• by Sean Hargrave , Staff Writer, May 15, 2018

Any other marketing nerds closely examining the deluge of repermissioning emails flooding everyone's inbox right now? Hopefully so, or that means it's just me wondering why so few are getting it right.

There are just ten days to go now until GDPR becomes law, and you would imagine from the flood hitting everyone's inboxes that companies have only had May to prepare. The truth is they've had the last two years, but have largely avoided the subject until the very last moment. Can it be any coincidence that this is also the week when GCSEs begin? That panic of a date suddenly looming and excuses being made -- even though the day of reckoning has been looming for two years -- must be familiar to both sixteen-year-olds as well as executive boards right now.

So what are companies getting wrong? In a nutshell, there's a really useful line in the ICO's guidance to GDPR and explaining it to the public. You have to use language that is very clear and simple to understand. I don't know about you, but the majority that I receive appear to have been from a law student who has swallowed a book and decided to spew out legalese.

So many clauses, so many legal phrases. How is anyone supposed to understand what is being asked of them?

A few have been getting it mostly right. There's a quick line that the law is changing and the company needs a click on the "Stay in Touch" button to carry on bringing each person a list of latest offers. It's to the point and simple. But is it too simple?

This is not a scientific study, it's my own observations at play here, but I can't think of a single company that has solicited consent from me under the higher hurdle set out by the GDPR. 

Companies have typically failed to tell me whether they intend to share my data, and if so, with whom. Many, but not all, have also failed to get granular permission to each different type of communication and they have failed to let me know whom I can contact to get clarification on how I can reach out if I want to find out what data is held on me and require deletion or rectification.

This need not be done in a snappy email -- it can be achieved on the landing page. However, it should appear before I click "yes" or whatever wording is in the email to make sure a company can keep in touch with me.

All I usually get is a "thank you for staying in touch" message. There is no clarification of what I'm signing up to and why and there is no link to a renewed privacy notice, should I want to check it out. A couple of sites say there is a preference centre when I can drill down into what I'm giving permission for, but this isn't good enough. GDPR needs a clear demonstration that each person has signed up to each use of their data. It is the brand that needs to show us what the data is being used for and seek repermission for each use. A general "yes" being applied to uses we are not made aware of simply isn't good enough. It isn't our responsibility to do this for the brand, and companies have to do this for us.

So is it just me? It just appears that nearly all companies are simply repermissioning on the grounds of what permission looked like before GDPR. 

If so, does that mean the dozens of brands begging to keep in touch I deal with each day are just wasting their time? It seems to me they are regaining consent that no longer passes the GDPR's raised requirements.

We could argue all day about how visible the revised privacy notice has to be and how clear contact details for seeking rectification need to be. 

However, companies have nowhere to hide in not seeking granular consent and not making it clear if I give permission whether my data will be shared with someone else. There are very basic and very stupid mistakes for countless brands to be making. 

They have repermissioned me -- but only under the old rules, not the new ones that prompted the repermissioning effort.