Best Practice Example: Hilton Honors Starts GDPR B2C Repermissioning Project

Hilton Honors has started a repermissioning project for members of its loyalty program. With the GDPR deadline less than 4 weeks away, it’s a surprisingly rare example of an international company launching a repermissioning project.

Companies are not required to update their customer permissions if the pre-existing process already meets the higher GDPR standard. However, many companies have relied on broad ‘improve our services’ permissions in the terms and conditions of their websites to collect customer data. GDPR requires explicit permission for specific uses. Pre-checked boxes, which have been a standard tactic for most companies, most of the time, are not GDPR compliant.

Also, many marketing and customer databases have been built up from several sources, so sales and marketing, Human Resources, and even finance departments will need to verify the source and the compliance of each data set. In cases where consent for a specific purpose is not clear, the customer data cannot be used without first obtaining consent. One difficulty that has not been mentioned is that contacting customers without permission in order to ask permission to contact them may itself be a GDPR breach.

So re-permissioning campaigns need to be conducted prior to the GDPR deadline of May 25th, while it is still legal to contact customers.

Where existing permissions don’t meet the higher GDPR standards, and a company cannot prove that the higher standard is met, the company needs to stop using the customer data and delete it.

So expect many more repermissioning campaigns over the next few months.