GDPR, Consent and Robots

Jul 27, 2018

Paul Shriner


Recently, I was on a website of a brand that I like and I signed up for an email newsletter. Instead of asking for explicit consent for permission to email me, it requested that I confirm that “I am not a Robot.”

What is consent?


Consent is a beautiful thing in digital marketing. It is the agreement and social contract between the subscriber and the brand. When you purchase a home you receive a deed to that house which proves you are the owner. Consent is the deed to the ownership of the subscriber relationship. It is often written in the first person. For example, a signup form says something like, “I would like to receive future offers from Cheese of the Month club.” When the subscriber leaves a checkmark on the form and submits, they are adopting that statement as their own. Explicit consent is made.

The email marketer now has that deed to the relationship. To be GDPR compliant, everything that the subscriber agreed to should be stored in the database on the subscriber record. These subscriber records should be readily available and easy to produce. They protect the marketer in the case that a subscriber challenges the right to email him/her. For a subscriber, consent should be explicit to what he/she is opting in to, stating the programs he/she will be enrolled in.

Maybe I am a robot?

In the above case, the only option that I had to consent to was that “I was not a robot.” This was both unclear consent and probably a violation of GDPR. This checkbox presented me with one option: I could affirm that I was not a robot. There was no choice to consent to receive their content.

Regarding the question as to whether or not I am a robot, at some level, there is a part of me that does question my existence. Maybe at my rawest form, I am a robot, maybe we all are. The interesting thing about this situation is that once the checkbox was selected, it was disabled and could not be unselected. Had I betrayed my best self and maybe, in fact, I was a Robot.

The General Data Protection Regulation (GDPR) is based upon returning control of subscriber information back to the individual. The entire GDPR is about establishing consent and what the consequence is to those who violate it.

Under Article 16 of the GDPR, I have the right to rectification, which is the ability to correct the information that I have submitted. When asked to confirm that I was not a robot, after clicking the checkbox, I was unable to unselect it. This was the only form element beyond an email address; my inability to unselect the checkbox made my consent unclear.

Additionally, the checkbox was being controlled by a piece of script running on the signup web page. The script tracked my mouse movements to classify me as human. Yes, a Robot had engaged in an automated decision. According to Article 22, I “have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.”

If you have concerns about whether this checkbox is collecting PII about robots, it is not. According to Article 4 of the GDPR, “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’);” and as robots are not people, marketers are free to collect as much info about robots as they like.

In the above example, consent is unclear for several reasons:

  • The form for consent was poorly defined, exposing the organization to legal liability and unnecessary risk.
  • Poor User Experience design on the brand’s part. Unclear consent language on the signup form creates an unclear relationship with the subscriber and may impact the marketer’s permission to email them.
  • I may actually be a robot, still (J/K, maybe?)

Why does consent matter?

Although rare, a subscriber could challenge their consent, for example:

Let’s say that our subscriber is an attorney with questionable behavior who forgets that he opted in to your mail. He receives your mailing in his inbox and, rather than clicking unsubscribe, decides to file a GDPR lawsuit to recoup the emotional damages for receiving an unwanted email in his inbox.

You, the email marketer, have the exact time that the subscriber opted in, and the program. You produce that record because it is so readily available. Now, our “imaginary” attorney checks his calendar and realizes that the opt-in date was his signup and not an unsolicited SPAM email. Now, instead of a carefully crafted legal challenge with a possible attached fine, our attorney apologizes for his unwarranted behavior (unlikely I know, but here is hoping).

GDPR, The new path

On May 25, 2018, when the GDPR went into effect, the landscape of digital marketing changed. It required that all digital marketers become attorneys (and not good ones), and lawyers become marketers (and not good ones). At the center of that landscape is consent. Consent is critical to the relationship between brand and subscriber. The following GDPR recipe for consent is what every brand should follow:

  1. Discover all touchpoints where we could take leads and need consent.
  2. Engage your legal team to write consent into all subscriber agreements for all and in all applicable languages (The European Union alone has 24 official languages registered).
  3. Work in a CRM/Database to ensure all future data is stored following GDPR compliance.
    1. Reference the agreed upon consent form including the Time/Date stamp.
    2. Prevent CRM users from editing customer preferences post creation.
    3. Global opt out AND Consent
  4. Implement sign-ups that are compliant in all touchpoints and enable some integration to record data in CRM.

Although GDPR increases our workload in the near-term, it benefits the subscriber and will potentially have broad and long-term benefits. It basically outlines who should have subscriber data and who should not.

At AudiencePoint, we take data very seriously. Send Time Optimization is based upon data. We are the best in the world at identifying when the best time is to email someone. Implicit in that role is subscriber rights and data security. Data is the building block for the digital economy.

We will all have to be more creative and identify new compliant ways to benefit the subscriber, both for the robot and non-robot types out there.