2019 Bookings up or down on 2018

Up, down, could be better? How to get more bookings is our number one obsession. Talk shop here.

Bookings for 2019 up or down compared to 2018

Poll ended at Wed Jul 17, 2019 7:06 pm

Up more than 30%
2
3%
Up 15-30%
5
7%
Up 1-15%
3
4%
About the same
17
22%
Down 1-15%
23
30%
Down 15-30%
26
34%
 
Total votes: 76

ianh100
Posts: 598
Joined: Thu Jan 10, 2013 4:37 pm
Location: Sherborne Dorset

Post by ianh100 »

I am pretty sure that GDPR applies to any business intending to sell products or services in EMEA, it applies even if the company is based outside EMEA. You have to get express permission to send marketing messages, I did try and mail all of my contacts before GDPR came in asking for permission to continue to send messages but almost none accepted.
Codliveroil
Posts: 156
Joined: Fri Jan 09, 2015 3:10 pm
Location: Algarve
Contact:

Post by Codliveroil »

I will agree that there are articles that argue both sides. The same arguments are there for cold calling by telephone* or the use of an IP** address to allow Google and Amazon et al to provide those awesome popups on your screen of items that you have recently been looking to buy.

What we can learn from both arguments is that GDPR was never set up with the purpose of regulating advertising but rather protecting an individuals data, such as name, address, telephone number, date of birth, gender, nationality, government issued ID and personal records such as tax, financial, medical, etc. when these items can be associated with an individuals identity.

I receive cold telephone calls, advertising by sms texts and scores of emails from many well known large companies, most of which I have never had dealings with, companies that have never asked me to "opt in" . They do it knowing that if their "lists" of email addresses are just standalone addresses without any data attached then they are not in breach of GDPR.


It is a simple task to export contacts to a mailing app and delete all data save for the standalone email address, so from that point forth there is no breach of data. What a person does with the data in their contacts list and how they keep it safe is what GDPR was set up for.

* isn't it ironic that the UK, (at least), it's the same in Canada and Portugal, specifically allows cold calling by telephone even though the telephone number can, by reverse look up, be attributed to a name, and an address, where an individuals gender can be gleaned together with demographics with Google Earth they might even see how many cars you own and what make, lol. But all this is okay, in law.

** A search on an IP address can reveal most of the above too if it is not made private.

We can debate to and fro to no avail, can any one quote the specific European GDPR law, with relevant references/links that prevents using standalone email lists in such a way?

PS: Thanks to those that continue to vote in the poll, it seems we are all pretty much in the same sinking boat.
User avatar
greenbarn
Posts: 6146
Joined: Sat May 30, 2009 6:41 pm
Location: The Westmorland Dales, Cumbria

Post by greenbarn »

From the ICO:
What are the rules on electronic mail marketing?

The rules on electronic mail marketing are in regulation 22. In short, you must not send electronic mail marketing to individuals, unless:

they have specifically consented to electronic mail from you; or
they are an existing customer who bought (or negotiated to buy) a similar product or service from you in the past, and you gave them a simple way to opt out both when you first collected their details and in every message you have sent.
You must not disguise or conceal your identity, and you must provide a valid contact address so they can opt out or unsubscribe.

For further information, see our guidance on direct marketing.
Here’s the link

You can spend many happy hours mooching around the ICO site and looking at the relationship between electronic marketing and GDPR, but you’ll arrive at the answer above; did you, when you first collected their details, give them a simple means to opt out of receiving marketing emails from you?
User avatar
CSE
Posts: 4414
Joined: Mon Nov 06, 2006 3:34 pm
Location: Galicia

Post by CSE »

GB, that last sentence should read
give them a simple means to opt in of receiving marketing emails from you?
surely?
Never try to out-stubborn your guests.
Codliveroil
Posts: 156
Joined: Fri Jan 09, 2015 3:10 pm
Location: Algarve
Contact:

Post by Codliveroil »

Thanks Greenbarn

Also from the same source: (Same page)

You must not send marketing emails or texts to individuals without specific consent. There is a limited exception for your own previous customers, often called the ‘soft opt-in’.

You can send marketing emails or texts to companies. However, it is good practice to keep a ‘do not email or text’ list of any companies that object.


Soft opt-in

The term ‘soft opt-in’ is sometimes used to describe the rule about existing customers. The idea is that if an individual bought something from you recently, gave you their details, and did not opt out of marketing messages, they are probably happy to receive marketing from you about similar products or services even if they haven’t specifically consented. However, you must have given them a clear chance to opt out – both when you first collected their details, and in every message you send.

The soft opt-in rule means you may be able to email or text your own customers, but it does not apply to prospective customers or new contacts (eg from bought-in lists).


So I should be good to go, well with my own "soft opt ins" and business addresses, and so should others. Corporately? Several businesses combining into one mail shot and combining standalone email addresses the question is does this flout the rules, I wonder?
The other sticking point is and you gave them a simple way to opt out both when you first collected their details sure I have a privacy policy link on my emails which explains how to opt out but only from 2018, before that then what? It does not clarify this point I can only assume that this rule applies to post 2018 and pre 2018 then grandfathered rights apply. Well it seems it does, I receive scores of personal emails from, Hyundai, Jaguar, Chrysler, because I bought vehicles from them 8 years ago and the same from Ford, GM and Honda because I didn't buy from them! I never opted in or was offered at that time an opt out method because in those days this did not exist. I also receive marketing emails from Staples, Continente, La Roudete, and dozens more that I have never done business with or even made an inquiry and I have no idea where they got my email from?
I also regularly receive emails from Premier Inn, Shearings, Coast and Country, and a dozen or so Private Hotels several car rental companies, all used long before 2018. No opt out offered in those days either.

A standalone email address is not personal data if a person cannot be identified by it. From the same source:

What is personal data?
The GDPR applies to the processing of personal data that is:
wholly or partly by automated means; or
the processing other than by automated means of personal data which forms part of, or is intended to form part of, a filing system.
Personal data only includes information relating to natural persons who:
can be identified or who are identifiable, directly from the information in question; or
who can be indirectly identified from that information in combination with other information.
Personal data may also include special categories of personal data or criminal conviction and offences data. These are considered to be more sensitive and you may only process them in more limited circumstances.
Pseudonymised data can help reduce privacy risks by making it more difficult to identify individuals, but it is still personal data.
If personal data can be truly anonymised then the anonymised data is not subject to the GDPR. It is important to understand what personal data is in order to understand if the data has been anonymised.
Information about a deceased person does not constitute personal data and therefore is not subject to the GDPR.
Information about companies or public authorities is not personal data.
However, information about individuals acting as sole traders, employees, partners and company directors where they are individually identifiable and the information relates to them as an individual may constitute personal data.
What are identifiers and related factors?
An individual is ‘identified’ or ‘identifiable’ if you can distinguish them from other individuals.
A name is perhaps the most common means of identifying someone. However whether any potential identifier actually identifies an individual depends on the context.
A combination of identifiers may be needed to identify an individual.
The GDPR provides a non-exhaustive list of identifiers, including:
name;
identification number;
location data; and
an online identifier.
‘Online identifiers’ includes IP addresses and cookie identifiers which may be personal data.
Other factors can identify an individual.
Can we identify an individual directly from the information we have?
If, by looking solely at the information you are processing you can distinguish an individual from other individuals, that individual will be identified (or identifiable).
You don’t have to know someone’s name for them to be directly identifiable, a combination of other identifiers may be sufficient to identify the individual.
If an individual is directly identifiable from the information, this may constitute personal data.
Can we identify an individual indirectly from the information we have (together with other available information)?
It is important to be aware that information you hold may indirectly identify an individual and therefore could constitute personal data.
Even if you may need additional information to be able to identify someone, they may still be identifiable.
That additional information may be information you already hold, or it may be information that you need to obtain from another source.
In some circumstances there may be a slight hypothetical possibility that someone might be able to reconstruct the data in such a way that identifies the individual. However, this is not necessarily sufficient to make the individual identifiable in terms of GDPR. You must consider all the factors at stake.
When considering whether individuals can be identified, you may have to assess the means that could be used by an interested and sufficiently determined person.
You have a continuing obligation to consider whether the likelihood of identification has changed over time (for example as a result of technological developments).
What is the meaning of ‘relates to’?
Information must ‘relate to’ the identifiable individual to be personal data.
This means that it does more than simply identifying them – it must concern the individual in some way.
To decide whether or not data relates to an individual, you may need to consider:
the content of the data – is it directly about the individual or their activities?;
the purpose you will process the data for; and
the results of or effects on the individual from processing the data.
Data can reference an identifiable individual and not be personal data about that individual, as the information does not relate to them.
There will be circumstances where it may be difficult to determine whether data is personal data. If this is the case, as a matter of good practice, you should treat the information with care, ensure that you have a clear reason for processing the data and, in particular, ensure you hold and dispose of it securely.
Inaccurate information may still be personal data if it relates to an identifiable individual.
What happens when different organisations process the same data for different purposes?
It is possible that although data does not relate to an identifiable individual for one controller, in the hands of another controller it does.
This is particularly the case where, for the purposes of one controller, the identity of the individuals is irrelevant and the data therefore does not relate to them.
However, when used for a different purpose, or in conjunction with additional information available to another controller, the data does relate to the identifiable individual.
It is therefore necessary to consider carefully the purpose for which the controller is using the data in order to decide whether it relates to an individual.
You should take care when you make an analysis of this nature.
User avatar
greenbarn
Posts: 6146
Joined: Sat May 30, 2009 6:41 pm
Location: The Westmorland Dales, Cumbria

Post by greenbarn »

CSE wrote:GB, that last sentence should read
give them a simple means to opt in of receiving marketing emails from you?
surely?
CSE I believe that is now the case, unless a customer has recently purchased something.

The wording in the document
you gave them a simple way to opt out both when you first collected their details and in every message you have sent
effectively allowed a business to contact past customers for whom they legitimately held contact details and who had not ticked a clear opt out box at that time (ie they’d done a soft opt-in), and as part of that contact (or even its sole purpose), invite them to opt in and update their preferences for future mailings. Hence the flurry of emails we all received at the time asking us to opt in to mailings from companies we’d forgotten all about!

I’m no lawyer and I have very little further interest in this topic beyond sticking to the lines of having a mailing list that consists only of guests with a current hard opt-in. The reality is that if someone decides to mass email past guests and those emails don’t conform to the electronic marketing regulations, they will get away with it unless some of the guests report them to the ICO; although that’s a fairly simple process, how many people would choose that path rather than using the obligatory Unsubscribe? Of course, when you unsubscribe but the business keeps sending regardless, involving the ICO is a no-brainer...
AndrewH
Posts: 1499
Joined: Thu Sep 12, 2013 1:17 pm
Location: Kefalonia, Greece
Contact:

Post by AndrewH »

greenbarn wrote:...The reality is that if someone decides to mass email past guests and those emails don’t conform to the electronic marketing regulations, they will get away with it unless some of the guests report them to the ICO; although that’s a fairly simple process, how many people would choose that path rather than using the obligatory Unsubscribe? Of course, when you unsubscribe but the business keeps sending regardless, involving the ICO is a no-brainer...
+1
The ICO (Information Commissioner's Office) does have teeth and can bring criminal prosecutions based on complaints received from the public and which can lead to the imposition of fines. However, I doubt the ICO would go that far unless there were numerous complaints made against a single offender who is sending marketing emails to identifiable individuals.

Also, the ICO is a UK organisation. Those of us who live and operate outside the UK are beyond its reach.
Post Reply