to say hello and arrange to meet for coffee
- Sending an email to a historical (>2 years) customer, or former business contact
- Messaging a former colleague, if the end goal is any kind of promotion
- Emailing/messaging contacts during the course of early sales conversations – (or even at later stages, unless you can prove that you have GDPR-level consent)
- Sending news, updates and information updates electronically, either one-to-one or to lists of contacts
Where you may need consent:
- Sending a LinkedIn connection request
- Sending a LinkedIn Mail to someone we are not connected to
- Sending a LinkedIn Mail to a connection(!)
- Sending a twitter DM to, or tagging, a contact in a tweet or other platform.
For the activities listed directly above, the doubt comes from having a few unanswered questions:
- Does the act of a LI member connecting with you count as explicit consent under GDPR? (I’m currently not convinced that this qualifies as ‘explicit consent’).
- Does a ‘follow’ on twitter satisfy the criteria for consent?
- Can a social network like LinkedIn or Twitter put terms and conditions and settings in place in order to make some of the above activities compliant without the need for express consent being sought on an individual basis?
- Can the presence of LinkedIn settings, that allow members to control who can send them messages, negate the need for consent in any of the above scenarios?
You might work in a large organisation that has a rigorous, slick sales and marketing process and only small effort may be required to be compliant. You might work in a smaller team and/or not have such well-defined process. In which case you are going to have to think a bit more carefully about the changes you will need to make in order to get ready for this new legislation. Either way it’s highly likely that this will impact your sales and marketing function in some way.
With my fingers crossed I say that guidance from the ICO might be pragmatic. If a sales person is following up on an enquiry, within the course of normal business development conversations, or is just reaching out to known contacts (who, for example, could be an old friend or colleague) for coffee, then the last thing sales people will want to do is worry about having to enter the details in to their CRM app, with all appropriate boxes ticked. There would be obvious costs associated with such bureaucracy. Do we really need to get and record consent to email an old friend to catch up for coffee and talk business? (I think I already know what the reality will be, but you can live in hope…)
One approach that makes sense is to balance the costs of updated process with the risk of non-compliance (or indeed, your organisations appetite for risk). Are your old contacts going to complain about you reaching out to them? Are leads that you are currently engaged with in productive business conversation going to report you to the ICO? Highly unlikely? One would hope. But, when engaging in an online dialogue with new prospects, the risk will be far greater.
Remember, the potential fines are significant. GDPR reaches far and wide and you could find yourself in breach of GDPR for the misuse of personal information – therefore the maximum fines are those as defined in GDPR. There will be someone in your organisation feeling quite uncomfortable about such big numbers.
Seeing the opportunity in change
I’m aware that this post has so far been a bit doom and gloom; I will attempt to turn it around. It isn’t that hard to reframe this event as an opportunity to revisit your processes (and indeed your systems), make them more rigorous and bring them in to line. It will no longer just be best practice advice for B2B marketing lists to be made up of consented individuals – ePR will now require it. So, now you need to make sure that all the people you are speaking to are recorded in your CRM, and with the appropriate fields filled. You will probably need more fields…
Is your CRM fit for purpose?
You need to be able to store all this new consent information in an auditable way. Most B2B CRM systems, especially in SMEs, traditionally rely on a check-box to mark opt-outs. If you are running opted in mailing lists then you will have these to. As well as security and access issues, which I won’t cover here, you will now need to start recording consent in a much more granular way. Consider switching out the old check boxes for drop downs. Using drop downs that contain ‘Yes/No/Null’ will allow you to also establish the contacts in your database who have yet to be prompted for consent, or have been asked and have refused consent. You will be looking to record, as a starter for ten:
- One-to-one (sales) emails: Consented / Opted-Out / Blank
- Newsletter*: Consented / Opt-Out / Blank
- Marketing emails / related services: Auto Enrol** / Consented / Opt-Out
*You may have more than one newsletter
**you may wish to have your customers automatically opted into some lists for a limited time after sale. However, if you have given them the chance to opt-in at an earlier opportunity and they have not responded positively, then it would be incorrect to do this.
Yes, there will be some legwork at the outset to get things in order. But it’s also a good reason to start working systematically through your existing lists, getting back in touch with old contacts (using the telephone) and clearing out the old. So, some tips on becoming compliant:
This task doesn’t have to be the big challenge that it may initially appear to be. You can take some very easy and practical steps that will get you there. Simple things, like asking a contact you have just met, or had a positive phone conversation with,: “Could I send you a message/email about this?” Or, “Is it ok if I send you the occasional news update?” Both of these questions could get your contact opted in to one-to-one sales emails and your newsletter.
Update systems for process control
The final step is making sure that you can honour consent. In terms of systems, consider moving business development out of email clients and into your CRM. Many CRM programmes (HubSpot / Salesforce etc) make it possible to email from within the CRM. These same tools also have tools in place to prevent sales and marketing emails being sent to contacts who have not consented, specifically, to receiving those particular message types. Sales team members will then need to be trained in these new processes.
Mix up your channels
Remember, placing telephone calls does not require consent (unless you are using some sort of automation system). Your lists must still be screened against the TPS and/or CTPS directories, and a system to opt-out must be followed and honoured. So, an option is to go old school and pick up the phone a bit more.
Events and seminars are another key area where you should also be looking to record consent. By incorporating a little paperwork in the events you run or attend, it becomes easy to record consent for the people you meet. (It doesn’t have to be recorded on paper, but it can help with the admin).
Adopt inbound lead generation models
Consider changing your sales generation techniques to include inbound lead generation. This model loosely involves creating great content, promoting the heck out of it and, with appropriate offers in place, starting to generate leads for your team.
Remember that ePR’s requirement for consent for the sending of electronic communications is separate to the matter of having a legal basis for processing Personal Information (as required by GDPR). You need a lawful basis for retaining Personal Information AND consent for using it for electronic communications.
One last question: Can you contract your way out of ePR?
I’m unclear on this. You can’t with GDPR, and I would be surprised if you could with ePR. Perhaps, for example, LinkedIn will be able to write this in to terms and conditions. Will they be able to make the current LI settings, that give you control over who can send you messages, robust enough to negate the requirement for each member to have another member’s explicit consent in order to contact them.
The DMA held a great webinar this week where they explored GDPR and ePR and I raised this subject as a question, and they responded (~30 minutes in to the recording). I’m not sure their advice was 100% accurate as they seemed to also think telemarketing would require consent. I don’t think the regulation calls for this, but everything else was consistent.
Obligatory Disclaimer: I have studied the new ePR document in some detail, but I am not a lawyer. Seek your own legal advice. There isn’t a great deal of discussion and interpretation out there right now on this latest draft of the regulation, so I welcome any challenge, question or counter-argument on any of the above. Please let me know what you think isn’t accurate and why (preferably with sources) and we can further the discussion.