Legal eye Q2: B2B GDPR
Q: Can the DCA please provide guidance on what a primarily Business to Business direct operation should be preparing for under GDPR requirements. Most of the information doing the rounds seems to be based on marketing to individual consumers. We are hearing conflicting ideas when it comes to how GDPR will impact businesses like ours which market to individuals at businesses. Notably with regard to the legal difference between the treatment of contact with a human being (consumer) buying for his/her own personal use - versus a person at a business or a company who is buying for business or trade reasons.
Is it correct to assume that Business to Business communications may continue to be addressed to a named person at a business location – whether via email marketing or direct mail – without restriction or any requirement to follow new GDPR rulings? And how is a self employed business customer who trades purely in his/her own name from a home address, rather than as a limited company, LLP or trading style, to be treated – ie: is the tradesperson who buys materials specifically for carrying out his trade activities (ie: tools, parts, boilers etc) treated as a business subject or as a consumer ? Will it mean that a Business to Business marketer who supplies both individuals at companies as well as to self employed people will need to segment their customers files - rely on legitimate interest to continue to email or direct mail contacts at companies but then need to treat other customers (the self-employed) differently?
We already offer a clear unsubscribe option on all of our outbound emails which contain promotions. Catalogues are mailed to those who request them or are included in order shipments with the option to be removed from the distribution list. Is this going to be sufficient going forward to cover all of our customers?
You're right – there does seem to be a lot of confusion in the market at the moment, but hopefully we can help. Your question really raises two issues: (1) compliance with general data protection law (both in its current form and as it will be under the GDPR) in relation to your collection and use of data generally, including for marketing purposes, and (2) the sending of unsolicited (electronic) commercial communications, which is specifically covered by the Privacy and Electronic Communications Regulations (2003) ("PECR") in the UK, and by similar legislation elsewhere in Europe. There are also proposals at the EU level to reform these rules and bring in updated laws in this field at the same time that the GDPR comes into effect (May 2018) but the current draft is still being worked on and the process will have to move incredibly fast (at least by EU standards) for this to happen.
In any event, for the moment at least and as far as we can comment on the basis of the GDPR and our expectations regarding reform of the laws on Privacy and Electronic Communications, the key points to note are:
1. Current data protection law applies to the processing of personal data (as will the GDPR when it comes into force). While an email address like "firstname.lastname@example.org" won't constitute personal data, an address like "email@example.com" very likely will (and for purposes of good practice should be treated as if it is). This means that all your collection and use of such data, even though it relates to a business user, needs to comply with general data protection law requirements.
2. As you know, if you send unsolicited commercial communications by email, text etc, you will need to comply with PECR and with whatever legislation replaces it when it comes into force. In short, this means that if you are sending marketing emails to people in their individual, non-business capacity, you will need freely given, informed prior consent (i.e. "opt-in") before sending marketing emails and other electronic messages. (Note that "soft opt-in" is available if, in summary, you have a prior trading relationship with the individual). However, if you are sending such communications to businesses, as in your case, using business email addresses (either generic, like "firstname.lastname@example.org" or to a named individual, where the address may constitute personal data) you do not need prior consent. However, you should continue to include an unsubscribe link, and respect unsubscribe requests. You should note that this position may change if the current proposals for reform of Privacy and Electronic Communications law are implemented in the UK. The current draft regulation provides (somewhat opaquely) that "the legitimate interests of end-users that are legal persons with regard to unsolicited communications" must be "protected". In short, since companies are also "legal persons", it appears that the intention at the moment at least is to extend the regime that currently applies when you are marketing to individuals outside of their business capacity to marketing to businesses. Clearly, this is an area that DCA members will want to monitor.
3. Just as is the case in B2C, B2B commercial communications should also identify who the sender is and be clear that they are sent as marketing communications.
We hope this helps clarify the position in this complex area. If you would like to learn more, we will be holding a seminar specifically for DCA members on June 29th in central London and would be pleased to see you there. The DCA team has all the details and is managing the bookings.
Warm regards from Wiggin.