Discussion
We own several hairdressing salons and have recently dipped our toe in Facebook, late I know but that's another story. Anyway the latest posts have generated a moderate amount of interest and left us with about 500 potential new clients who have liked our pages.
My question is can I contact them direct to offer incentives for them to try us out? I don't want to offer discounts across our Facebook pages at the risk of alienating existing clients. However I'm worried that direct contact is breaching the new legislation? No information is stored other than their details which are on Facebook itself, so I believe we are safe in this respect?
Anyone any thoughts?
This scenario concerns itself with the consent aspects of GDPR which, in my view, have least clarity so therefore interpretation can be somewhat subjective.
I would recommend you contact all respondents (historical and future) and ask for their consent for you to contact them with offers/deals etc. You can decide who from the positive replies you contact with what offers.
Looking at what is happening - and based on the fact that you need to make contact to get an answer as to whether or not you can make contact (ironic really and not very well thought through) - I would suggest that the majority approach now post GDPR is:
- make contact with an offer
- explain the basis of that contact (e.g. you like us on Facebook)
- make it very clear that you are passionate supporters of GDPR
- make it very easy to opt out
I suspect that most recipients of such emails / contact are more than happy as long as it is easy to opt out...
From a GDPR perspective you have a perfectly good legitimate interest justification (Article 6.1f) for using the information available to you. However, this has very little to do with the GDPR. What matters are:
1. Facebook's terms and conditions - those applying to you as a commercial content provider, and those applying to individual users. What do they say about your entitlement to use the data, and the purposes to which it may be put?
2. The Privacy and Electronic Communications Regulation (PECR). This is the main legislation covering electronic marketing. In principle you can't send electronic marketing information directly to consumers without their consent. However, since PECR was written before Facebook was invented, it doesn't cover Facebook DMs, only email. This will change with the ePrivacy Regulation, but that's still in draft. Even if you have their email addresses, don't email them.
TL;DR - nothing in GDPR says you can't use Messenger to offer people who've liked your page a discount; but Facebook may think differently, and it's their platform and their data.
akirk said:
Looking at what is happening - and based on the fact that you need to make contact to get an answer as to whether or not you can make contact (ironic really and not very well thought through) - I would suggest that the majority approach now post GDPR is:
- make contact with an offer
- explain the basis of that contact (e.g. you like us on Facebook)
- make it very clear that you are passionate supporters of GDPR
- make it very easy to opt out
I suspect that most recipients of such emails / contact are more than happy as long as it is easy to opt out...
Nope. I agree that this is what a lot of people are doing. But it's still wrong. If you're making that contact by email, you must have prior consent to send marketing information by email. If you don't have it, you can't use email to ask for it. You can, potentially, make initial contact using Facebook Messenger - because that's not covered by the same regulations (PECR, not GDPR) - but Facebook may not like it, and I suspect they consider themselves the data controller in that relationship, meaning that what they say, goes.
964Cup said:
akirk said:
Looking at what is happening - and based on the fact that you need to make contact to get an answer as to whether or not you can make contact (ironic really and not very well thought through) - I would suggest that the majority approach now post GDPR is:
- make contact with an offer
- explain the basis of that contact (e.g. you like us on Facebook)
- make it very clear that you are passionate supporters of GDPR
- make it very easy to opt out
I suspect that most recipients of such emails / contact are more than happy as long as it is easy to opt out...
Nope. I agree that this is what a lot of people are doing. But it's still wrong. If you're making that contact by email, you must have prior consent to send marketing information by email. If you don't have it, you can't use email to ask for it. You can, potentially, make initial contact using Facebook Messenger - because that's not covered by the same regulations (PECR, not GDPR) - but Facebook may not like it, and I suspect they consider themselves the data controller in that relationship, meaning that what they say, goes.
These are contacts who have liked our page already and no emails will be sent?
Phil Dicky said:
So if I DM them offering the option of a discount, explain if they DM back we can explain the offer. If we don't hear back they won't be contacted again?
These are contacts who have liked our page already and no emails will be sent?
You don't need to be that coy. You could write to them including the offer; all you need to do is include a means of opting out of future processing (by you - you should be clear that you're not responsible for any processing done by Facebook), your contact details (including outside Facebook, so email, phone and postal address), and either a brief summary of their data subject rights or a link to a privacy policy which contains that summary.
You should include some reference in the message to how you obtained their contact information ("We're writing to you because you liked our page/post/whatever") and why you think it's OK to process it ("We thought you'd be interested in a special offer only open to new customers who've reached out to us on Facebook"). Behind the scenes you should have a more formal record of source, purpose of processing and justification.
Don't feel the need to write in pretend legalese. DP law specifically requires you to use plain language in any case, and it's the meaning that's important, not the wording.
All of this is written from a data protection perspective, but as I say you should check Facebook's Ts&Cs before committing to a DM - I'm a data privacy professional, not a marketeer, so I'm not familiar with Facebook's own rules.
Long dull bit follows:
If this is a successful marketing mechanism for you, you will need to keep an eye on the forthcoming ePrivacy Regulation, which is likely to apply the same rules to Facebook DMs (and Twitter, Insta etc) as presently apply to email. That would mean you (probably) wouldn't be able to DM people who'd liked your page/post in future - unless FB amends its own privacy policy to make liking something include explicit consent to be contacted directly by the poster. Even then, embedding that kind of consent is problematic, so it would be safer to include a specific place on your FB homepage where people can sign up (e.g. by friending you) for updates and special offers. If you phrase the consent wording on that section correctly you can bombproof future comms. Note finally that consent cannot be tacit, so someone who does not unsubscribe in response to your initial, currently permissible, DM has not consented to future comms; they've simply not objected (yet) to comms that are not based on consent. This means that anyone you write to now under the current rules will probably need to consent at some point in the future when/if the rules change.
Everything above is written with lots of "probablys" because: 1. The ePrivacy Regulation is still in draft. 2. Unlike GDPR it may not apply to the UK after Brexit. 3. There's a whole lot of uncertainty about the treatment of social media data anyway, and there are both test cases and amendments to existing and new regulation floating around with the aim of clarifying the situation.
Ultimately, most data protection depends in part on the principle of surprise. If a reasonable person would not be surprised or might expect it if you processed their data in the way you propose to, then you're unlikely to be in deep trouble. It's still possible to be in breach of the regulations in any number of ways, but the consequences will be less severe (and the ICO's interest in investigating less pronounced). Put simply - how surprised/outraged is anyone likely to be if a brand they've liked reaches out to them with an offer? Answer: not very.
[For the very nerdy amongst us, this is recitals 47 & 50 of the GDPR with a view to interpreting Art 5.1a "fairness"].
