A matter of consent: What is the GDPR and what does it mean for you?
Europe’s new data protection law is meant to give us power over our inbox – but will we tick the right box?
The anti-consumerist organisation Adbusters believes that each of us is subjected to 3,000 marketing messages every day. We have a rather fraught relationship with those messages; sometimes they’re more useful than we’d care to admit, but we generally condemn them as intrusive and unwanted.
Email marketing messages tend to be thought of as particularly bothersome, but this week consumers have had an opportunity to register their displeasure. As new regulations come into force in the European Union, thousands of organisations have been frantically emailing their entire marketing database to ask nicely for permission to continue sending out emails.
Giving people more control over their data
In a world where we often feel powerless against the marketing onslaught, it feels unusual and rather refreshing for companies to be begging us for approval. But the result of this exercise has been rather predictable: if you ask people directly if they want to be marketed at, they relish the opportunity to demonstrate their indifference.
These new regulations, known as the General Data Protection Regulation, have caused consternation among businesses worldwide, large and small. Their attempts to comply with a European law that carries enormous fines for non-compliance have been frantic, almost panic-stricken. Consumers, meanwhile, have regarded their beseeching emails as just another form of spam. As these digital pleas fall on deaf ears, it’s estimated that some marketing departments may have to shed up to 80 per cent of their email databases, denying them a very useful and direct method of peddling their wares.
In some ways, this is what the GDPR was intended to do: shift the balance of power away from businesses and give people more control over their data, who uses it and for what purpose. But the legislation is dense, complex and poorly understood. Businesses, charities and even amateur theatre groups are gripped by the fear that their possession of an email database represents a kind of ticking timebomb, and this fear has resulted in plenty of bad advice and overly hasty actions. Some online businesses, wanting to be safe rather than sorry, have even stated their intention to entirely purge any online accounts belonging to customers they do not hear back from, erasing all trace of them from their system. But this, according to data protection experts, is likely to be an extreme overreaction.
So what's the issue?
The thorny issue at the centre of the GDPR panic is one of consent, and it’s one that we’ve all had experience of when shopping online. Since the dawn of e-commerce, firms have used subterfuge to get us to agree to receiving marketing messages. The most common form of this is the pre-ticked box accompanied by a convoluted phrase such as: “Don’t untick this box if you don’t want not to hear from us again.” Rather than work out what that actually means, we leave the box ticked, and a few days later we discover that we’ve unwittingly signed ourselves up to a marketing campaign. This, according to GDPR, does not constitute consent any more than leaving your front door open is an invitation for strangers to burgle your property.
No, consent has to be unambiguous, which involves asking us a question and giving us the opportunity to make a clear decision to opt in. (If GDPR has only one lasting effect across the internet, the clearing up of online forms to rid them of these so-called “dark patterns” that force us to behave against our will would be very welcome indeed.) Many organisations, of course, have collected email addresses in a perfectly legitimate way. If they already had unambiguous consent to send marketing emails, they did not need to ask again, but this has not been made very clear.
And so the current deluge of email hurtling around the planet is a combination of blameless organisations misunderstanding their responsibilities, and others desperately trying to clean up their act before tomorrow’s deadline.
This action by the EU may herald the moment when all organisations are forced to take individuals’ online privacy more seriously and pay greater respect to our right to not be pestered and cajoled.
But while the GDPR has beefed up laws and the penalties for breaking them, many countries have had such laws in place for years, and the current emailing spree by GDPR-fearing companies is highlighting previous misdemeanours. Take the Japanese multinational Honda: in 2016 it sent out 289,790 emails to obtain clarification from customers on their email preferences ahead of GDPR, but British regulators ruled that it did not have permission to send those 289,790 emails, and fined the company.
Therein lies the irony of GDPR: emails sent in an attempt to comply with the law may, in fact, fall foul of it. The law tends to have a reputation for failing to keep up with the internet. This time, however, it appears to have real teeth.
Updated: May 24, 2018 12:16 PM