Gigya is now SAP Customer Data Cloud. Learn more
Forrester logo Download the report

The Good, the Bad and the Ugly: GDPR “Last-Chance” Opt-in Emails

Marketers faced intense pressure in the days leading up to the General Data Protection Regulation (GDPR) enforcement deadline on May 25, 2018. In last-ditch efforts to preserve their European Union prospect databases, they sent a dizzying variety of “opt in” emails, hoping against hope for positive results.

In most cases, response rates disappointed. “With all the other companies doing the same thing, users are finding an unprecedented volume of consent-recollection messages in their mailboxes,” Lukasz Olejnik, an independent cybersecurity and privacy researcher and consultant, recently told the International Association of Privacy Professionals. “This short-term fatigue will inevitably result in mechanic clicks on ‘No, thanks,’ or outright ignoring the emails altogether.”

Aside from consent collection, these last-chance communications were a litmus test for businesses on another GDPR principle: being more transparent about personal data collection and processing practices. Even if they didn’t convince consumers to opt in, these emails had the potential to demonstrate a company’s commitment to offering unambiguous consent requests and clearly stating the purpose of their communications.

How did businesses do? Let’s analyze elements of these communications through a lens of transparency.

Opt-In 101: Missing the Mark

For consumers around the globe – and especially in the European Union – the GDPR has raised awareness about data and security issues. As a result, social media outlets buzzed with examples of opt-in emails from brands that missed the transparency mark, causing some embarrassing damage to their hard-earned reputations.

Even among companies with the size and budget to address GDPR requirements effectively, we saw three common issues:

  1. Misleading email subject lines. Some promised cheaper services; others used the old “RE:” ploy to trick readers into thinking the email was actually a reply to a personal message. While these tactics might boost open rates, they’re far from ideal when the goal is to build trust, show transparency, and opt in readers.
  2. Bundled consent requests. Many companies tried to get consent for terms of service, privacy policies and marketing communications in one fell swoop. The results only served to confuse readers. Others tried to bundle their requests with a promotion, confusing and angering many readers, since the only way to take advantage of the promotion was to sign up for marketing communications they didn’t even want.
  3. Lack of a clear opt-out choice. Many companies just pushed the envelope too far in their attempts to get prospects to opt in. Some less savory tactics included:
    • Presenting only an “opt in” choice
    • Offering two choices: agree to receive all communications or a reduced amount
    • Presenting dominant, colorful opt-in buttons and relegating the opt-out button to a small, hard-to-find rectangle   

All of this highlights a lack of understanding that still exists in the marketplace. At its core, the GDPR is about putting the consumer in control, even if it means them walking away. In their rush to address GDPR requirements, many companies violated the spirit of the regulation.  

Opt-In 101: Hitting the Target

In its Guide to the the General Data Protection Regulation (GDPR),  the UK’s Information Commissioner’s Office (ICO) said requests for consent should be: “prominent, concise, separate from other terms and conditions, and easy to understand.” The ICO also said each consent request should explain why you want the data and what you will do with it.

Last-chance communications that met these requirements included:

  • Clear descriptions of the offered marketing communications, including their purpose and frequency
  • Intelligible explanations of the data being collected and how the company would use it
  • 100% un-ticked consent boxes
  • A privacy statement link
  • Notice of the right to withdraw consent at any time
  • Clear functionality for opting out
  • Notice that recipients who didn’t respond would be automatically opted out

While it’s true that communications with these elements may not have benefited from higher opt-in rates, they at least demonstrated that the senders prioritize consumer privacy and are prepared for GDPR compliance.

Takeaways from the Opt In Extravaganza

With the GDPR now in effect, transparent data collection and processing is a digital experience imperative. How can your business reach this new level of transparency? Develop a holistic strategy for centrally managing all aspects of your customers’ profile, preference and consent data throughout their full lifecycle with your business.

It starts at the initial point of preference and consent capture. The “right to be informed” requires companies to notify their customers about the collection and use of their personal data at the time it’s collected. In most instances, you must provide individuals with your purposes for processing their personal data, how long your business will retain that data, and with whom it will be shared. Designing a holistic approach to providing this information at every point where consent is captured in concise, easy-to-understand language – from initial cookie, to full registration, to first purchase and return visits – will help you address GDPR requirements while demonstrating your commitment to your customers’ privacy and well-being.

When a consumer entrusts his or her profile, preference and consent data to your business, store it in a centralized and secure environment to satisfy auditors and honor requests from customers to view, update, delete or freeze processing of their data in a timely manner.

Maintain up-to-date consent record versions throughout the customer lifecycle to ensure accurate enforcement across the business. Terms of service and privacy policies change. Communication frequencies shift. Rather than trying to manage all of these different data points in multiple silos, centralizing these functions in one place makes it easier to:

  • Track what communications and activities customers have given permission for
  • Satisfy audits and consumer requests for data
  • Trigger renewals of consent when needed

If any brand, property or downstream application or service isn’t meeting these requirements, the entire organization is at risk of large penalties, not to mention breaking their customers’ trust. The onus is on the business to enforce consumers’ consent settings and preferences and honor them at every touchpoint. With each customer’s consent and preference data stored in a single, unified record, enforcing his or her wishes across the digital ecosystem becomes much easier.

Lastly, centralizing this data can power a more intuitive and complete preference center for customers, enabling them to easily view and manage their data. Through this interface, customers can give or withdraw their consent, change their preferences, and correct their profile information. They’ll feel respected and in control, and your business will stay out of harm’s way because their changes will be enforced across the organization.

Want to Learn More?

The GDPR has changed the game when it comes to managing consumer preferences and consent. It incentivizes businesses to abandon inference-based, opt-out strategies in favor of providing a transparent experience for consumers that includes unambiguous consent choices and offering an intuitive way to manage their own experiences, even if it means offering them a way out.

In this new era, the emphasis is on customer data value, not volume. When a consumer chooses to opt in, he or she is putting trust in the business. A holistic strategy for honoring that trust and enforcing his or her wishes across the enterprise is a core capability for businesses looking to be more transparent and to unlock new potential in a crowded, customer experience-driven marketplace. To learn more about this strategy, download our SAP Customer Consent product brief.

By Natalie Monetta

Meet us at

Gartner IAM
Las Vegas

December 3-5, 2018

View Event >
Gartner Summits - Join us December 3-5, 2018 | Las Vegas, NV

Gigya has updated its Privacy Policy as Gigya, Inc. has been acquired by SAP America, Inc. and Gigya has updated the information regarding how we collect and use your Personal Data. You can see the updated Privacy Policy here.