
Why GDPR Doesn’t Mean We Are Going To Stop Contacting Businesses

May 25, 2018
There has been a lot of scrutiny over how lead generation and email outreach companies such as ourselves will be able to continue as a business model post-GDPR. Contrary to mainstream media coverage, GDPR-compliant email marketing is still legal and is still effective! As much of the press coverage has centred around consent and the individual’s right to privacy, there have been many misconceptions about what GDPR actually means for B2B email outreach.

First and foremost, Taskeater as a provider of both data processing services as well as lead generation and email marketing has consulted with legal experts and taken steps to ensure our full and total compliance with the upcoming changes. You can read about our preparations in full here.

Selling lead generation services over the course of the last few months, our team has routinely encountered misinformation, scaremongering and confusion over what GDPR means for business-to-business communications and what compliance for companies like ours looks like after May 25th.

This article is going to take an in-depth look at what the new EU ePrivacy law actually means, and clear up some key issues for anyone in B2B sales or email marketing.

 

What Is GDPR and the ePrivacy Regulation?

The General Data Protection Regulation (GDPR) aims to align the data privacy laws across all EU countries.

The GDPR regulates the processing of personal data of EU individuals by an individual, a company or an organisation. It doesn’t apply to the processing of personal data of deceased persons or of legal entities (and that is the key point here).

First and foremost, the GDPR is for individuals. It enforces an individual’s right to know how their data has been collected and processed, their right to consent to be contacted, and their right to prevent their data being processed.

The Difference Between The GDPR And The ePrivacy Regulation

Before I get on to the question of whether a business such as ourselves or our clients can continue to email leads cold post-GDPR, I want to make the differences between the GDPR and the ePrivacy regulation crystal clear.

The EU Commission describes the overall legal framework as:

“The ePrivacy Directive and the General Data Protection Regulation provide the legal framework to ensure digital privacy for EU citizens. The European Commission has reviewed the Directive to align it with the new data protection rules.”

As the above indicates, there are two main pillars of the data protection legal framework in the EU: the ePrivacy Directive of 2003 (Directive on Privacy and Electronic Communications) and the General Data Protection Regulation of 2016.

What is the difference?

As Digiday point out in their article The winners and losers of the EU’s new ePrivacy law:

“The core difference is that cookie use is central to the ePrivacy regulation, which is why it’s known as the “cookie law.” Businesses in Europe must get explicit consent to use cookies and provide clear opt-outs to users under the proposed new law. Meanwhile, the GDPR regulates the general handling of personal data.”

As the article further explains, the regulation takes on the privacy and data definitions introduced within the General Data Protection Regulation, and then works to further define and enhance these definitions.

The GDPR Protects Individuals, Not Businesses

What I have found repeatedly in talking to people over the last few months leading up to these changes is confusion or ignorance of one key point: the privacy law is intended to protect individual citizens, not businesses.

Let me repeat: GDPR is intended to protect individual citizens, NOT businesses.

The EU even declares: “The proposed Regulation on Privacy and Electronic Communications will increase the protection of people’s private life and open up new opportunities for business.”

I am sure anyone in the field will agree with the recent observation by the EU working parties responsible for introducing the new regulation that the wording is still quite loose when it comes to cold email.

This is because the ePrivacy Regulation specifically leaves it up to the individual countries within the EU to decide whether ‘unsolicited commercial communications’ (a.k.a. B2B cold email campaigns) should be opt-in or opt-out.

 

What GDPR Means For B2B Email Marketing In The UK

With this in mind, let’s take a look at how the UK is choosing to implement the privacy law.

Within the UK, the PECR applies. PECR stands for the Privacy and Electronic Communications Regulations (the full title is The Privacy and Electronic Communications (EC Directive) Regulations 2003).

These regulations are derived from European law and implement European Directive 2002/58/EC, also known as ‘the e-privacy Directive’.

This is absolutely critical to understand because while the GDPR does not make specific distinctions between B2B and B2C companies, PECR does make this distinction. With a lot still left unclear by the GDPR, this offers useful distinctions between business and individual data processes for B2B salespeople and marketers.

It is worth noting that PECR is likely to be updated this year, so it is important that you keep informed about any changes or developments.

However, as it stands, cold emailing and texts between businesses come under this directive in the UK. The Information Commissioner published guidelines on cold B2B marketing outreach which include the following sections:

“142. These rules on consent, the soft opt-in and the right to opt out do not apply to electronic marketing messages sent to ‘corporate subscribers’ which means companies and other corporate bodies eg limited liability partnerships, Scottish partnerships, and government bodies. The only requirement is that the sender must identify itself and provide contact details.”

This means soft opt-in and the right to opt out do not apply to B2B sales and marketing messages sent to companies and other corporate bodies.

“144. Corporate subscribers do not include sole traders and some partnerships who instead have the same protection as individual customers. If an organisation does not know whether a business customer is a corporate body or not, it cannot be sure which rules apply. Therefore we strongly recommend that organisations respect requests from any business not to email them.”

Sole traders and some partnerships do have the same protection as individuals – see the diagram below for more clarity.

“145. In addition, many employees have personal corporate email addresses (eg firstname.lastname@org.co.uk), and individual employees will have a right under section 11 of the DPA to stop any marketing being sent to that type of email address.”

You MUST include an unsubscribe option whoever you are emailing. An easy and clear opt-out needs to be provided on every email you send, including business-to-business email campaigns. This does NOT need to be a link; it can be a response to an email, as long as it is easy for the recipient. Any outreach program or software today will have an automated unsubscribe feature as a basic part of the service.

This webinar hosted by BBD Boom with GDPR expert Mark Gracey covers the various requirements for consent and opt-in across B2B, B2C and sole traders.

Taskeater already provides a clear opt-out in any emails we send on our own behalf or on behalf of our clients. In contacting anyone, individual or business, this is the critical step to ensure compliance when sending your own email campaigns in-house.

* With existing customers, provided there was an opportunity to opt-in to marketing information, you can market future products to them on the basis of your existing relationship.

Mark Gracey makes this pretty clear in a LinkedIn article which I recommend you read – When B2B data is personal data and what that means with the GDPR:

 “an individual’s business email address can also be considered personal data as it allows you to identify them from the email address (as opposed to a generic email address like sales@ accounts@ etc.). But, PECR allows you to market to these individuals provided you offer an opt-out and the marketing relates to their role (see the ICO’s Direct Marketing Checklist). Generic business data can be used for marketing provided an opt-out is provided.”

How To Send GDPR-Compliant Email Campaigns

Now it is critical here that I highlight the importance of consulting a professional about your own services and marketing strategy. Taskeater has consulted a number of legal experts and on the basis of this has fully prepared for the regulation changes, both for our own strategy and for our clients’ – read How Taskeater is Preparing For GDPR.

By way of general advice, with all the GDPR focus on personal data protection, anyone sending out email marketing campaigns to businesses should remain in line with the basic requirements for cold email marketing:

  • An easy and obvious opt-out
  • Accurate sender field
  • Relevant subject line
  • Legitimate physical address listed
  • Solely email businesses and corporations (avoid sole traders and individual business owners)
  • Instantly remove people who opt-out
  • Cleanse your database of out-of-date or irrelevant leads

If You Want More Information About GDPR-Compliant Email…

If you want to read the regulations for yourself, but don’t want to labour through the whole thing, check out Article 16 on unsolicited communications which speaks directly to this topic.

I would also have a read of the EU Working Party’s response to the uncertainty in the language, particularly around Section 43 (a) on unsolicited communications.

To read more about how Taskeater has prepared, have a read of our article How Taskeater is Preparing For GDPR and feel free to get in contact with any questions.

As a business we:

  • Exclusively lead source and email corporations and businesses.
  • Keep detailed records of the means of collection and processing of any data in the interim – we custom build fully verified and compliant lists.
  • Invested heavily in the best security and safety measures for any data stored.
  • Actively cleanse our own and our clients’ databases to ensure compliance.

 

A final word on CRM cleansing

Taskeater offers CRM cleansing and data discovery services to B2B companies of all sizes, all over the world. We guarantee complete confidentiality and security – any data we process will not be stored on a centralised database and will not be sold on. We remove leads you no longer need and replace them with active contacts with accurate contact details. We also help you become GDPR ready by tagging your data sources and replacing personal data with corporate data.

For further information about what CRM cleansing is and whether you need it have a read of these articles we have published over the last month:

CRM Maintenance 101: How Dirty Is Your Data?

Trigger Event Selling: How To Generate New Business With CRM Cleansing

How To Keep Your Data Clean Post-Cleanse

Dan Vanrenen


Managing Director of Taskeater and one of Taskeater's former clients. He has 16 years of sales experience, two boys and loves rugby.
