By now, you’ve probably received at least one email from a company asking you to confirm that you really do want to receive marketing emails.
These repermissioning campaigns are an attempt to bring consent up to the standard set by the GDPR, ahead of the regulation’s enforcement on 25th May 2018.
In this article, I’m going to look at 15 examples of repermissioning campaigns from brands both big and small. But first, let’s have a bit of background…
(And remember that Econsultancy provides face-to-face GDPR training for marketers, as well as online training, and an excellent Marketer’s Guide to the GDPR)
Do you have to refresh your consents?
No.
Lots of companies will be confident that they already comply with the GDPR. Others, such as in the infamous case of Wetherspoons, have simply decided to delete email data, perhaps fearing non-compliance.
However, lots of companies are repermissioning – those that aren’t confident their consent process is up to the new standard, or don’t have the appropriate records (necessary for the GDPR’s burden of accountability) of who consented, when, where and to what.
A brief note here that consent is, of course, not the only legal basis for processing personal data, but as we’re dealing with marketing communications (which require consent under the PECR) there is no other legal basis to consider (we won’t touch the slightly warmer potato of ‘soft opt-ins’ in this article).
What constitutes consent?
According to the GDPR, consent is “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
That phrase ‘clear affirmative action’ is arguably open to interpretation, and there is lots of debate about consent. But the ICO’s guidance is pretty clear – “Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.”
How to refresh consents?
Fairly obviously, do not use email to repermission those who have not given some form of consent already. If individuals have opted out or unsubscribed already, you will likely be in breach of the PECR if you contact them by email again.
It’s worth pointing out that repermissioning doesn’t have to be done with a broad brush. You can take different approaches with different customers, for example you may want to segment your database before undertaking phased repermissioning.
A blog post by automation company Ometria advises segmenting customers for repermissioning along the following lines:
- Opens emails and regularly buys
- Opens emails and infrequently buys
- Opens emails and clicks through to browse items
- Opens emails – no activity
- Receives email – no activity
- No activity after 6 months
- No activity after 12 months
- No activity after 18 months
In this article we are mainly dealing with consent for email marketing, but marketers should think about what consents they want to refresh – cookies for example.
The most important things to consider when constructing an email campaign are whether your privacy policy is well written, whether the consent mechanism you choose conforms to the definition of consent in the GDPR, and how to keep a record of these new consents (when, how, what etc.).
On to the examples!
1. ASOS – bold and on-brand
As usual, ASOS’ approach is impressive. The subject line is simple and clear – “The law is changing. Are you set to get your ASOS emails?”
Take a look at the email content below. Lots of things stand out:
- There’s a tickertape GIF at the top announcing “the law is changing” which helps to grab the attention of the recipient and impart the import of the message.
- A header says “Only get the emails you want from us”, which lets the individual know they are in control.
- Funnily enough, the next line says “You’re in control”.
- There’s then a clear blue button and call to action – “opt me in”.
- Next the email lets me know what I am already opted in for, a nice touch, with a bit of copy and some icons to make it extra clear.
- Finally, there are three more calls to action in the footer – again the option to opt in, as well as to opt out and to update your preferences.
This email is by no means the only part of ASOS’ comms effort around the GDPR. The retailer also has excellent pages on it website, such as this one on contact changes, as well as its updated privacy policy, featuring video content, clear headlines (in ASOS’ tone of voice), and a concertinaed policy which is easy to digest.
Bravo, ASOS.
2. Money Supermarket – a softer approach
The subject line on Money Supermarket’s repermissioning email reads “[Name], don’t forget to tell us if you still want our money-saving deals and tips”.
So far, so normal. It looks like this is a standard repermission email which will go on to ask the recipient to consent once again.
But a look at the email content below reveals that Money Supermarket is asking those signed up to its emails to “let us know if you’d rather not get these emails from us any more”. The call to action at the bottom is then to “update my preferences”.
Money Supermarket is not seeking consent from recipients of this mail, but giving a chance to check preferences and opt-out.
It could be argued that this approach creates a catch-22 scenario – to opt-out, users have to be somewhat engaged with Money Supermarket emails, but it is the recipients that are not engaged with these emails that are most likely to want to opt out.
I’m not arguing here that Money Supermarket has taken the wrong approach – the brand’s marketers may well be confident that they already comply with the GDPR and are simply taking the opportunity to reconnect with their database and increase their awareness about their contact preferences. Such activity is a good idea.
All this aside, the imagery and copy is nicely done.
3. Nucco Brain – confusing copy
To properly inform a data subject, companies must excel at clear, straightforward language (see the ICO’s guidance on privacy notices). Though the ICO does say that privacy information should conform to house style, that shouldn’t preclude clarity.
In the example below from Nucco Brain, a London-based storytelling studio, the analogy between consent and of a cup of tea is stretched a little too far in my opinion.
The subject line (not captured below) reads “GDPR is coming, and we’d still like to offer you a cup of tea”. Read the full email and it is really is a bit wishy washy. Even the important question of whether recipient still want to receive emails is disguised by analogy – “would you like to keep drinking our cup of tea?”
Whatever you think of this copy, it might not matter too much, as Nucco Brain takes the same approach as Money Supermarket, not asking for people to opt in, but to opt out.
4. PwC – bang on the money
You wouldn’t expect anything less from PwC, but its repermissioning email includes everything that the ICO would want to see. Namely:
- Description of what marketing emails may include
- The option to opt out within every marketing email
- A link to the PwC privacy statement
- Notice that transactional/servicing emails will be unaffected
- Right to withdraw consent at any time
- Notice that recipients will be opted out if they do not respond
- Two clear and equal-sized buttons to opt in or opt out
Any marketer wanting to include all the right information in their repermissioning campaign would be wise the follow the lead of an email like this, in my opinion.
Inkeeping with the brand, the subject line is professional and easy to understand, too.
5. Destination KX – confusing competition?
Destination KX is the newsletter for the newly happening Kings Cross area of London.
The subject line for its repermissioning email is “We care about your data”, which to me is a bit ambiguous. Once you open, however, there’s a lovely clear message and call to action inside.
But there’s one issue for me – consenting to marketing is incentivised with entry into a competition to win two tickets to an event. Does this perhaps confuse the opt in slightly? Is it really unambiguous when the recipient may be more interested in winning than receiving marketing? The competition should really be open to all, whether they opt in or not, and that should be clear on the email.
I’m not passing judgment here. But simply from the perspective of achieving clarity, the competition element doesn’t seem ideal to me, even some may argue it’s no different to the discounts that retailers offer to those signing up to email newsletters.
6. South Western Railway – weak call to action
South Western Railway takes the tack of telling recipients “the power is in your hands” before giving some brief information on the GDPR and including a call to action to “update preferences”.
It’s unclear to me from this email whether those that fail to respond will remain opted in. I also think the call to action is a little weak (‘update preferences’) – there is no suggestion of resolution within the email itself. To me, this is asking quite a lot of customers, particularly the apathetic, and relates to the catch-22 I mentioned earlier with Money Supermarket.
The 21 day processing time also seems quite lengthy, and is the sort of thing that those who unsubscribe may get annoyed by.
GDPR: Six examples of privacy notice UX that may need improvement
7. Little Green Sheep – straight to it
Little Green Sheep, a retailer that sells natural bedding, mattresses and sleepwear for babies, is a model of brevity, which is a good thing in my book.
First off, the marketing team has opted for a more intriguing subject line, obviously keen – because they are asking recipients to opt-in – that as any people open the email as possible.
Once you get into the email, it’s all very straightforward:
- A clear header – “let’s keep in touch”
- Two sentences explaining what’s going on
- Two clear calls to action (to consent or not) with the opt-in button larger and more inviting than the opt out (which is still visible, for sure)
- An ecommerce header menu just in case the recipient fancies doing some shopping
Fair play to Little Green Sheep for asking for repermissioning, and for doing it with confidence.
8. Guardian – reminding logged in users
Not an email now, but a nice footer featured on Guardian articles viewed by logged-in readers.
There’s not much to say about this, other than the contrasting colours highlight the key message and button to continue. There’s also a link to find out more.
Lots of companies are doing more than just emailing their database to establish consent – Manchester United, for example, has been using a combination of email, print handouts at games, video content and even advertising hoardings to get its fans to opt in (which our former editor, judging by the tweet below, clearly thinks is not necessary, though anything that can keep people from lapsing is surely a wise investment?).
Desperate approach to GDPR… Man Utd using their ad hoardings to ask people to opt in for emails pic.twitter.com/Jm7M3yhaBO
— David Moth (@DavidMoth) February 25, 2018
The Guardian, though it doesn’t seem to be repermissioning, is making sure users are getting to grips with their preferences. A wise move.
9. The Candidate – missed opportunity?
The Candidate is a marketing recruitment agency in Manchester, England. It has taken the admirable approach of repermissioning its email newsletter.
Those that receive the newsletter will have to actively opt in to continue receiving it. As discussed in the intro to this article, this means that those who miss or disregard a repermissioning email will be opted out automatically. Therefore, you would imagine that where companies take this approach, asking for consent would be front and centre in any repermissioning email. However, that’s not the case with The Candidate.
Opt in is lost in a cacophonous subject line which reads “Top Jobs, Opt in, Candidate Case Study, New Consultants and lots more!”
Then once on the content proper, partly shown below, opt in is only one of the main messages. Even if you do read it, there’s a very weak call to action – “read the full blog here!” – so the anyone scanning the email will not get the main message i.e. “if you want to keep hearing from us, you need to opt in”.
This email shows the need to put the repermissioning message up front, as blatant as possible. You just can’t afford not to.
10. Imperial Enterprise Lab – more of the same
Here’s another newsletter that doesn’t draw enough attention to the need to opt in. Yes, the subject line does have a kooky pun and emoji (see below), but does every reader know what the GDPR is? Would the subject line better asking “want to stay in touch?”
Imperial College’s Enterprise Lab has the same issue that The Candidate has – the GDPR and opt-in message is buried within a very noisey email (show in two columns below to save space).
I’m not on this email list (it was forwarded by a friend), so I can’t be sure if Imperial Enterprise Lab has previously sent messages dedicated to opt in. If they have done so, then this newsletter perhaps isn’t as problematic.
11. John Muir Trust – does what it says on the tin
Of all the emails featured here, I really like this subject line (A quick question for you…) and headline (Can we stay in touch?).
The copy is clear and the call to action speaks for itself, using language the customer understands. There’s clear text saying “You can unsubscribe from our emails at any time”, too.
Extra points for snow hare, or whatever that member of the Leporidae is sitting within the email.
12. Knight Frank Finance – risking apathy
I thought I’d include a simpler example, with less HTML going on. I have no objection to plain text at all, especially in sector such as finance where customers may be paying more attention.
However, I do think that a simple hyperlink on the word ‘here’ is making life unduly difficult for both Knight Frank’s customers and marketers. Those that don’t click with be removed, after all.
13. The Waterside – the old bait and switch
A Young’s public house in Fulham, London next. The Waterside example is notable because it is the only email I have seen where the subject line (“Win two nights in Bilbao”) doesn’t even attempt to hint at contact preferences.
Rather, the top of the email content is reserved for a big message (in flashing colours no less) and a “yes please” call to action, available to all those tempted in by the completely separate competition. I don’t think this is a bad approach to getting the message in front of punters.
14. MRS – nice subject, nicer chipmunk
Is this a chipmunk? Either way, here’s a really clear example of repermissioning. Subject (“GDPR: We need your consent”), copy (“we want to keep you up-to-date…”) and ‘yes’ and ‘no’ options are all beautifully simple. Kudos for giving equal prominence to both options, too.
15. Guidebook – written by a marketer too close to their job?
I really like the simplicity of the email below from Guidebook, a company that makes mobile apps for events. The button is in the brand colour and the text is mostly simple to understand.
The only bum note for me is the line “please opt in so we can maintain your record in our CRM database”. Luckily, Guidebook is a B2B company, so many of its recipients will understand this language, but it did stick out to me. Why not just ask people to opt in to “continue receiving the great content”.
I’m probably being harsh, the company’s motivation is transparency after all, which is admirable, but it does allow me to again make the point that B2C marketers need to do their best to make all of this easy to understand for their customers.
Note that this article represents the views of the author solely, and is not intended to constitute legal advice.
Just want to fix one omission. If marketers cannot “repermission those who have not given some form of consent already”, then this would be a catch-22. They would need consent before they could ask for consent. (Bit of a hot button issue for me.)
https://en.wikipedia.org/wiki/Catch-22_(logic)
So I think you mean, “Fairly obviously, do not [use email to] repermission those who have not given some form of consent already. If individuals have opted out or unsubscribed already, you will likely be in breach of the PECR if you contact them [by email] again.”
Email is great for the people who you can contact in this way. But you need to do more. A repermissioning campaign on other channels, such as your marketing website or app, can market to all visitors, even those who have not given consent, because it uses legitimate interests. Visitors expect you to show marketing on these channels – that’s their purpose – so the legitimate interests assessment is very clear-cut. The ICO has confirmed that the GDPR lets you take on another data processor to do all the work for you.
https://www.linkedin.com/pulse/gdpr-myths-reality-peter-austin/
There are lots of ways to repermission using your marketing website or app, including popover forms, banner messages, or forms in the header/footer. The important things are the value proposition, to limit the number of times the message is shown, and not show it at all to people who have already given an answer. We and others provide a service for this:
http://content.freshrelevance.com/gdpr-package-permission-pass-service-brochure2
Thanks, Pete, and nodding in assent.
PS. I’ve updated to make clear I was referring to email. So much for the clarity of my own copy.
I particularly love the emails asking you to reply to the email to give consent – not a link to a profile page where you can control your data, not even an explanation why they’re emailing you in the first place (because you never signed up for newsletters). And cherry on the pie, when specific members of staff you’ve had dealings with send you a personal email asking you to reply with your consent – who’s the data controller/processor in this instance exactly?
I believe the Waterside example is one effort in a longer campaign (this effort being 3rd or 4th) – all of which are part of newsletters. I receive the exact same emails from a different pub. The first email subject line was “We don’t want to lose you”.
@Daniel Thanks and makes sense.
@Hero I, too, have had a few refresh consent emails where I have no memory at all of interacting with the company in question. Risky stuff if those companies don’t have record of consent.
The Nucco Brain’s cup of tea is referring to the “No, means No” campaign that uses offering a cup of tea as an analogy to explain sexual consent… Not the best taste from Nucco, in my humble opinion…
Hi Guys. Thanks for sharing some nice examples!
How are APPs dealing with GDPR consent? Some examples/analysis on this would be very well received.
Thanks – Jamie
Here’s a question… I may have missed it – but for those companies which offer an “I do consent” AND an “I do not consent” option in the repermissioning email…. what happens to those who don’t open / reply one way or the other?
It seems like those emails will get a higher click through rate… as they’re giving both options and people will inherently want to click on one or the other. but people who don’t open at all?
The companies could justifiably bucket them as consented … because they don’t need to repermission. but equally, to your point: those who don’t open the email at all are probably more likely to be un-engaged …
Would be interesting to know what they are planning (I doubt it is “keeping sending emails to those who haven’t replied until everyone has replied one way or the other”)
If you don’t reply, you’re considered as having said no consent.
Which just begs the question… whats the point of having the no consent option? Belt and braces approach I guess!
Maybe just in case some have very small prints saying that if you don’t answer they’ll consider it as a yes?
Indeed – could go either way. i guess its odd to me because in a world where everyone’s trying to create greater clarity… they’ve gone and given themselves a massive grey area. Maybe that was the plan… maybe it was an oversight!
@Charlie @Ingrid Just a thought. With the option to say “no”, the company gets an extra data point i.e. number of people that actively want out, who hadn’t yet unsubscribed. It shows how healthy or otherwise the list was, and how engaged or otherwise the recipients are.
I’m hoping to complete an interview with one of these companies so potentially more to come.
@Ben I agree. I’m more likely to consider letting them sending me emails if I feel that they’ve been honest and given me a real choice rather than pushing me to say yes by not having a no button. Let’s hope this works: have you noticed how many companies “unsubscribe” page doesn’t actually work (page not found)?
The problem with repermissioning emails or emails in general, you can’t guarantee delivery to their inbox. One persons inbox might be another persons spam folder. A lot of these repermissioning emails are wordy and can trigger spam filtering and you’ll likely never get permission from those that would still want to remain. You will lose a lot of people, that you wouldn’t otherwise.
You also have the problem of existing users that opted in, then flagging your repermissioning
email as spam and thus you get a mark down on your reputation with the email providing you are sending via, if you get enough of those your reputation is hit, especially if you are doing segment sending (breaking into different groups), then eventually all emails will go straight to spam. especially when spam DNSBL’s start becoming aware. Generally most providers only allowed 1 in 1000 spam complaints. I run free community site, i get users registering, then when they’ve got the welcome email after completing the activation email, they’ve flagged the welcome email as spam. No marketing whatsoever, just welcome to our service with useful helpful site information. As i use a third party service, i get notification of the address that clicked spam and they’re instantly removed and blacklisted then from using our service via that email address again, simply as spam law states, we’re not supposed to engage with them, even though they joined our service.
You also have old age recycling problem, as the database grows and years pass, many email addresses have been dropped by the original user and been assigned to new users (thus recycled), now you email them, you get flagged as spam. Keep engagement going to keep it fresh is the only solution.
You can’t do what flybe and honda, they broken existing law to ready themselves for new law, by sending repermissioning emails to people that had opt’ed out (unsubscribed) prior.
begs the question, if they are already opt’ed in using existing law, why are we asking to opt in again or opt out? Any future email should comply and let them opt out. Surely business as usual? We just need to ensure we comply and our T&C’s are concise, comply and our privacy policy is clear on how we use their data in simply form with no legal jargon.
One thing that appears to be absent from a lot of GDPR talk is how is impacts many free sites that like forums, free lost and found pet services and the like.
having an email address and password for a registered system is grounds for GDPR even for community websites like mine, that are free, don’t trade and don’t market any product or services. We talk about emailing mailshots from a marketing point of view, what about just good old simple email newsletters, with links to articles on our site, just to keep people informed and educated. 2 schools of though, people thinking GDPR revolves around businesses and marketing and they are excluded when they’re not due to data privacy laws still apply and people panicking and repermissioning for existing users for their existing database. These are the groups that need the most advice and clarity on it.
On Destination KX you question bundling a competition with consent, however this is consistent with ICO guidance that a benefit can be given to motivate consent and goes onto to state, “The fact that this benefit is unavailable to those who don’t sign up does not amount to a detriment for refusal, however, you must be careful not to cross the line and unfairly penalise those who refuse consent.”
The ASOS example uses ‘exclusive discounts and treats’ as it’s benefit to consent. After communication with the ICO they’ve made it clear that offering a 20%, 30%, 50%, etc discount is equally acceptable as stating ‘get an exclusive offer’, so it’s surprising more companies have not followed this route. I would argue the huge amount of email’s offering vague benefits like ‘exclusive discounts’ is much more unclear that simply stating exactly what the benefit is e.g. 20% off.
Perhaps the best example and most well known is BrewDog using the benefit of a free beer for consent – https://www.brewdog.com/lowdown/blog/one-million-beers-on-us
I’ve recently received a few examples of quite bad customer experience: H&M and Dyson. The emails I’ve received offer me to review the Privacy Policy and make opting-out or in complicated to find. Shame that they thought the complicated and time consuming way was the best option… Another extremely annoying experience is when you click on a link (opt-out for example) and then they ask you to connect to your account… If you ever bought only once it’s very likely you won’t remember your credentials and here again, you end up annoyed and wasting your time…