Privacy and data protection issues do not present themselves in any particular order, so when starting out as a data protection officer, one has to be able to address the most pressing privacy issues “on the fly” while simultaneously moving methodically through a GDPR-readiness program.

For the IAPP, the most common method of communicating with members, potential members, Daily Dashboard subscribers, product and service consumers — everyone — is via email. Consequently, one of our most pressing privacy issues is ensuring that we respect people’s email preferences and comply with anti-spam laws.

This post for the DPO Confessional walks through the somewhat perplexing issue of email marketing. It turns out building a system that manages an individual user’s email communication preferences — consistent with a variety of privacy regulations and best practices — requires excellent internal teamwork and a fair amount of technical duct tape.

Spam

In the United States, laws to place limits on unsolicited commercial email — also known as “spam” — were among the early privacy-related statutes. The U.S. Congress passed the Controlling the Assault of Non-Solicited Pornography and Marketing (“CAN-SPAM”) Act in 2003, seeking to pre-empt myriad conflicting state laws and create a national uniform standard for commercial email communication.

The CAN-SPAM Act places restrictions on “commercial electronic mail messages.” A commercial email is an “electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service (including content on an Internet website operated for a commercial purpose).” This excludes a “transactional or relationship” message.

Because “transactional or relationship” messages include completing or facilitating a previously entered commercial transaction, delivery of goods or services through a previously agreed purchase, and account statements and related notifications for subscriptions and memberships, many emails from the IAPP fall into this definition and are thus excluded from the act.

But, like other organizations, the IAPP is interested in attracting new customers and would like to invite all privacy professionals to enjoy membership in our organization, as well as our other products, services and events. This means reaching out to people who may be new to the IAPP. Under what circumstances may the IAPP send an unsolicited email to a new contact?

Significantly, U.S. law does not prohibit sending an initial commercial email, even in the absence of consent. The email message and its subject header must not be deceptive or misleading, the sender’s identity must be accurate and its postal address provided, and the message must announce itself as commercial in nature, but the CAN-SPAM Act does not require explicit or implicit consent before sending the message. Instead, any commercial message must contain a mechanism — such as a return email address or an “unsubscribe” link — that “clearly and conspicuously” allows the recipient to opt-out of receiving future emails.

If at any time, the recipient provides consent for receiving commercial emails, the sender no longer must notify the recipient that the message is an advertisement or solicitation, but a physical postal address and opt-out/unsubscribe are still required.

Consent required under CASL

Canada’s anti-spam legislation (CASL) came into effect in July 2014 and takes a stronger stand against unsolicited email commercial or promotional communication. CASL expressly prohibits sending a new commercial message unless the recipient has “consented to receiving it, whether the consent is express or implied.” The message must also identify the sender, contain the sender’s contact information, and have an unsubscribe mechanism.

These obligations — including prior consent — do not apply if the email is regarding or facilitating a commercial transaction the recipient has previously agreed to, delivers a product or service, or provides “notification of factual information” about a purchase the recipient has made or her ongoing membership.

Express consent requires “clearly and simply” setting out the purpose for seeking consent, which involves a “positive or explicit indication” either orally in writing. The sender must provide his identity, as well as contact information that remains valid for at least 60 days and a postal address. Express consent does not expire, although it can be withdrawn.

Implied consent is trickier, of course. Consent may be implied if the recipient has conspicuously published her email address or has provided it to the sender — without stating a wish not to be contacted — so long as the message to her is relevant to her “business, role, functions or duties in a business or official capacity.” Consent may also be implied if the sender and recipient have an “existing business relationship.”

The “existing business relationship” factor presumably establishes implied consent for ongoing email communication. Thus, if a Canadian IAPP member is considered to have an “existing business relationship” with the IAPP, we may send emails regarding membership — but also other products, services and events pertinent to that membership — under the implied consent factor. This would be simple, except that CASL imposes a time limit on such communication of two years from the date of implied consent.

Many marketing automation and customer communication services contemplate that a contact may not want to receive communication, but they tend to be binary — either the recipient can receive an email or she can’t. When CASL came into effect, the IAPP was compelled to customize its membership and customer databases (Salesforce, Marketo) to accommodate: (1.) the need to identify contacts who have given express consent (no expiration); and (2.) the need to identify contacts who have given implied consent so that the consent expiration date (two years from the initial contact) is automatically programmed. This also included adding a field to explicitly identify those who reside in Canada to trigger application of special rules.

In the case of a corporate membership account, moreover, individuals’ names and contact information may be added to our databases by a single administrative contact working for the same employer. Thus, certain members are in our database but may not have provided explicit consent, although they may be treated as having given implied consent at a minimum through their existing business relationships. Addressing this challenge requires group meetings involving IAPP staff from multiple departments and ultimately a combined technical solution (programming logic into the Marketo and Salesforce systems) and communication with individual members who are on a corporate account.

Here is an excerpt of a policy adopted by our technical team — lead by IT Manager Thomas Jarvela with input from Content Manager Emily Leach and many others — to ensure CASL compliance for IAPP members who come into our database as part of a corporate (group) membership:
Create Consent Record for Canadian Corporate Members

CASL Consent records are created for individuals with purchase history or with individual memberships. Corporate members who have done neither of these things and are not subscribed to any publications do not receive communications (even if the IAPP is allowed to reach out to them under CASL).

Managing consent records for these individuals is problematic for several reasons. The easiest solution is to create a consent record upon an individual being added to corporate membership. This provides two years of consent to contact the individual.

If individuals remain on the corporate roster, CASL consent must be extended throughout their membership through a manual creation of new consent records as necessary.

And so it was that even before I had time to launch into GDPR readiness, the issue of email communication thrust me quickly into the world of marketing and operational communication strategies, and how IAPP tackles privacy by design.

GDPR

The GDPR does not, of course, expressly regulate unsolicited email communication, like CASL or CAN-SPAM, but instead broadly governs the processing of personal data for any purpose. The analysis begins with determining that an email address is “personal data,” which is defined as “any information relating to an identified or identifiable natural person.”

Next, Article 5 requires that a controller collects personal data for a “specified, explicit and legitimate purpose” and processes personal data “lawfully, transparently and fairly.” (For purposes of this post, our analysis focuses on those prongs of Article 5 and not the restrictions against further processing or accuracy.)

For the IAPP’s email communication purposes, the bases for lawful processing under Article 6 are either: (1.) to the extent that the data subject has given consent; (2.) as necessary for the performance of a contract; or possibly (3.) for the purposes of pursuing the IAPP’s or a third party’s legitimate interests.

Many email communications, as discussed above, involve fulfilling the benefits of IAPP membership or some other order submitted for IAPP goods or services, including registering for events or subscribing to publications. In those instances, there is little ambiguity regarding the data subject’s desire to be communicated with.

For new contacts — “leads,” in marketing parlance — the analysis is slightly different. Consent is defined under Article 4 as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of” his or her personal data. The Recitals suggest that “ticking a box” on a website or another statement or conduct constitutes consent, while “silence, pre-ticked boxes or inactivity” do not. Under Article 7, moreover, a request for consent must be presented in a manner “clearly distinguishable from other matters” in a form that is “intelligible,” “easily accessible” and in “clear and plain language.” The data subject must be informed of her right to withdraw consent, which shall be as easy to accomplish as giving consent.

Whether reaching out to a new potential customer or member is a “legitimate interest” is unclear under the GDPR. Rich debates on the IAPP’s privacy listserv have explored the topic of whether a business’s fundamental interest in being financially successful and keeping its employees on the payroll constitutes a “legitimate interest” for marketing data processing. The consensus seems to be that it is a risky hook on which to hang data processing practices, especially in the absence of a consensual business relationship with the data subject, but no one is able to say with certainty how the Article 29 Working Party, the European Data Protection Supervisor, a data protection authority or a tribunal will ultimately interpret this basis.

The hierarchy of legal basis for email marketing communications seems to be similar to the way Canada approaches it, namely, that an existing business relationship generally constitutes a lawful basis for communication particularly in fulfillment of a specific request. That relationship probably also provides at least implied consent for offering additional and related products and services to the existing customer.

For the avoidance of doubt, of course, explicit opt-in to anything that can be deemed a marketing or sales communication is best practices. Under all circumstances, other than purely operational communication (e.g. order fulfillment), providing an opportunity to withdraw consent for future processing/communication is crucial.

The privacy statement — or other notice accompanying the communication — must also inform data subjects of their opt-out and other rights under the GDPR. (Not addressed in this post but equally important are compliance with requirements regarding notice to data subjects, transfers of personal data to third parties and appropriate security measures to prevent unauthorized use of the recipient’s email address.)

The GDPR does not allow controllers a period of time to acknowledge an opt-out request. One interesting issue we have already encountered is what to do with an opt-out request when it is accompanied by an erasure request (“delete my account, refrain from all future communication and confirm that these things have been accomplished”). Complete deletion of all contact information creates the risk that the contact may accidentally hear from the IAPP again, so the recommendation is that information crucial to honoring the opt-out be suppressed rather than permanently deleted.

ePrivacy Directive

The ePrivacy Directive, soon likely to be replaced by the ePrivacy Regulation, requires express consent for email marketing communication. Express consent is not necessary if the email sender obtained the email address “in the context of the sale of a product or service,” provided the follow-on email communications are for similar products or services and the recipient is given an opt-out option. The opt-out option should be available at the time of initial sale and in each subsequent communication.

The IAPP’s risk

The risk to a data subject’s fundamental rights and interests are not terribly high in the context of sending a marketing email. The data subject can easily delete the message and, if the notice and opt-out procedures are clear and easy to follow, can engage in self-help to prevent future unwanted communication. The IAPP is not, in this particular example, collecting special categories of information, and the type of products, services, and publications we are providing by email are generally of great interest to our recipients. Nonetheless, our email recipients are privacy professionals — the population with the most heightened awareness of their own rights and the IAPP’s legal obligations. We are also expected to model best privacy practices.

We are working as a team to do just that. And, as always, we count on our members to point out ways we can improve. Comment on this post, or contact the DPO at dpo@iapp.org.