When we speak about getting your marketing practices in order before the GDPR deadline, we often get asked: “what about my B2B contacts?”. In order to answer this question, we should look not only at the GDPR but also at ePrivacy law across Europe. What’s important to consider is that there is a difference between your legal basis for processing, for example consent, and an opt-in from your contacts to receive marketing emails.
Processing versus consent
When you ask your website visitors for their information, such as name and email address, on a webform, you need to take care of two things: the GDPR and the ePrivacy Directive. You need to make sure you document your legal basis for processing this information in the first place. In the case of a web visitor this will most likely be consent or potentially legitimate interest. When you want to obtain consent, the GDPR gives us a number of conditions. The consent has to be freely given, it has to be specific, and you need to make certain information available to your data subject, for example in your privacy statement.
Currently, according to the ePrivacy Directive, email marketing requires an opt-in as well. This should be documented through a separate action (checkbox). Why? You can’t make the opt-in required. Technically you aren’t allowed to make giving consent required either, but in my opinion there is no way to have your visitors go through a webform without some sort of processing of the personal data. This is a clear expectation your visitors will have, so I recommend being careful with how you treat the data after you do so and always respecting the opt-in choice.
What does the GDPR say about B2B vs B2C contacts?
The GDPR doesn’t refer to B2B or B2C contacts. The GDPR speaks about data subjects residing in the EU, and a data subject is an identified or identifiable natural person whose personal data is processed by a controller or processor. This includes your leads, customers, employees and anyone whose data you process. This means that when you are processing information about me, there is no difference between email@example.com and firstname.lastname@example.org. This data still points to me as a natural person. It would be different if I gave you a non-personal email address such as email@example.com. With this last example we don’t know who we’re talking about; this email address could belong to anyone in the organisation.
How about exceptions?
So what is the discussion around B2B exemptions based on? It's rooted in the ePrivacy Directive (also called PECR in the UK). It’s a directive, which means that individual EU countries make their own laws based on it. This results in different local laws all based on the one EU directive. When it comes to direct marketing, the ICO (this is the Supervisory Authority in the UK and an excellent resource) provides guidance for the UK. They state that you do not need opt-in for B2B contacts:
“GDPR Update If you are processing an individual’s personal data to send business to business texts and emails the right to object at any time to processing of their personal data for the purposes of direct marketing will apply. The right to object to marketing is absolute and you must stop processing for these purposes when someone objects. See our right to object guidance for further details.
142. These rules on consent, the soft opt-in and the right to opt out do not apply to electronic marketing messages sent to ‘corporate subscribers’ which means companies and other corporate bodies eg limited liability partnerships, Scottish partnerships, and government bodies. The only requirement is that the sender must identify itself and provide contact details.
143. However, it serves little purpose to send unsolicited marketing messages to those who have gone to the trouble of saying they do not want to receive them.
144. Corporate subscribers do not include sole traders and some partnerships who instead have the same protection as individual customers. If an organisation does not know whether a business customer is a corporate body or not, it cannot be sure which rules apply. Therefore we strongly recommend that organisations respect requests from any business not to email them.
145. In addition, many employees have personal corporate email addresses (eg firstname.lastname@example.org), and individual employees will have a right under section 11 of the DPA to stop any marketing being sent to that type of email address.”
What does this mean for your marketing practices? It means that you can send marketing email to your contacts in the UK. You will however need to comply with local EU law. In Germany for example, you are still required to not only obtain an opt-in but even use a double opt-in.
This complicates your marketing efforts across Europe enormously. You might get away with not using opt-in for marketing emails in one country, but you need to adhere to opt-in rules in other countries. This has consequences for the data you need to collect on your contacts, such as location, and it means that you need to keep a close eye on the lists you maintain in order to comply.
The new ePrivacy law coming in 2019
It’s great that the GDPR gives us one single piece of legislation to deal with when it comes to data protection and privacy. Unfortunately, the EU is playing catch-up when it comes to privacy and electronic communication. The good news is that there's a final draft of the ePrivacy law, which was approved by the EU in January 2018. The initial plan was that this piece of legislation would be implemented together with the GDPR. But delays have meant that it's now expected to come into force sometime in 2019.
Since we know this new ePrivacy regulation is coming, and you are likely working on cleaning up your marketing practices in light of the GDPR, we recommend looking into the new ePrivacy law now.
So what does the new ePrivacy regulation say about B2B versus B2C contacts?
1. Natural or legal persons may use electronic communications services for the purposes of sending direct marketing communications to end-users who are natural persons that have given their consent.
2. Where a natural or legal person obtains electronic contact details for electronic mail from its customer, in the context of the sale of a product or a service, in accordance with Regulation (EU) 2016/679, that natural or legal person may use these electronic contact details for direct marketing of its own similar products or services only if customers are clearly and distinctly given the opportunity to object, free of charge and in an easy manner, to such use. The right to object shall be given at the time of collection and each time a message is sent.
3. Without prejudice to paragraphs 1 and 2, natural or legal persons using electronic communications services for the purposes of placing direct marketing calls shall:
(a) present the identity of a line on which they can be contacted; or
(b) present a specific code/or prefix identifying the fact that the call is a marketing call.
4. Notwithstanding paragraph 1, Member States may provide by law that the placing of direct marketing voice-to-voice calls to end-users who are natural persons shall only be allowed in respect of end-users who are natural persons who have not expressed their objection to receiving those communications.
5. Member States shall ensure, in the framework of Union law and applicable national law, that the legitimate interest of end-users that are legal persons with regard to unsolicited communications sent by means set forth under paragraph 1 are sufficiently protected.
6. Any natural or legal person using electronic communications services to transmit direct marketing communications shall inform end-users of the marketing nature of the communication and the identity of the legal or natural person on behalf of whom the communication is transmitted and shall provide the necessary information for recipients to exercise their right to withdraw their consent, in an easy manner, to receiving further marketing communications.
7. The Commission shall be empowered to adopt implementing measures in accordance with Article 26(2) specifying the code/or prefix to identify marketing calls, pursuant to point (b) of paragraph 3.
That’s quite a bit of legal text, but what is important to me is that the text references ‘end-users who are natural persons who have given their consent’. This means there is currently no differentiation between B2B and B2C contacts. Just like in the GDPR, in this piece of legislation, we identify both email@example.com and firstname.lastname@example.org as information that links to an identifiable natural person.
I’m interested in hearing what you think about this. Are you sending marketing email to B2B contacts without recording an opt-in? Do you plan to continue doing so or are you changing your marketing practices?