Nov 17, 2022

GDPR Guidelines for getting opt-in for sending Email, SMS and WhatsApp.


Goal

Of the GDPR legislation, we focus here on getting permission to send campaigns via Email, SMS and WhatsApp to your audience.

Product

  • Messaging

  • Mobile Marketing Cloud

Background

The General Data Protection Regulation (GDPR) is a privacy and security law that imposes obligations on any type of institution that collects personal data from users who are residents of the European Union, or that is based in the European Union.

The goal of the GDPR is to force institutions to take the privacy of individuals sharing "personally identifiable information" (or personal data) with them very seriously: only collect what is necessary, only store it when really necessary, and keep that information secure.

As defined by the GDPR, "personal data" is any information that can be related to an identifiable individual, either directly or indirectly. That definitely includes all information gathered in the Customer Data Platform.

Is it all about consent?

First we will need to distinguish between two types of consents:

  1. Marketing opt-ins (ePD)

  2. Consent to process personal data (GDPR)

"Marketing opt-ins" are governed by the "ePrivacy Directive" (to be replaced by the ePrivacy Regulation when it comes into force). This ensures that you cannot "spam" people and regulates when and how you need to request opt-ins. But this is separate from GDPR consents, where you ask permission to process personal data. You may be able to process personal data because a person has bought a ticket to a music event at your business, but that does not necessarily mean you are able to send them marketing communication messages. GDPR regulates the first, ePD the second.

Under the GDPR you do not always have to ask approval before processing personal data. There are also other "legal bases" for processing personal data, and the data controller (in this case usually our customers) has to choose the right ground for their specific purpose.

Other legal bases to process data:

  1. Consent (The data subject has given permission for the organization to process their personal data for one or more processing activities.)

    1. Read below for the how

  2. Performance of a Contract (The data processing activity is necessary to enter into or perform a contract with the data subject.)

    1. Example: when you sell tickets for an event, this legal basis allows you to send communication around that specific event.

  3. Legitimate Interest (Is this processing activity necessary for the organization to function? Does the processing activity outweigh any risks to a data subject’s rights and freedoms?)

  4. Vital Interest (A rare processing activity that could be required to save someone’s life.)

  5. Legal Requirement (A rare processing activity that could be required to save someone’s life.)

  6. Public Interest (A processing activity that would occur by a government entity)

For commercial companies, legal bases 1 and 2 apply most of the time.

How to ask for consent?

The GDPR states that consent must be:

  1. Freely given (So don't precheck a box and always make sure people can opt-out. And honor that.)

  2. Specific (Specifically ask consent for certain channels (SMS/Email/WA))

  3. Informed (Tell the subscriber what you are going to do with their data. This should be part of the T&Cs / Privacy Policy, and those should be linked.)

  4. Unambiguous (Tell it all in clear and plain language)

  5. Expressed (Don't imply it, make it clear “I understand and accept…”)

  6. Granular (Only claim consent for the purpose it was given for)

Specific Channel Guidelines

For all channels:

  • Make the sender's identity very clear.

    • Email address with domain of customer.

    • WhatsApp account with name of customer.

    • SenderID for SMS with the customer's name (in countries where the senderID can't be alphanumeric, use greetings with the company name)

  • Offer an easy and clear opt-out option.

    • Email: unsubscribe link to CDP or address book or custom unsubscribe page

    • SMS: add opt-out tag (No-S.MS) or custom unsubscribe page

    • WhatsApp: add STOP keyword connected to chatflow

      • For all: this is done in the easiest and best way if combined with a CDP

  • Do not send messages at inconvenient times

    • Email: there are no real limitations

    • SMS/WhatsApp: No legislation, but good practice: don't send any messages between 8PM and 8AM, and if not necessary for the purpose, don't send on Sundays and public holidays.

      • In France it isn't allowed to send marketing traffic between 20:30 and 08:00 GMT+1, on Sundays, or on public holidays.

Articles to share with your customer:
