The news of JD Wetherspoon deleting their customer e-mail database made waves in the privacy world. Instead of opting to promote themselves via e-mail, as is usual, the company decided to axe its e-mail newsletters citing risks to the individuals’ privacy and intrusiveness.
However, Wetherspoon experienced a data breach in 2015, which potentially affected its subscribers. It is likely they opted to minimise the amount of data they hold in order to prevent the risks of future breaches. This data minimisation process is welcomed by the GDPR, and Wetherspoon seems to appreciate it as well. The company will no longer run the risk of securing all this personal data for, as they perceive it, potentially insignificant gain.
The company says it will promote itself through various social networks and other outlets, instead of storing its customers’ data.
JD Wetherspoon’s choice is quite logical, in fact. The e-mail sign-ups they got might not satisfy the consent threshold as set in the GDPR. This would mean that, in the post-GDPR world, their marketing e-mails would for the most part be unlawfully sent and they would open themselves up to huge fines by the regulatory authorities.
Most companies will face this issue. Their mailing lists will invariably contain at least some e-mails obtained without proper consent. In some cases, consent has been obtained, but there are no relevant and trustworthy records. Such consent is also worthless in the eyes of the law.
So, if businesses do not derive much value from mailing lists, then deletion is a reasonable and the cheapest choice, in the short term at least. But when it comes to other kinds of businesses dealing primarily with online customers or clients, mailing lists are essential for any marketing operation.
Luckily, it does not have to be like that. There is a way to keep the mailing lists and carry on with regular promotions and updates.
What businesses can do instead is try to salvage at least some value from their mailing lists. Since the GDPR is all about opting in, companies can try sending e-mails asking its subscribers to re-evaluate and confirm their subscription.
The consent form should be updated according to the GDPR rules, of course. Afterwards, all confirmed e-mails are placed in a new, ‘sanitised’ mailing list, whereas non-responders should be removed from the list altogether.
Take care to obtain proper consent. The fines will be higher for repeat offenders, and in plenty of cases it will simply not be worth the risk. Still, consent practices are something most businesses will have to get the hang of. It is best to do it sooner than later, before the GDPR enters into force.
We expect that most users will be swamped by e-mails asking for consent as the GDPR implementation date nears. That is why we believe the best choice is to start preparing proper consent forms for mailing lists as soon as possible. Consent is valid even if it is obtained before the GDPR, if all the provisions are followed.