GDPR: here’s the problem with giving consent

— April 21, 2018

Let’s get one thing straight – GDPR is not a new rule about obtaining consent to market to people. That law already exists under the Privacy and Electronic Communications Regulations (PECR) and the ePrivacy Directive. What GDPR does is give individuals more control over how their data is used, and if it is used.

Under privacy and data protection laws already in place before May 2018, marketing to individuals is wrong if they have not given you permission or, especially, if they have asked you to stop. Passing their data to third parties without their permission is illegal.

The biggest change that GDPR brings is that data controllers and processors are legally obliged to be transparent about what private data they hold and how they process it. Ever been annoyed that you ask for an insurance quote on a comparison site, only to receive spam from multiple vendors as a result? That is the kind of activity that GDPR is designed to prevent.

If I sign up on a site and agree to a clause that says, “we would like to send you other offers”, I am agreeing to that brand communicating with me and sending me offers. I am not agreeing to that brand selling my data to third parties or for that brand to send me third party adverts masquerading as its own offers.

Let’s examine one brand – National Express

Coach company National Express sent me an email promoting a prize draw. (I am on its list as a customer, and I haven’t asked it to stop emailing me.)

I suspected this was the company’s attempt to improve the consent it has received from customers, or perhaps start again. Here’s the main copy from the email.

National Express prize draw email | DeviceDaily.com

In the bottom segment of the email is also this text, which links to the same page as the main offer. This is how I concluded that this is all about gathering new consent.

National Express opt in promo | DeviceDaily.com

Here’s where it gets interesting for me. Look at the entry form for the draw, especially the consent form at the bottom, which is asking me to say yes or no for marketing.

National Express draw form | DeviceDaily.com

This already creates doubt in my mind as a user. Why is there a no option? Am I to believe that I have to actively tick no to STOP them doing what they say? Or am I to assume that they will only do it if I tick yes, in which case why is there a no option there? Perhaps it is to alert them to the fact that there has been some acknowledgment of the form, which would be understandable.

Let’s review this text. If I say yes, National Express will send me offers and other things. The wording suggests only they will send me these offers, but they are vague about whether these offers will be only National Express offers. What if an advertiser comes along and says, “Hey, National Express. We’ll pay you £x,000 to promote our travel insurance to your customers on our behalf?” If it isn’t a National Express product, have I given the company my consent for it to market to me in this way? (The answer, I can say, is no, by the way.)

The privacy policy doesn’t match the consent form

The prize draw, with its consent form, links to the National Express privacy policy, so I went to read that. Under the heading “how will this information be used?” is this sub-clause.

National Express privacy policy on third parties | DeviceDaily.com

So, let’s review. I, as a consumer, am asked to give active consent to what looks like a promise of occasional offers from National Express and only National Express, but if I agree to it, I am also agreeing to a privacy policy that says these offers could also come from third parties.

That doesn’t work for me. The only way I can be assured of any measure of control is if one of three things happens.

  1. I opt out and ask National Express to stop emailing me.
  2. National Express creates a system similar to the one on Amazon, that I wrote about.
  3. I contact National Express asking for a full explanation of what data it holds and how it is planning to use it.

In conclusion, how does tightening up consent make any difference?

It doesn’t. People are getting caught up on the notion that it is all about consent. Thanks to the new GDPR legislation, and the forthcoming ePrivacy reform, consumers will have more control over their own information.

That control is the key for me, because I am none the wiser when I tick a box what I am actually agreeing to.

Digital & Social Articles on Business 2 Community

Author: Steve Masters

View full profile ›

(12)