Tougher data protection rules will push up cost of email marketing

The EU will announce tougher rules for collecting information from consumers. Security pros can plan now for the new rules, expected in January 2012.

Tougher new rules governing the collection and storage of personal information will soon make it harder for businesses to collect information, experts warn, and will likely drive up the cost of email marketing campaigns.

Although full details have yet to be disclosed, the European Union is expected to announce in January 2012 that data protection guidelines across the region will be tightened to provide consumers with greater protection. 

The warning was spelled out Nov. 8 in a joint statement issued by EU Justice Commissioner Viviane Reding and the German Consumer Protection Minister Ilse Aigner. 

“In modernising the EU's data protection rules, we believe that consumers must be more empowered than they are today. Users should be in control of their data,” the statement read. “This is why, in our view, EU law should require that consumers give their explicit consent before their data [is] used. And consumers generally should have the right to delete their data at any time, especially the data they post on the Internet themselves.”

Key to the new rules is an expected requirement to gain explicit and informed consent from individuals before storing their data, as well as informing them of what data will be stored, and how that information will be used. Consumers will also have the right to be “forgotten” on the Internet, and have all references to themselves removed.

Although the UK’s Data Protection Act already requires companies to seek permission to use personal information, in practice this may consist of just getting individuals to select a box saying they agree to a long list of terms and conditions.

Alan Calder, CEO of Cambridge-based consultancy IT Governance, said the new regulations will mean companies have to seek more explicit and informed consent when collecting and using customers’ personal information. 

Calder said the new European data protection rules reflect a stricter approach to consumer protection adopted in Germany and Holland, which he described as being “anti-business.”

“It is already hard to buy email lists across mainland Europe. They are expensive and they are difficult to put together,” Calder said. “That means a key area of digital marketing becomes much harder. It will be more expensive for organisations to ensure individuals can have their information forgotten.”

However, Calder noted two benefits of the new rules: They will clarify the regulations for doing business across Europe, and establish minimum standards of consumer protection.

“There is good and bad in what’s being proposed,” he said, “but there is a danger that the good stuff will be outweighed by the bureaucratic, restrictive approach.”

The Reding/Aigner statement also sought to address emerging concerns around cloud computing and social networking, and how information stored in the cloud should be regulated. In a clear reference to companies such as Facebook, Twitter and Google that often seek to harvest data from their users, the statement indicated those companies' practices would face scrutiny as well.

“We both believe that companies who direct their services to European consumers should be subject to EU data protection laws,” Reding and Aigner said in the statement. “Otherwise, they should not be able to do business on our internal market. This also applies to social networks with users in the EU. We have to make sure that they comply with EU law and that EU law is enforced, even if it is based in a third country and even if its data are stored in a ‘cloud’.”

Kathryn Wynn, a data protection expert at London-based law firm Pinsent Masons, said it is difficult for companies to plan their responses to the new rules until the European Commission formally announces them in January. However, she said organisations shouldn’t be negatively affected if they are following the rules properly.

“Even at the moment, the bar is set quite high because the Data Protection Act says consent has to be unambiguous, fully informed and freely given. So you already have to be careful,” she said. “For those conscientious organisations that make an effort to comply, it may place an extra burden because they will have to delete information. But the Data Protection Act already says you should not keep data any longer than you need.”

Wynn welcomed the new rules concerning the right to have material deleted, saying young people especially may want to get rid of comments or pictures they may have uploaded on social networking sites earlier in their lives. She predicted there would be more rules to prevent employers spying on employees’ social networking pages. “That is becoming a live issue, especially in Germany,” she said. “We have rules about what questions can be asked during an interview process. But it’s quite easy to find information by looking on someone’s Facebook page.”
