With so much noise surrounding the General Data Protection Regulation (GDPR), the equally impactful e-Privacy regulation seems to have been forgotten about.

It might only be a draft regulation at the moment, but it is due to be enacted in May 2018. So, what is this regulation and why do marketers need to pay careful heed to its contents? 

Let’s get started with what the e-Privacy regulation is 

The e-Privacy Regulation is a complementary piece of European legislation to the GDPR. It is designed to address specific scenarios that exist in the electronic communications world and at the same time ensure that the principles of the GDPR are still valid. 

Why is this regulation important for marketers like me?         

Much of the regulation is focused on securing the privacy of electronic data and communications that travel across the internet and other electronic services. However, the regulation also covers direct marketing activity via electronic means. This activity is currently regulated in the UK by the Privacy and Electronic Communications Regulation (PECR), which sets the familiar requirements for opt in, opt out and unsubscribe rights of the individual among other things. 

What is set out in this regulation will have a fundamental impact on how marketers can communicate to their customers after May 2018.

Another law! Why do we need it?

When PECR was passed as a law in the UK it needed to complement the Data Protection Act 1998 which is the current privacy law that came before the GDPR. However, the GDPR has raised the bar on privacy rights and has meant that the current laws that specialise in electronic communications do not meet the needs of the wider use of electronic communications today.    

Do we know what this law will say?

In a word, no. The current proposal is under negotiation in Europe and it is possible that some of the text may change. However, the GDPR is law, so any changes made should not contradict the GDPR or its principles. The proposal is all that we have at the moment and as the target to get it approved is May 2018, it is important to understand the possible implications and make plans accordingly.

What could be the implication to marketers?    

One of the main changes that this regulation will bring, is likely to be the impact on business-to-business marketing (B2B). In line with the GDPR’s wider scope of personal data, data relating to someone at their place of business is that person’s personal data. This is reflected in the new directive, where there is no distinction between B2B and B2C personal data. 

If we put that in the context of B2B email marketing, whereas before you could email someone as long as you gave them the opportunity to opt out, now the rules are the same as B2C.

This means that you need to use either consent, or the so-called ‘soft opt in’ principle. Both the Article 29 working party and the European Data Protection Supervisor have asked that the regulation makes this treatment of B2B personal data clear. The idea that a right can be given to you by one hand with the GDPR and taken away with the other under the e-Privacy regulation is counter intuitive.  

What exactly is a ‘soft opt in’ approach? 

The GDPR concept of legitimate interest is reflected in the e-Privacy regulation by allowing the soft opt in process for both B2B and B2C marketing, so long as the following conditions apply;

  • The business obtains the electronic contact details during the sale of goods or services
  • The business only promotes its own similar goods or services
  • The business must give the customer the opportunity to object at the time and in an easy manner 
  • The business must present that opportunity to object with each communication (e.g. an unsubscribe link)

This legal basis for sending direct marketing is valid for all electronic channels, namely email, SMS, social media and instant messaging apps. However, you must tell the customer which channels you intend to use at the point of collecting the information. 

Consent is not just a tick box

The other legal basis for sending electronic marketing is consent. Consent relating to the e-Privacy regulation is the same as in GDPR. Consent is therefore defined as;

“any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”

Let’s break that down into something we can all understand!

You will need to provide comprehensive information (specific, informed) about what the person is consenting to, as well as ensuring they wouldn’t be disadvantaged if they didn’t consent (freely given). There must also be no doubt as to what they are consenting to (unambiguous) and no doubt as to whether they have actually given consent (clear affirmative action).

Voice-to-voice marketing calls 

Voice-to-voice marketing calls can still be undertaken as long as the end user has not objected to voice calls. Therefore, all marketing voice calls must be screened against TPS as well as CTPS first, to ensure the person has not opted out of marketing calls. You will need to provide caller line identification or a mandatory prefix (yet to be decided).

Tracking technology 

The e-Privacy regulation not only covers transmission channels, but will also impact the tracking that goes on relating to many technologies. Cookies, web beacons, hidden identifiers, device fingerprinting and any other device that is developed to track the activity of the individual will need consent from the end user.

Unlike the previous e-Privacy directive, the new regulation acknowledges the usefulness of browser based settings for obtaining consent for web based tracking. Although it would mean the default settings for browsers would be to restrict intrusive cookies.

The use of beacons in store will now require that notices are placed in prominent places, informing the customer of the tracking that is going on and telling them how they can object to it. 

Regulation versus directive

Finally, the fact that the new law will be a regulation will mean that it will be more or less written into UK law in its entirety. The previous EU e-Privacy law, was a directive, so the individual member states were able to create local laws based on their own interpretation of the directives. With the GDPR, there is not much wriggle room for local Governments to water down the legislation.

You cannot make plans to change your processes and update your legacy customer data to be GDPR compliant without also taking the e-Privacy regulation into account. The fact that it is still not set in stone will make this hard to do, but those who start preparing with what we know now will be in a better place on May 24th 2018. 

Tim Roe

Published 16 August, 2017 by Tim Roe

Tim Roe is Compliance and Deliverability Director at Redeye International and a contributor to Econsultancy. Follow him on Twitter, Google+ or connect via LinkedIn

23 more posts from this author

Comments (52)

Comment
No-profile-pic
Save or Cancel
Avatar-blank-50x50

Steve Harris, Director at X Associates

Interesting reading! However, it is this kind of misinformation which is causing so much uncertainty, although I appreciate that probably wasn't your intention. If you had done your research you will know that they are distinguishing between businesses and consumers. sole traders and partnerships will be treated under the same rules as consumer data but LTDs, LLPs, the public sector, charities, etc will not need a direct opt in. They will need to be able to opt out and for there to be a legitimate interest. Not sure where you got your facts from but I would be keen to see the source. Unless you were saying that in your article, it just wasn't very clear. Your view seems to be, the b2b marketing sector is doomed which is not the case. The main threat to B2B marketing is from the uncertainty everyone is creating.

about 1 month ago

Tim Roe

Tim Roe, Deliverability and Compliance Director at RedEyeEnterprise

Steve. thanks for your comment. Under GDPR, firstname.lastname@companydomain.com would be defined as personal data (would you agree?). To compliment this, the e-Privacy regulation has defined that the same protection is given to all people (natural persons) relating to the need to opt in or not opt in (Recital 33 Art 16 COM (2017) 10). There is a small amount of ambiguity in this, but in my opinion, it is likely that the views expressed by the article 29 working party and the European data protection supervisor will be confirmed in the legislation. That is “that the recitals should clarify that whenever a direct marketing message is sent to a natural person working for a legal person, the provisions applicable to natural persons will apply” (EDPS opinion 6/2017 p32). I hope that clarifies my opinion. I would be interested in any authoritative source that disagrees with my understanding of the situation as it stands at the moment.

about 1 month ago

Avatar-blank-50x50

Steve Harris, Director at X Associates

Thanks for the reply Steve. Please have a read of this article from the DMA when you have chance https://dma.org.uk/article/worst-eprivacy-b2b-fears-averted. The initial leaked version of the ePrivacy Directive was as harsh as your article states, but they changed their view on the final version (unless something has changed I am not aware of). Keen to hear your thoughts.

about 1 month ago

Avatar-blank-50x50

Steve Harris, Director at X Associates

Sorry Tim, I'm Steve - It's been a long day!

about 1 month ago

Tim Roe

Tim Roe, Deliverability and Compliance Director at RedEyeEnterprise

No problem Steve, I know the feeling! That article was written just a few days after the release of the final version of the draft and before the other documents that I referenced, were published. There has also been considerable discussion on the draft since then and I believe it is now better understood. I can’t talk for the DMA author of that blog, but another blog might say something slightly different if it were written now. It’s going to be the new Data Protection Act and the ICO’s Direct Marketing code that will finally decide how things are going look in the UK, so it is possible that the UK might take a more pragmatic approach to the B2B sector than the EU regulation. Either way, the new data protection laws are still going to be a considerable shake up for many organisations.

about 1 month ago

Pete Austin

Pete Austin, CINO at Fresh Relevance

@Steve @Tim. The relevant quote is, "In this Regulation, direct marketing refers to any form of advertising by which a natural or legal person sends direct marketing communications directly to one or more identified or identifiable end-users using electronic communications services".

I think the relevant words are *directly* and "end-users". So it does not include messaging where (1) the recipient is not targeted directly but as part of a group (e.g. job-title+sector), or (2) where the message is not sent to an end-user, but a business contact address. So B2B marketing will continue, but marketers will have to be a bit cleverer than spamming a third-party list.

Here's the regulation. Click the first link, labelled:
"Proposal for a Regulation of the European Parliament and of the Council"
https://ec.europa.eu/digital-single-market/en/news/proposal-regulation-privacy-and-electronic-communications

about 1 month ago

Avatar-blank-50x50

Steve Harris, Director at X Associates

Thanks for the reply both. From all the research I've been doing it seems that the approach will be softer for business data including named emails at the businesses whilst looking towards legitimate interest. As you say Tim, it's for the Member States to confirm exactly how they will implement this part of the legislation. I hope for a business pragmatic approach. I am amazed that with so little time left there are still not defined answers, especially as this has been on the table since 2011/2012!

about 1 month ago

Tim Roe

Tim Roe, Deliverability and Compliance Director at RedEyeEnterprise

Thanks for that Pete. You are suggesting that B2B electronic marketing, is not direct marketing? There is feedback on the proposal from the EDPS and WP29 that the scope of direct marketing should be broadened to meet all eventualities.
I’m interested that you feel that if a recipient is not targeted directly, but as part of a group, then someone is not being targeted directly. You could use the same for B2C marketing, if you select a list with more than one person in it, in that case. End users are those people who use the equipment that receives the electronic communication. An end user, in most cases is a natural person, who if they are identified by the firstname.lastname “personal data” type email address, will fall under this regulation.
The reason for the B2B carve out from the previous regulation, was that the UK lawmakers decided that the “end user” was in fact the bill payer, which would mean that B2B data was not personal data, but business data (so not protected under privacy law). The wider scope of personal data under GDPR means that business contact data that identifies a living individual is in fact their personal data and therefore has protection under GDPR. The greater protection afforded by the GDPR should be enhanced by the e-Privacy Regulation (that’s the point of it), so therefore I believe that the scope for the B2B carve out from the regulation is limited, if non-existent.

about 1 month ago

Avatar-blank-50x50

Robert Madge, CEO at Xifrat Daten

I line up totally behind Tim Roe on this subject. The proposed ePrivacy Regulation, as published by the EU Commission, categorically defines that unsolicited direct marketing emails sent to a named person at a business email address will require prior consent (ie, opt-in).

The only exception is the "soft opt-in", that applies equally to consumers and named people at businesses, where the person is already a customer.

Since this will be a regulation, there will be no scope (until Brexit) for the UK to legislate otherwise.

The "misinformation" on this subject has come from this DMA blog (and perhaps elsewhere), due to a mis-reading of Article 16.5 that reads "Member States shall ensure, in the framework of Union law and applicable national law, that the legitimate interest of end-users that are legal persons with regard to unsolicited communications sent by means set forth under paragraph 1 are sufficiently protected." The expression "end-users" in this Article refers to the recipients of the emails, not the senders, and so allows member states to also extend restrictions on direct marketing sent to businesses without naming an individual.

about 1 month ago

Pete Austin

Pete Austin, CINO at Fresh Relevance

@Tim. The quote from the regulation that I published above says that marketing is only "direct marketing" when it's sent directly to one or more identified or identifiable end-users.

* "directly" == not indirectly. So indirect targeting by e.g. business sector is OK. I'm thinking about e.g. leadgen advertising on LinkedIn.
* "end-user" == only a natural person. So targeting a legal person (e.g. a business) is OK. I note your point about a previous perverse legal judgement where "end-user" was understood to mean bill-payer and hence often a business, but I don't think that precedent applies here. This is because, if the authors had wanted to protect the privacy of businesses (whatever that is - do businesses have the right to a private and family life?), they would have made that clear in the wording, which they didn't.

A final quibble: the situation with named email addresses is interesting.
* Clearly your example of firstname.lastname@company.com is identifying.
* But what about Peter123@gmail.com or Tim_1977@yahoo.co.uk? I would argue there are sufficient people who share our first names that those would not be identifying.

It's not clear to me where the dividing line occurs. Aside: This is a big issue because of the GDPR "right to data portability". Suppose I have data about "Tim_1977@yahoo.co.uk" and you phone me, saying it's your data and you want a copy. How on earth do I check you are the same Tim - especially as I have experience of yahoo deleting unused email accounts, so even if you control the account now, this is no guarantee of who owned it back when the data was stored?

This debate will continue until the first court judgements are announced!

about 1 month ago

Avatar-blank-50x50

Robert Madge, CEO at Xifrat Daten

Pete, the Article 29 Working Party, in their guidelines on the right to data portability, contain a section on "How can the data controller identify the data subject before answering his request?"

See: https://ec.europa.eu/newsroom/document.cfm?doc_id=44099

Most online services work with accounts, controlled with username and password etc, and provide means for people to recover one or the other if they are lost. This is normally considered satisfactory identification.

There is a difference of course between "identifying" in the sense that it is sufficient to identify someone and being personal data. Peter123@gmail.com might not give you enough information to find the person in question, but it is information related to an identifiable person and with some other database as a cross-reference you might be able to find the name and other details about the person.

about 1 month ago

Avatar-blank-50x50

Darren Revell, Founder at RecruiterWEB

GDPR and e-privacy risks being like speeding laws. Which is to say millions of drivers break the law daily by speeding and run the risk of being caught and millions of firms will break these data laws daily and run the risk of being caught. Why?

I have worked in B2B sales for 30 years, I have worked with and trained thousands of sales people and what I and people like me know is that sales are generated because of repeated sales calls, emails, mailshots, etc. taking place daily. My record is I have tracked a client for 14 years to buy a website.

Millions of sales people have to retrain to sell another way, and most sales people are under the threat of being fired because the life of a sales person is high risk when it comes to job retention ( you are only as safe as your last sale). Those are the people you are going to ask to give up tried and tested, with a leap into the darkness. In which case I predict lots of speeding sales people in the GDPR privacy highways.

Now don't get me wrong these laws are a good thing, and they are easy to digest at a technical level when it comes to keeping data secure, and if they stopped at keeping data secure, they would be adopted by the majority in a nonfuss, almost full take up. But that is not what they are; they change the principles of sales and marketing in the case of B2B which have existed for decades.

The situation is also not helped by the experts on GDPR who can't agree on what personal data is. In the last two days, I have conducted a mini survey on LinkedIn. So far all respondents are either paid by their employers to make/ensure GDPR compliance, provide GDPR consulting services, or run educational courses that cover GDPR. So far the result in just 24 hours is ten say B2B contact data is personal data, six say it is not.

This ambiguity gives rise to the second problem I see, which is with such ambiguity a simple legal defence to GDPR/ePrivacy etc is the terms and conditions set out to govern all this are impossible to understand, the proof? The industry experts who cant agree. In the same way, there are some drink drives that have lawyers who get them off; I predict a raft of law firms who defend you on this ambiguity and impossibility to understand the basics. Or worse still there are now a record number of people driving with sufficient points on their license to requite a ban, who are not banned due to layers finding new ways to defend bad drivers. Just under 18000 investigations by the ICO in 2016/17 and 16 fines according to their blog see and correlation? Or is it wishful thinking of an old sales fart?

about 1 month ago

Tim Roe

Tim Roe, Deliverability and Compliance Director at RedEyeEnterprise

Darren, I totally agree that there is much confusion out there at the moment (evidenced by your poll of experts!). Firstname.lastname @ domain is personal data under the current Data Protection Act 1998, as would someone’s direct phone number, if you can link it to their name or any other personal data identifying to it. Because of this, under the current law, someone can request that you stop using their data for marketing purposes and you must stop. It’s also the reason why you should check a number with CTPS before you make an unsolicited sales call. The ICO answers questions on Data Protection, via phone, email or even live chat! If you are unsure about what you are being told, you can get information from the horse’s mouth. Before May 2018, businesses still have opportunity to ensure their contact data is brought in to GDPR compliance. The risk of doing nothing or relying on ambiguity as a defence, is that the clock is ticking and you are able to do far more now than you will be able to under e-Privacy or GDPR. The ICO will only use the “big stick” of fines as a last resort, they have always stated that they prefer to educate and advise first (hence the correlation of fines to investigations).
They are far more likely to go after firms that ignore the situation and advice available, either from them or organisations such as the DMA. Those businesses that are actively trying to comply, seeking advice, trying to find solutions, are likely to receive support, rather than feel the “big stick”.
Please find below the link to the ICO contact us (if you haven’t got it already). I have always found them very helpful.
https://ico.org.uk/global/contact-us/

about 1 month ago

Avatar-blank-50x50

Darren Revell, Founder at RecruiterWEB

Thanks, Tim, yes I have taken my questions to the ICO thanks. They confirmed they would look at my questions for me and run them by their policy unit. The chat has been down for a few days, and while they quote 14 days, there are those waiting months for replies.

The questions I have submitted are about the recruitment industry as we have corporate contacts and candidate data. The ICO confirmed they have no focus on our industry which I think is poor given the nature of the work we do, but hey ho maybe we can generate some via the questions I am asking. Agin the issues that arise here are over consent and legitimacy of use; there seem to be lots of room for interpretation and misinterpretation.

Firstname.lastname @ domain is personal data under the current Data Protection Act 1998 cool but what about dr@ or or darrenr@ Drevell@ or d.revell @ or revelld@ etc?

Of course, the business might argue with the act that the email and the direct dial is not personal data because if and when the employee leaves they can take that with them, and it is only available for company use. I am sure all these legal challenges have been thought of made and probably failed.

It still does not solve the problem that is at the heart of all objections and/or the reason I fear people will ignore the law in their millions which will be sales and marketing rely upon speaking to people. People who when given the cold choice of do I want to be sold to will say no, but in practice buy million and millions of products and services because of cold, unsolicited marketing calls, emails or letters, etc.

In the recruitment industry, there are about 500,000 staff members who work at 30,000 firms, from work I have done in this space for the past 24 years I can say of the thousands I have come into contact with over 60% of what the industry does is take a candidate to market, by which that means the canvass employers to say we have person with X skills who can offer y benefits to your company. The UK recruitment industry generates 35 billion in income from such methods.

CRM integration with the CTPS should be easier and like £99 a year, not £2500+. Which is why people ignore it.

The problem as I say is GDPR and privacy is a good thing, the core of it is to keep me and you safe. But it's implementation is via a bubbled view of the world by people who have never sold, marketed and or had their financial security dependant on having to make cold calls. Going back to the car analogy it is the same as the delivery drivers given a company van, impossible times to get places so they are forced to speed and dont get their speeding fines or parking tickets paid but are expected still to deliver in no parking zones.

about 1 month ago

Avatar-blank-50x50

Darren Revell, Founder at RecruiterWEB

Also Tim with no sense of irony at all to sign up to comment on this blog I had to use a non GDPR approved form LOL.

about 1 month ago

Tim Roe

Tim Roe, Deliverability and Compliance Director at RedEyeEnterprise

Darren, what do you think is wrong with the sign up to make it non GDPR compliant?

about 1 month ago

Avatar-blank-50x50

James Hendrie, Director at II

Hi Tim,

Are you certain named B2B email addresses will require consent? There is so much disagreement over this topic and the ICO have not responded to my request for information which was over 3 months ago - so I have a feeling they don't know. The DMA are also noncommittal.

We are moving forward on this basis but our competitors are not, I fear we will be at a financial and competitive disadvantage because of this ambiguity.

Many thanks.

about 1 month ago

Avatar-blank-50x50

Steve Harris, Director at X Associates

Just called the ICO to get the word direct from the 'horses mouth' about the looming Eprivacy and email marketing. Their answer... We don't know at the moment, no one does.

about 1 month ago

Avatar-blank-50x50

James Hendrie, Director at II

You couldn't make this up.

about 1 month ago

Avatar-blank-50x50

Darren Revell, Founder at RecruiterWEB

Tim the registration box had options pre-checked for me, that I had to uncheck. Given the confusion from GDPR pundits I may be wrong but do I not have to opt-in, not out?

about 1 month ago

Tim Roe

Tim Roe, Deliverability and Compliance Director at RedEyeEnterprise

@Steve, they'll only comment on current law and guidance, so they would be able to confirm the firstname.lastname is personal data under the current law DP98 but they won’t comment on a draft EU regulation.

@James I don’t think you will need consent as such, as the e-privacy directive allows a soft opt in under certain circumstances. The firstname.lastname is also personal data under GDPR, so you will need to establish a legitimate interest for the processing and communicate this to the data subject anyway. You will also need to explain to them that they have the opportunity to object to the processing. I'm not surprised that your competitors are doing nothing, I think there is a shocking lack of awareness and action throughout all sectors. I’m pretty certain that your activity will place your business in a stronger position in May 18, compared to those who are still in denial.

@Darren The purpose of the sign up form is quite clear and informative and the submit button clearly states you are signing up for the daily pulse. The pre-ticked box in this process is confusing and I’m not sure what it adds. I understand your comment, although the risk is low and if anything will cause someone to not get something they wanted, rather than the other way round.

about 1 month ago

Avatar-blank-50x50

Steve Harris, Director at X Associates

Thanks for your reply Tim. When I spoke to the gentleman there, he was really helpful. He didn't say he wouldn't comment. He said he can't comment as it is unknown at the moment. How are you meant to plan your business moving forwards with this kind of uncertainty, especially when you look at how the GDPR changed from draft to full form and took 3 additional years.

about 1 month ago

Tim Roe

Tim Roe, Deliverability and Compliance Director at RedEyeEnterprise

The DMA have today clarified their understanding of the regulation and the latest LIBE committee report. Interesting reading!
https://dma.org.uk/article/eprivacy-lobbying-and-the-threat-to-b2b-marketing-and-telemarketing

29 days ago

Avatar-blank-50x50

James Hendrie, Director at II

Technically, it’s always constituted personal data, as an individual can be personally identified from it? However, with the distinction between private and corporate email addresses set out in the PECR (2003), companies have been able to email business addresses regardless, as long as they are processing their data fairly.

It’s been rumoured that this distinction between address types may be removed via GDPR/an update to the PECR, meaning going forward companies will need consent for business addresses as well.

However, is this is all a moot point if it turns out that ‘legitimate interests’ is actually going to be a viable condition of processing, (as opposed to consent)?

29 days ago

Avatar-blank-50x50

Robert Madge, CEO at Xifrat Daten

Tim - thanks for the DMA update!

James, you may be able to use legitimate interest as your ground for lawful processing under the GDPR but you will still need to comply with the PECR and its future replacement if you are going to use electronic communications to do your marketing (such as email direct marketing).

29 days ago

Avatar-blank-50x50

Steve Harris, Director at X Associates

Thanks for sharing the link Tim. I read this earlier and it confirmed my thoughts. Nothing is set in stone. I imagine there will be a lot of lobbying going on from now until the final version is created. I just can't see the logic in stopping businesses from being able to email business owners and/or employees of another business about a product or service that may be of interest. If this is soon deemed to be illegal, then we'll be moving to a world where every business is trying to compete to get to the first spot in Google. This in my view greatly diminishes competition as how is a small business able to compete with a large corporation who is likely to have an in-house digital marketing team ensuring their websites rank well? In my view, email marketing creates a level playing field where SME's stand as much chance of success as large corps. I do however, completely agree that people at home and private emails should have a firm opt in. I am still hopeful the EU will come to their senses and make the distinction and keep businesses fair game for marketing!

28 days ago

Avatar-blank-50x50

James Hendrie, Director at II

Steve, so true.

The legislation is handing B2B marketing budgets to Facebook, Google and Microsoft/LinkedIn. Maybe Alanis Morrisette could re-release her famous single in May 2018?

28 days ago

Avatar-blank-50x50

Steve Harris, Director at X Associates

Hi James, Wow! Someone who sides with me, it is certainly a rarity on this particular issue. You are completely right. I have read peoples comments on LinkedIn and there is a lot of "can't wait for unsolicited emails to stop arriving in my work inbox". Will they be so overjoyed when their employer makes them redundant due to the lack of new business coming in because of restrictive EU legislation on how businesses can get in touch with other businesses? It always amazes me how offended people get by being emailed from another business from cold. How dare they be proactive and try to make some profit?! Just who do they think they are?! I feel so strongly about this I have taken the time to write to my local MP, MEPs and the employment minister. Of course, they're all too busy at the moment on their holiday jollies to care, but I will be interested to hear their replies. This doesn't just affect data sellers and marketing service providers. This will negatively affect any business in the UK who dares to try and drum up new business by email (and from reading the latest DMA blog, by telephone). Some industries that quickly come to mind, recruitment agencies, insurance companies, marketing agencies, charities, web designers, graphic designers, estate agencies, letting agencies, accountants, printing companies, telecoms and training companies (unless you're one of those new fangled GDPR training companies... CHORTLE). I am just a small cog riding the downfall wave of the business sector and I can't wait to see all of the e-Privacy advocates seeing the beast that will be created to the UK economy. Ah, that feels better!

27 days ago

Avatar-blank-50x50

James Hendrie, Director at II

If we can't call or email to sell our products to people who have never heard of us, how on earth are we supposed to sell without using Google/LinkedIn/Facebook?

Currently we are going to have to remove 90% of our database. Which is fine, but how much will it cost me to find the next 10% of buyers?

My current plan is spend more with Google and cut out all of the small data suppliers that have given me such excellent service over the years. Which will cost me 10x more than a current conversion.... with all profit going to Google who are based in Ireland paying 10% corporation tax.

Absolutely baffling.

27 days ago

Avatar-blank-50x50

Darren Revell, Founder at RecruiterWEB

Or James you can move your email and cold call marketing to North Korea because I don't see anyone going there to collect fines for breaching GDPR, PERC (ePrivacy) etc in the b2b space.

27 days ago

Avatar-blank-50x50

Steve Harris, Director at X Associates

I'm going to put my cards on the table and say it won't come in it's current draft form. Looking at the GDPR as precedence, it was so watered down from the initial fear mongering draft in 2012 and it was two years overdue. The e-Privacy Regulation has been in discussion since January this year. Now with a lot more exposure thanks to articles like the one above, businesses a lot bigger than mine will be putting a lot of pressure on the UK Govt. Not just here either, the same panic will be happening across the EU I imagine. The EU needs to be careful. I can foresee articles in 20 years time with titles as 'what was the major catalyst for the downfall and eventual collapse of the EU'... Pass me a pen.

27 days ago

Avatar-blank-50x50

Darren Revell, Founder at RecruiterWEB

Steve Harris, I agree with you :). I have been in sales since I was 18, now 49. ePrivacy and prohibiting cold calls is the 'Titanic of Legislation', and the water is going to get mighty cold, mighty quick. Google, Facebook, LinkedIn etc. are no lifeboats and I should know as I work in that space.

When I die, I had planned to have something like Spike Milligan "see I told you I was ill". Now I think it will be the "victim of the ePrivacy plague 2018. LOL.

27 days ago

Avatar-blank-50x50

Steve Harris, Director at X Associates

A man after my own heart, Darren! I have been in direct sales and marketing for over a decade. From experience, the kind of people who loathe sales people and are advocates for legislation such as e-Privacy are people who have never made a sale in their lives. Don't understand how the business world works and enjoy a cushy life working for someone else who takes (or took) all of the risks.

I might have to steal your plague idea. It's better than what some others would have to put, "Died because I was offended by an unsolicited email in my business inbox. HOW VERY DARE THEY".

27 days ago

Avatar-blank-50x50

James Hendrie, Director at II

No one I have ever spoken has been able to answer this simple question.

What is the point of stopping B2B companies marketing to potential buyers, on their work email?

The only answer I ever get is that it's "mildly irritating".

27 days ago

Avatar-blank-50x50

Steve Harris, Director at X Associates

James, that's because I firmly believe there isn't a valid reason. If I receive an unsolicited email and I am not interested, I delete it or just don't read it altogether (if I can see from the subject title it is clearly a sales email). I don't sit there and getting really angry banging my fist on my desk at the utter disbelief that another business has had the audacity to get in touch about their offerings. Maybe this is just us though, because we understand that other businesses need to sell, just as much as we do?

27 days ago

Avatar-blank-50x50

James Hendrie, Director at II

Steve, you just reminded me of an email I get each week which sums this whole situation up for me!.

I never signed up for it - definitely - as I never sign up for anything! It's basically a newsletter for small business owners.

These guys obviously spend a lot of time on content creation and have some well-known brands in there, Google, Microsoft etc..

Now, generally I never read content unless I've searched for it myself, but last year a subject line caught my eye, I requested the guide which, in order to access it, I had to give my approval for the company to contact me. So the newsletter didn't have my consent to email me, but before they passed my information on, they asked for me to give my consent!

The guide was informative and addressed a real issue I was currently experiencing. The "content" was produced by an employment law company I'd never heard of. About 3 days after I downloaded it I got a customer service call...

How did I find the whitepaper?
Am I having an internal challenges relating to the content?

Etc...

I am now signed up to an annual subscription.

So, I just looked through my emails and found the company - they have about 30 employees, most of them with job titles like "head of content" "head of user experience" "community love executive" (i made that one up...) but you get the picture etc... most of the lads have beards, topknots etc...

When I look at a company like that I think... "good work chaps" - you've created a product that is free to the user, cheap to send out (I assume they just buy data) and actually useful.

AND... the first thing on the newsletter you see is a massive unsubscribe link.

What I don't think is...

We must regulate against this blatant breach of my personal data!!!!!!

Who would?!

I would imagine GDPR/PECR will put the owners and their 30 or so employees out of business.

27 days ago

Avatar-blank-50x50

Robert Madge, CEO at Xifrat Daten

Steve and James, I completely understand your concern that this will be an impediment for B2B marketing, that will tend to favour the Googles and Facebooks of this world, but I'm not sure that it will have such a big impact on the economy. Opt-in for email marketing has been a legal requirement since at least 2002 in Germany, as well as in Austria, Denmark, Italy and Spain.

27 days ago

Avatar-blank-50x50

James Hendrie, Director at II

The German economy is weighted towards corporations who, for the most part, spend their time trying to circumvent EU regulations.

The Spanish and Italian economies have been in reverse for a decade and have some of the highest levels of youth unemployment in the developed world. They are also some of the least productive with about 50% of the workforce employed by the public sector.

27 days ago

Avatar-blank-50x50

Darren Revell, Founder at RecruiterWEB

German, Italian, Austrian, Danish and Swedish business markets and cultures are different to our own. So that is too big a guess to make about UK B2B and what effect there would be, plus where is the data on a sector by sector basis per country.

Google and Facebook do not have the capacity to take up the void; there are 500+ recruitment firms who deliver IT recruitment services in the UK. Google has room for 15 links on page one via various means of paid ads or SERPS results. So what to the 486 do? That is without your business being attacked for with Negative SEO to dislodge you from the rankings.

In data geek world a company may not call, email, post you marketing material or offers but must wait for you to find them. They will find you by adverts and who has the most spend wins or by people manipulating search engine algorithms. When they do find you GDPR enthusiasts for B2B data being personal data say you can not reapproach the person who then approached you unless you have cast iron consent for everything you might ever want to do in advance or use highly wooly legitimate interest/soft opt in the argument out and oh you have to delete the data when you get it wrong and get fined.

Utterly, utterly, utterly moronic.

27 days ago

Avatar-blank-50x50

James Hendrie, Director at II

Yep.

We are a service based economy, not industrial or commodity based.

Even if it doesn't effect the economy - it will certainly contribute to more inequality.

27 days ago

Avatar-blank-50x50

David Woolley, Country Manager at Sytorus

Hi, B2B is not managed by the GDPR and so does not fit in with the same rules as B2C.

27 days ago

Avatar-blank-50x50

Steve Harris, Director at X Associates

Darren and Steve, great points! I would say that the direct marketing industry brings in £billions to the UK economy each year. To have a large portion of it wiped out in the space of 12 months would cause some issues. Just because Germany doesn't allow cold calling or emailing, does that mean it's not right? It may be the best way for them, but in the UK we have integrated processes, systems and staff that rely on this sector. If it disappears, what happens to those jobs? Some companies might be able to move staff to other parts of the business, others will just get rid. Higher unemployment, less revenue equates to a worse off economy in my view.

Also, another angle on this is the unseen damage it will create. Less people (I predict) will take the plunge to start their own businesses. When I started mine, the only things I knew how to do was to make cold call and run email campaigns. These processes are relatively cheap to do (or free) and gets you direct to your potential buyers. I knew nothing about SEO, Google Ads, building a website, etc and even if I did, I had no budget to spend on a hope and pray approach. I needed to be direct. I don't believe I am alone in starting up this way and if those options hadn't of been available, or were about to be taken away, I wouldn't have started.

27 days ago

Avatar-blank-50x50

Steve Harris, Director at X Associates

*Oh no David, you're going to get us on the personal data debate again!

27 days ago

Avatar-blank-50x50

James Hendrie, Director at II

Hahaha!

27 days ago

Avatar-blank-50x50

David Woolley, Country Manager at Sytorus

Not by choice :)

27 days ago

Avatar-blank-50x50

Steve Harris, Director at X Associates

Haha, I believe you. I am of the view as others that our friends at the EU have decided to class everyone under one banner as 'personal data' regardless of b2b or b2c. if you hold information that identifies an individual then that's enough to fall under GDPR. Unless you have another view on it? I am hoping though that through the process of creating the e-privacy regulation a distinction will be made.

27 days ago

Avatar-blank-50x50

David Woolley, Country Manager at Sytorus

Unfortunately I do. Because this comes up all the time, am always double checking with the ICO in case the position changes. So, business email addresses are not personal data and do not fall under the GDPR. They are currently managed under PECR, the E Privacy directive will be the one that more likely defines it, in the same way PECR differentiates between corporate and individual subscribers currently.

27 days ago

Avatar-blank-50x50

David Woolley, Country Manager at Sytorus

Unfortunately, having seen several misconceptions presented by the DMA, I will remain with the ICO's position. I accept that they are stating the WP29, but will wait to see the E Privacy directive.

27 days ago

Avatar-blank-50x50

Darren Revell, Founder at RecruiterWEB

Germany only recently changed their laws to make having sex with animals illegal. Using Germans laws is not a great president IMHO.

Also, I am testing privacy tools that are planned to protect users from those who are not running GDPR compliant sites or to maximise your privacy settings.

Back on the Google front that now means I see no Google Adwords adverts. Which makes the mainstay of Google's income no longer viable from AdWords if users like me do no know how to reverse that setting or more likely don't bother to.

27 days ago

Avatar-blank-50x50

James Hendrie, Director at II

(sneaks off to cancel holiday to Berlin)

27 days ago

Avatar-blank-50x50

Robert Madge, CEO at Xifrat Daten

David, for clarity, to quote from the ICO (Direct Marketing guidance document): "In addition, many employees have personal corporate email addresses (eg firstname.lastname@org.co.uk), and individual employees will have a right under section 11 of the DPA to stop any marketing being sent to that type of email address." So the DPA (and later the GDPR) do also apply to personally-identifiable business email addresses, but as you say the key point for this discussion on opt-in/opt-out is the PECR.

27 days ago

Comment
No-profile-pic
Save or Cancel
Daily_pulse_signup_wide

Enjoying this article?

Get more just like this, delivered to your inbox.

Keep up to date with the latest analysis, inspiration and learning from the Econsultancy blog with our free Digital Pulse newsletter. You will receive a hand-picked digest of the latest and greatest articles, as well as snippets of new market data, best practice guides and trends research.