Peddling myths to harry the innocent
Like wasps to a pot of jam, the buzz of experts rushing onto the GDPR bandwagon is incessant. Leading cyber security entrepreneur Jane Frankland posted just two days ago ‘Can we really trust GDPR Products, Services and “Experts”?‘ and I found myself agreeing with much of what she said.
Given that a good deal of my time at the moment is spent trying to understand the GDPR and how it applies to clients mainly in the B2B events and publishing industries, I have trawled my way through lots of different articles from “experts”. My current role involves a constant picking apart of the legislation to understand how it applies to the nuances of individual organisations and their business operations. There is lots of great advice from the ICO and the DMA but the scope of what these bodies are covering is vast and much of it is generic so it is important to supplement their information with more specific details from elsewhere.
This research process does occasionally throw some complete curve balls, and today served up an absolute belter. While looking for insight into double opt in I came across the following comment in a blog by a Marketing Automation company:
Take a really good look at the last sentence in the first paragraph… Yes – you are reading it correctly – apparently people who attend B2B exhibitions are so naive that when they give a business card to a company on a stand they don’t think this is for marketing (i.e. contact about products and services) purposes and it’s the last thing they want. Really?! If you are having a chat with a sales rep at the bar and you give them your business card, are you just expecting them to add you to their Christmas card list or would you be more than a little surprised if they called you up to ask you if it’s OK to email you about the product you were discussing with one another? Surely personally handing over a business card is the most unambiguous form of consent there can possibly be…
I’m not entirely sure where the writer of this article has been hiding, but patently they have zero understanding of the way networking happens and business relationships are built. If you aren’t interested in a product, or you don’t want to be contacted by someone, you don’t give them your business card in the first place. They also haven’t grasped that in many instances business cards aren’t exchanged at B2B exhibitions; there’s this really cutting edge technology called a scanner where visitors voluntarily allow their personal data to be collected by the company whose stand they are on with a data protection notice already printed on the badge telling them not to do it if they don’t want to. Nor, I suspect, do any of the authors of the GDPR legislation intend it to hamstring business interaction in such a draconian way.
Double opt-in or confirmed opt-in is another favourite of this same marketing automation ‘expert’:
Now, there is some merit in a double opt-in process, as described by Mailchimp:
The above describes clearly how double opt-in is a mechanism for keeping your data clean and relevant, saving you time and money. As opposed to the previous one which is peddling it as a legal necessity. Think about this – some commentators say you need double opt-in because someone might be signing you up for multiple porn sites as an act of revenge – but chances are that if they are vindictive that person also knows how to access your email account or the stream of ‘please confirm your subscription to …’ emails will cause more than enough distress. In the B2B context, is this likely?
If you are following the pathway to GDPR compliance, you should have a very clear ‘opt in’ statement on your data collection forms at the point at which the data is collected as specified in Article 7 of the Regulation. In my humble opinion this is sufficient proof that someone actually intended to sign up for an event/requested to receive a newsletter/asked to download a piece of content. Given that at every contact point from there on in, the recipient is able to opt out again, suggesting that double opt-in is mandatory is a mendacious attempt to extract fees for unnecessary services from credulous companies who have not had the time to study the legislation in detail.
GDPR will affect your organisation in one way or another, and undoubtedly you will need help along the way. But please, let common sense prevail, and make sure that you filter the advice you are being given according to the agenda of the person giving it.