GDPR, competitions and compers
You’ve probably heard the letters GDPR mentioned an awful lot lately! It’s General Data Protection Regulation and came into force across Europe on 25th May 2018.
What is GDPR?
GDPR is a regulation on data protection and privacy for all individuals within the European Union. If a business processes personal data, they must have a lawful basis to do so – obtaining consent is just one of these. Another, simpler, lawful basis which many businesses are relying on is legitimate interests where it’s OK to send marketing to existing customers, as long as there is a clear opt-out included.
Businesses should obtain consent from new customers to send them marketing materials (email or post), or have their details stored. In addition, businesses must be able to show how and when they obtained consent. Because it’s a regulation, it is legally binding – meaning a business that fails to comply could get a huge fine of up to €20 million or 4% of global turnover!
Individuals can ask businesses exactly what information they have about them, who it is shared with and what it has been used for. They can also ask for all their information to be deleted (the “right to be forgotten”).
If you subscribe to a lot of mailing lists you’re probably already receiving emails from quite a few! They want to check that you’re still interested in hearing from them – and you will need to complete an affirmative action in order to continue to receive email updates (ie. you will be asked to click a link to subscribe, rather than to unsubscribe!). In most cases, you will automatically be removed from their records UNLESS you take action by clicking a link, replying to an email, etc. However, as mentioned above, the legitimate interests basis means that businesses do not have to ask you for consent – as long as they provide an option for you to opt out or unsubscribe from future correspondence.
Will GDPR affect prize draws and competitions?
One of the things we commonly see on an entry form (online or printed) is a tick box stating ‘Please tick if you want to hear from us in future’. Confusingly, on many of these forms it might say ‘Please tick if you DON’T want to hear from us in future’. Or the box itself might already be ticked – and you have to untick it if you don’t want to subscribe to their mailing list!
This has always been misleading and confusing, and GDPR aims to simplify things by only allowing an affirmative opt-in action. ie. You MUST tick a box to allow the company to contact you – they cannot assume that by entering a prize draw or competition, that you want to be contacted again in future (unless of course, you’re the winner!)
Most importantly, this will see the end of pre-ticked boxes or small print that states your details will be passed on to third parties – the awful feature on many survey websites (please note the examples below are from two websites I would NEVER recommend you use!)
So, a prize draw entry form with ‘By entering this prize draw, you will be subscribed to our mailing list and can unsubscribe at any time’ in small print below will no longer be permitted (see example below from Myoffers.co.uk).
Instead, there should be a empty tick box which the entrant must tick to opt in to further communication. Entering a prize draw and joining a mailing list should be treated as different actions, and not combined – the entrant completes a form to enter the prize draw (and accepts the T&Cs), then if there’s an option, they can choose to tick a separate box to receive further information.
So, prize draws where you can’t enter without ticking a box to opt in will no longer be allowed (see the example from TopFox below).
It remains to be seen how GDPR will affect automatic entry prize draws too – Swipe to Win as an example, where you’re entered to win simply by purchasing a product (and might well be unaware that you’re even entered into a prize draw!). All Tesco’s current promotions are now text to win, suggesting that their ‘Buy Scan Win’ promotions have been retired.
Unfortunately, the GDPR regulations won’t be able to do much about the vast amounts of spam email we get – much of which is from outside the UK. You’ll have to rely on junk mail filters, and also flag any dodgy mail as spam when it arrives in your inbox. If you’ve received a spam email from a UK-based company, you can report it to the ICO.
If you have a concern about the way an organisation is handling your personal information, you can contact the ICO to investigate.
I’ll keep this blog post updated as we discover more about the effects of GDPR on running prize promotions. Please leave a comment to let me know your thoughts!