How Do I Get Opt-In Consent for Sending Email, SMS, and WhatsApp?
Introduction
Getting a good grasp of GDPR guidelines for obtaining opt-in consent is essential for businesses looking to send marketing communications through Email, SMS, and WhatsApp. This article offers detailed insights on how to align with GDPR regulations and ensure your marketing efforts respect your audience's privacy.
Goal
This article aims to guide you on how to secure permission to send campaigns via Email, SMS, and WhatsApp to your audience while adhering to GDPR legislation.
Background
The General Data Protection Regulation (GDPR) is a privacy and security law that imposes obligations on any organization that collects personal data from residents of the European Union, as well as on organizations based in the European Union.
The GDPR's purpose is to ensure that organizations treat the privacy of individuals sharing "personally identifiable information" (or personal data) with utmost seriousness. It requires that only necessary data be collected, stored securely, and used appropriately.
Under GDPR, "personal data" refers to any information that can be linked to an identifiable individual, either directly or indirectly. This encompasses all information collected in the Customer Data Platform.
Is it All About Consent?
First, we need to differentiate between two types of consent:
- Marketing opt-ins (ePD)
- Consent to process personal data (GDPR)
"Marketing opt-ins" are regulated by the "ePrivacy Directive" (which will be replaced by the ePrivacy Regulation once it comes into effect). This ensures that you cannot "spam" individuals and outlines when and how you should request opt-ins. GDPR consents, however, pertain to obtaining permission to process personal data. For instance, you may process personal data because someone purchased a ticket to an event at your venue, but that doesn’t automatically grant you permission to send them marketing messages. GDPR governs the processing of personal data, while ePD oversees marketing communications.
Under GDPR, you don’t always need to seek approval before processing personal data. There are other "legal bases" for processing personal data, and the data controller (typically our customers) must select the appropriate basis for their specific purpose.
Other Legal Bases to Process Data
- Consent (The data subject has granted permission for the organization to process their personal data for one or more processing activities.)
  - Read below for how
- Performance of a Contract (The data processing activity is necessary to enter into or fulfill a contract with the data subject.)
  - Example: When you sell tickets for an event, this legal basis allows you to send communications related to that specific event.
- Legitimate Interest (Is this processing activity essential for the organization to operate? Does the processing activity outweigh any risks to a data subject’s rights and freedoms?)
- Vital Interest (A rare processing activity that may be necessary to save someone’s life.)
- Legal Requirement (A rare processing activity that may be necessary to comply with legal obligations.)
- Public Interest (A processing activity that would be conducted by a government entity.)
For commercial entities, legal bases 1 and 2 are the most commonly applicable.
How to Ask for Consent?
The GDPR stipulates that consent must be:
- Freely given (Avoid pre-checked boxes and always allow people to opt-out. Respect their choices.)
- Specific (Clearly request consent for particular channels (SMS/Email/WhatsApp))
- Informed (Inform the subscriber about how their data will be used. This should be included in the Terms & Conditions / Privacy Policy, with links provided.)
- Unambiguous (Use clear and straightforward language to explain everything.)
- Expressed (Make it clear, e.g., “I understand and accept…”)
- Granular (Only claim consent for the areas where it is given.)

Specific Channel Guidelines
For all channels:
- Clearly identify the sender.
  - Email address should include the customer’s domain.
  - WhatsApp account should display the customer’s name.
  - SenderID for SMS should reflect the customer's name (in regions where SenderID cannot be alphanumeric, use greetings with the company name).
- Provide a straightforward and clear opt-out option.
  - Email: Include an unsubscribe link to the CDP or address book or a custom unsubscribe page.
  - SMS: Add an opt-out tag (No-S.MS) or a custom unsubscribe page.
  - WhatsApp: Include a STOP keyword linked to the chat flow.
  - For all: This is best achieved when combined with a CDP.
- Avoid sending messages at inconvenient times.
  - Email: There are no strict limitations.
  - SMS/WhatsApp: While there are no laws, it’s good practice to refrain from sending messages between 8 PM and 8 AM. If not necessary, avoid sending on Sundays and public holidays.
  - In France, sending marketing messages is prohibited between 20:30 and 08:00 GMT+1, on Sundays, or on public holidays.
Articles to Share with Your Customer:
- Opt-in policies for Text messaging: https://www.cm.com/blog/opt-in-text-messaging/
- GDPR: https://www.cm.com/blog/mobile-marketing-in-a-gdpr-era/
- Country-specific regulations for SMS: https://www.cm.com/blog/sending-international-sms-country-specific-rules-regulations-and-habits/