Tsunami of repermissioning
May 17, 2018

Thoughts from the tsunami of repermissioning emails (part 2 of 2)

By Paul Laughlin

How are you coping with the tsunami of repermissioning emails? Have they filled your InBox yet?

Before we all get sick of them and let inertia reduce our subscriptions (providing consent is being sought), let’s return to our review of these communications. In part 1 of this series, I reviewed a number of emails that I’d received from suppliers to my business. A mixture of those seeking consent (informed opt-in) and those just confirming a legitimate interest basis for holding my data.

But, as you have no doubt already experienced, GDPR is not just for work – it follows you home as well. In fact, many would say that the increased protection for your rights as a citizen, is the key benefit of GDPR. So, in part 2, I will review a number of GDPR related emails that I’ve received as a consumer.

Once again, I will be looking for lessons to learn from these, of either good practice or mistakes to avoid. Let’s get back to rifling through my InBox…

Tsunami of repermissioning, exhibit 1 (Hiscox Insurance)

Let’s start with nothing too personal, my insurance provider. I was pleased to receive this simple & clear repermissioning email from Hiscox:

Tsunami of repermissioning 1

With the clear & simple email subject line of “A quick question for you…“, this email makes clear what is required & sets the right tone. Uncluttered layout & clarity of a question requiring a response, makes this both easy to action for consumers & quick to read. A number of companies have gone with the Yes & No buttons, even though no action is the equivalent of denial (if proactive consent is being sought). But, many fall into the pitfall of being far too overt about making Yes sound like a positive choice, while playing on the ‘Fear Of Missing Out (FOMO)’ in how they word or visualise choosing No.

The other good practice here, is to have two clear buttons, of equal prominence & non-pejorative language. It appears empowering and confident of the brand to provide such a clear unpressurised choice to the consumer. However, it is still making use of the behavioural bias that by presenting the consumer with the apparent need to make one of these two choices, Status Quo bias should increase likelihood of retaining their permission.

It’s also good to see a clear message on this not being a permanent choice & a link to full privacy policy. Just a couple of improvements that could be made. A clear link to detail on data held & data processing undertaken (or even quick summary in email), plus a clear link to details of other consumer rights now with GDPR. That said, this is a positive example to follow. Well done, Hiscox.

Tsunami of repermissioning, exhibit 2 (Under Armour)

Getting a bit more personal now. I’m afraid we are into the world of my lycra exercise gear. I’ll skip over that disturbing image quickly, to focus on the email I received from Under Armour:

Tsunami of repermissioning 2

As you’ll see, this email is assuming a legitimate interest basis. That itself is interesting, as I don’t recall ever positively opting in, nor have I purchased directly from their site (so they don’t have the evidence that I am a customer, nor active user). In addition to this, the subject of this email sets the tone for the pitfall that this example falls into. The email had the right riveting subject line of “Please review our updated Privacy Policy and Terms”. I’m pretty sure that alone consigned this email to trash for many recipients.

In my last review of GDPR related emails, I shared the example of IQPC appearing to try to make a ‘communication of Legitimate interest basis‘ email so boring it almost guaranteed no action. This example from Under Armour falls into the same trap, but is surely less acceptable, as aimed at mainstream consumer audience.

One could argue that they are sharing a lot of potentially useful information, as the email goes on like this…

Tsunami of repermissioning 3

However, there are no helpful visuals & in fact the recipient is just being told that terms will be changing prior to GDPR. It will be interesting to see how Under Armour follow-up this communication, once new Privacy Policy is live. I hope they communicate the key elements in a more visual way & notify recipients of their new right (with links or contacts to exercise them, excuse the pun).

At present, this feels like another case of boring the data subject into submission & focussing on policies rather than empowerment. Those designing these emails should instead prioritise communicating the following (in plain english):

  1. The personal data that is being held (or sought).
  2. How it will be used (data processing) & if shared with others.
  3. Legal basis for doing the above i.e. make clear is seeking permission, or assuming a legitimate interest, or needed to provide product or service.
  4. Rights that data subject has under GDPR (e.g. right to deletion, right to portability, right to object, subject access request + how to exercise these)

Tsunami of repermissioning, exhibit 3 (Subway)

As a fairer presentation of my mixed lifestyle, let’s not pretend I spend most of my time exercising. I spend more time eating, so have received GDPR related emails from a few food outlets. The experience that impressed me, from amongst these, was the capture of consent by Subway:

Tsunami of repermissioning 4

Here I am sharing not the initial email requesting consent, but the equally important screen for capturing consent. After clicking on the link in Subway’s clear repermissioning email (“Update your preferences”), the user is taken to the screen I show above. Now, whilst elements of the original email could certainly be improved (too much ‘leading the witness’), I was impressed by some of this design.

Akin to the effectiveness of uncluttered email & simple consent buttons by Hiscox, this screenshot shows the power of simply using colour. It sounds blindingly obvious, but the use of green for red appearing to confirm positive & negative changes, makes it easier for user to sure of choices. I would prefer to see equal billing for “Opt out of all Marketing“, at same level as “Tell me Everything” and “Select all“. But, use of colour works well & it is good to see option provided for in-app notifications rather than email. It is important to capture channel level preferences & content preferences at the level of granularity most useful to your users.

Tsunami of repermissioning, exhibit 4 (other opinions)

I hope you have found the above review (and part 1 of this series) to be useful. As ever, there is a risk that I am simply sharing my opinion. So, on this important topic, I also want to bring in some other voices.

For almost a year, I have also participated on MyCustomer.com’s GDPR expert panel. There have been a number of useful posts shared, on topics ranging from legitimate interest basis to requests for erasure.

But, for this post, the most relevant to share is their recent article reviewing some other GDPR repermissioning emails. I hope you find my comments, and especially the views of others, helpful in improving the design of your comms:


Tsunami of repermissioning, what are your plans?

Finally, I’d love to hear more about your plans. Have you already successfully completed your repermissioning & legitimate interest email campaigns? What did you learn from them.

Whether sharing your own results, or your experience as a consumer, we welcome input from our readers.

We are all suffering the current email deluge, so why not share the love with your advice & tactics?