PricewaterhouseCoopers has provided a solid example of what a business-to-business re-permissioning email for GDPR compliance should look like. The email clearly explains why PwC is asking permission to continue to send emails and what type of information will be sent. It also makes it clear on multiple occasions that permission can be rescinded at any time. There’s no self-promotion in the email about how great their own emails are; it’s just focussed on factual information. Finally, the options are very clearly indicated by buttons on the email.
The PwC email does state that the company will try two more times – but does not clearly explain that repeated requests are related to the GDPR deadline.
Companies are not required to update their customer permissions if their sign-up process was already GDPR-compliant. However, it’s unlikely many companies have explicit permission for the specific uses. Many companies did not use permission boxes, and many have relied on broad permissions in the terms and conditions of their websites to collect customer data. While PwC may not fall into any of those categories, they definitely fall into the category of ‘better safe than sorry’.
A re-permissioning email that follows best practices:
- mentions GDPR specifically, and explains that the GDPR threshold for permission might not have been obtained when the subject was added to the mailing list
- explains what type of content will be emailed in the future, without over-promising
- clearly provides options to accept or reject
- explains that it’s possible to opt out later
- clearly explains that other attempts will be made to get confirmation due to the GDPR deadline
- clearly states that there will be no further emails after the GDPR deadline, but without being overly dramatic
- provides contact details for additional clarification, right to be forgotten, right to be informed
The PwC re-permissioning email is not perfect but follows many of the best practices.