Jump to content

Recommended Posts

Posted (edited)

I've no idea whether this conforms to the new GDPR consent requirements, but I just changed  the wording of 'Subscribe to Mailing List' to the follwoing.

 

Under the new 2018 GDPR guidelines, it's now a legal requirement that we seek permission to contact you outside of any contractual arrangements. Please tick this box if you agree to us contacting you.

 

I had mine checked by default (opt out was a  physical action), it's now unchecked.

 

I've no idea how I'm going to contact 50,000 previous customers and ask for thier consent moving forward.

Edited by keat

Share this post


Link to post
Share on other sites

On 28/03/2018 at 4:07 PM, keat said:

I've no idea whether this conforms to the new GDPR consent requirements, but I just changed  the wording of 'Subscribe to Mailing List' to the follwoing.

Under the new 2018 GDPR guidelines, it's now a legal requirement that we seek permission to contact you outside of any contractual arrangements. Please tick this box if you agree to us contacting you.

There is no need to do this but it should be covered in your Privacy Policy.  Having any consent pre-selected will not be allowed under GDPR.

You were part of a previous discussion where I summarised the basic points - see 

 

On 28/03/2018 at 4:23 PM, Noodleman said:

CubeCart 6.2 will take care of a lot of these things

It will from technical point of view but the main area of work is down to each customer to update their Privacy Policy and Terms and Conditions based on the decisions taken as to data use and retention.

  • Like 1

Share this post


Link to post
Share on other sites

What are your thoughts on the following.

Take away the option to opt in or out of the mailing list all together.

Write something in to a privacy policy stating that we have a legitimate interest to use your data for statistical and marketing purposes, giving the customer the right to opt out during the marketting campiagn.

Share this post


Link to post
Share on other sites

Just had a bit of a GDPR meeting and they guy said we could use 'Legitimate Reasons' to use the data for marketing purposes, so long as it's stated in our privacy policy and that the customer has the rights to opt out.

Is there anything that states, the customer must be given to option to opt in/out at the time of sign up.

 

 

The example privacy policy he supplied states:

 

There are occasions when we will use your name, address and email address for marketing purposes, to develop our business and to extend the level of services available to you we believe that this is in our legitimate interest.  We always provide an ‘opt out’ option in all our marketing correspondence with you.

 

So if I take away the mailing list option on the web site, but give them the option when we mail them, that's taken away the grey area.

If a customer were to find us by accident, made a phone call and placed an order over the phone, he has no opt in/opt out option to choose in that scenario, unless we asked. That's not going to happen, so why not take away the option from the web site.



Share this post


Link to post
Share on other sites

Consent is only one of the principles.

Legitimate Interest is another.

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/

 

The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.

Share this post


Link to post
Share on other sites
6 minutes ago, keat said:

So if I take away the mailing list option on the web site, but give them the option when we mail them, that's taken away the grey area.

If a customer were to find us by accident, made a phone call and placed an order over the phone, he has no opt in/opt out option to choose in that scenario, unless we asked. That's not going to happen, so why not take away the option from the web site.

I agree with @Noodleman - my take is that the advice you are being given is incorrect.

Also, from your wording above, a customer placing an order is entering into a contract with you and the reason for collecting the information is totally different and the length of time you need to keep it is also totally different.  Contractual and marketing reasons are totally different.

5 minutes ago, keat said:

The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.

Legitimate Interest doesnt apply to marketing newsletters !

  • The processing must be necessary. If you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply.

Share this post


Link to post
Share on other sites
Posted (edited)

But the legitimate interest states:   The legitimate interests can be your own interests.

 

It's highly likely to cause debate, but as there's no hard and fast rules "so to speak", we could argue that way we interpretted the rules,  was that we have a legitimate interest to market our customers.

However, marketing someone we never had contact with to from the onset, ie a mailing list, we would need to obtain consent.

let me interpret the following. (my interpretation in blue)

 

The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.

We have an interest to email and send catalogues to customers as a duty to keep them informed on price increases, special promotions and our new catalogue.

 

 

The processing must be necessary. If you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply.

The processing via email or snail mail is neccessary as we are unable to convey the information by any other means

 

You must balance your interests against the individual’s. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.

How could one determine that a regular known customer, would not want to be kept informed, so we give the customer the ability to opt out during the communication campaign.

 

 

I'm still working on the example, but if anyone wants to take a look and make any use of it, or any snippets of it, feel free.

 

https://www.beal.org.uk/privacy-policy.html

 

 

There are occasions when we will use your name, address and email address for marketing purposes, to develop our business and to extend the level of services available to you we believe that this is in our legitimate interest.  We always provide an ‘opt out’ option in all our marketing correspondence with you.

Edited by keat

Share this post


Link to post
Share on other sites

Debate

 

 

So the mixed up interpretations continue.

Today we received an email with a pdf attachment explaining GDPR and that the company requires our consent.

It went along the lines.. "if we don't hear back from you, we will assume that we have your consent"

 

I can argue, if you don't hear back from me, that we never received the communication, therefore you don't have my consent.

Secondly, it was addressed to 'Dear Supplier' and then 'Dear Sir/Madam'

Dear supplier or sir/madam is not personal identifiable data, so therefore in my eyes does not constitute GDPR protectional data.

Share this post


Link to post
Share on other sites

I doubt very much that the ICO will do anything, there's so much woolyness and mis-interpretation that many companies will fail.

We can only do what we can do to satisfy that we appear to be doing.

Share this post


Link to post
Share on other sites
Posted (edited)

On the subject of consent.

 

I'm still waiting for Google, Ebay, Facebook, Twitter, Microsoft and any other huge corporate I've had dealings with to physically ask me for my consent to be contacted.

I've had lots of communications from them, but not a single one asking for me to complete a check form saying that I consent.

 

or, Tesco, Asda, B&Q, ScrewFix, ........................ CubeCart 🙂

Edited by keat

Share this post


Link to post
Share on other sites

FYI

 

Not one mention of requiring my consent.

 

At Spotify, we want to give you the best possible experience to ensure that you enjoy our service today, tomorrow, and in the future. It is also our goal to be as open and transparent as possible with our users about the personal data we collect to provide that service, how it is used, and with whom it is shared.

We are contacting you today to let you know that we will be making some changes to our Privacy Policy, which will be effective from May 25th. These changes will reflect the increased transparency requirements of the EU General Data Protection Regulation (known as the ‘GDPR’).

We have always strived to provide you with clear and simple information about the personal data we collect and use and how we protect your personal data in our Privacy Policy. Today we are simply announcing enhancements to the Privacy Policy which clarify and provide additional information about:
 
  • your privacy rights and how to exercise them;
  • how we collect, use, share and protect your personal data, and
  • the legal bases we rely on to process your personal data.

Over the next few weeks, we will also be rolling out new tools which include a new Privacy Center at Spotify.com and a new Privacy Settings page in your Account to help you more easily understand and manage your privacy choices, including a new ‘Download my Data’ button.

Please click here to read the revised Privacy Policy, which will be effective from May 25, 2018. We have also prepared this blog post which summarizes the key changes to the Privacy Policy in more detail.

If you have any questions, please contact us using the Contact Form.

Thank you for using Spotify.

Enjoy the music!

Share this post


Link to post
Share on other sites

email today from ACAS, with no reference to me consenting or opting in.

Hopefully, everything will be back to normal on Monday.

 

 

 

Hello 

In line with GDPR, we have updated our privacy policy which can be viewed on our website

We look forward to contacting you in the future, however if at any time you would like to stop receiving communications please unsubscribe using the links provided within our emails.

Share this post


Link to post
Share on other sites
On 3/28/2018 at 9:07 AM, keat said:

I've no idea how I'm going to contact 50,000 previous customers and ask for thier consent moving forward.

I thought I'd start working on this with our Wordpress sites. One has no comments, pages only all written by me. So that one is a no brainer. One has comments, so I'm using a GDPR plugin to get an appropriate Privacy page. I tweaked the wording just a bit to fit the site. I've sent a policy update email to all of the commenters.

But the third site is a doozy. It was created many years ago, has over 16k comments and over 2,600 members. It got too big for me to handle alone a few years ago. So I shut down all comments, access to accounts, etc., and moved to Facebook. I notified all 2,600 plus at the time about what I was doing. Because there is so much valuable information not available anywhere else on the internet among the many posts and comments - I have kept the site open and up to date security wise.

NOW I needed to provide ex-members a way to ask for deletion of all personal data. Luckily I found a WP plugin that made it somewhat easy to delete. I downloaded all members name and email address. I ended up using the free email sites online - MailChimp and BenchMark - to upload parts of the membership list and send out an email about how to have their personal data deleted.

I'm now in the process of deleting said data for those who requested it. But the crazy part is - about all I had was name and email address for anyone. So, with their website data "deleted", I then had a databased list of all the names and addresses of the deleted names and addresses!! How crazy is THAT!

I decided that for this situation it made more sense to delete the databased list of those who requested deletion and also delete all email correspondence we had concerning the posts, etc. That may not be the "legal" way to do it, but it was silly done any other way.

Thank goodness the GDPR rules make it clear that data that needs to be retained for financial, etc., purposes is OK . Our CC mailing list was always optional, so that shouldn't be an issue for us on CC sites.

To deal with your 50k+ list you will probably have to do something similar on a larger scale - creating a list and throttling sending them a chance to opt-out and/or delete non-essential data. WP made this easier by having an easy way to create and download the customer list. And then the WP plugin made it easier to confirm their request for deletion and then the actual deletion of data (not perfect).

Good luck with whatever you decide to do!

 

Share this post


Link to post
Share on other sites
Posted (edited)

In the case of the closed down comments site, I would have just deleted the email addresses and IP's (if gathered).

A user name isn't particluarly identifiable, some may argue that it is, however, i'd struggle to work out who, dirty butter is. 🙂

If a user is foolish enough to put his full name and address online, in a comments field in full view, then that's his own fault, you can't be expected to proactively audit this.

 

With so much confusion about consent, some believing it's required, others believing not so, we are not seeking any consent.

Microsoft, Google, Spotify, ITV, BBC even ACAS haven't specifically asked for consent to contact me, they've just sent me links to thier updated privacy policy.

We don't purchase mailing lists, we learnt a long time ago that they are just harvested rubbish with little return.

 

For this reason, we are also not seeking consent, instead choosing 'legitimate reasons' as our basis to contact our customers.

We have created a new privacy policy, which is clearly linked on our web site, it's linked in all email communications from all staff, and linked on the bottom of each customer invoice.

When we run our seasonal mailing campaign, there will be reference to it in there, and I guess when we send our next years catalogue, GDPR will be mentioned.

 

It seems, more emphasis has been more about consent, than actual data protection.

In fact we received an email this morning from a customer or supplier stating that they inadvertantly divulged email addresses on a recent correspondance.

Without me delving too deeply, I wouldn't be surprised if the CC'd thier own privacy policy to a huge list rather than BCC. 🙂

 

 

I wonder how many customers or suppliers may think that it's now illegal to call us to order something because they didn't seek our consent.

Edited by keat

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×