GDPR Opt-In advice for complementary therapists / health and wellbeing practitioners

In my previous post you can read about GDPR and what action you can take to make sure you are adhering to the regulations.

However, I felt we needed a bit more clarity on the “must clients opt-in” question.

Ever heard of a “soft opt-in”?

Well, now you have. The information below will help you tremendously to understand what you need to do around getting clients, or potential clients, to opt-in.

Coupled with this advice, I recommend you do the right thing, an ethos my parents regularly instilled in me.

I spotted something on this marketing page of the ICO website, which led me to call them. I spoke to a lovely man, who patiently answered all my questions. If you have any questions, I suggest you get in touch with the ICO (phone or web chat).

Marketing campaigns

If you’re planning a marketing campaign, you’ll have to comply with a number of regulations. Some of these apply to unsolicited electronic messages sent by telephone, fax, email or text, while others apply to marketing material sent by post.

Electronic mail marketing

The most important thing to remember is that you can only carry out unsolicited electronic marketing if the person you’re targeting has given you their permission.

However, there is an exception to this rule. Known as the ‘soft opt-in’ it applies if the following conditions are met;

  • where you’ve obtained a person’s details in the course of a sale or negotiations for a sale of a product or service;
  • where the messages are only marketing similar products or services; and
  • where the person is given a simple opportunity to refuse marketing when their details are collected, and if they don’t opt out at this point, are given a simple way to do so in future messages.

When you send an electronic marketing message, you must tell the recipient who you are and provide a valid contact address.

The rules on emails don’t apply to emails sent to organisations, though you must still identify yourself and provide an address.

[Calls and fax paragraph deleted]

In summary, we recommend that your marketing campaigns are always permission-based and you explain clearly what a person’s details will be used for. Provide a simple way for them to opt out of marketing messages and have a system in place for dealing with complaints.

To ensure your marketing complies with data protection law and good practice see our direct marketing checklist – ideal for small businesses. For more information read our direct marketing guidance.

So, what does this actually mean in plain English?

What seems to be missing in the above bullet points is information from the previous post: as soon as you take personal information from someone, you need to tell them what you are going to do with it.

If someone contacts you (via any form of communication) you MIGHT be engaging with them about a ‘sale or negotiations about a service’, a.k.a. booking an appointment. They might just be enquiring about how much you charge, or your working hours.

You can choose at which point you deem the conversation to be about a sale, and IF the 3 conditions (bullet points above) are met, then you do not need to ask them to opt-in. They are considered a soft opt-in.

It was also suggested that you keep a record of opt-ins and soft opt-ins. More about that below.

What about adding people to my mailing list when they make first contact?

The guy I spoke to from the ICO said (and hopefully I understood him correctly) “If you add them to your list after first contact, the contact must have been carried out through a contact form on your website, which does NOT NEED opt-in but MUST HAVE opt-out information and must also mention how you intend to use their information”. You can always reference your privacy policy page on your site for this purpose.

You might be thinking, Leora, the last 2 sections contradict each other to a degree don’t they? Well, they do a little, and I think that is because a lot of this can boil down to YOUR interpretation of the law and what YOU feel is right…so…let’s look at…

Good practice around soft opt-in (and even the normal opt-in)

As we have said above, if someone contacts you about how much you charge or where you work, and during the course of the exchange they give you their email address, you can sign them up to your mailing list, by applying the soft opt-in rule, as long as you adhere to the 3 bullet points above.

But would you?
I wouldn’t.
I would only add someone to my mailing list after their second session with me AND I would ask their permission. But that’s me!

As we all know, to work in the health and wellbeing sector, we need to create good rapport with our clients. What does it say about our rapport if we just slap someone’s name on our mailing list after their first contact?

How would you feel if you booked in for an appointment with someone and then started getting mailings from them?

Clients need to have faith in you that you are holding their information lawfully and confidentially and that you are using it in the right way.

Further reading: Legislation for the Privacy and Electronic Communications Regulations (PECR) 2003 and the ICO guide to Privacy and Electronic Communications Regulations

For best practice, I think this paragraph is important to keep in mind:

“In summary, we recommend that your marketing campaigns are always permission-based and you explain clearly what a person’s details will be used for. Provide a simple way for them to opt out of marketing messages and have a system in place for dealing with complaints.”

For the latter part of this statement, look at this form I have created for my web clients to update/change info, opt-out, make a complaint.

I use normal email to inform clients about certain things and MailChimp for newsletters. On the newsletters there is the usual update details or opt-out, though it seems now we should have in place this previously mentioned form, so they can request other changes.

Keeping a record of opt-ins

It was suggested that you keep a record of when someone has asked to opt in or when you asked them if they would like to.

Personally, I would do it all via email. If a client has come to me more than once, I would ask them via email if they wanted to sign up to my mailing list. It goes without saying that I would have a link to the signup form in my signature, though you never know if they see it and take action.

If you ask them via email, you have an easy way of keeping that record. Put all those emails in a “subscribed” folder in your inbox. Simple.

What happens if I do adhere to the law?

I was told by the ICO gent that we “must show every effort to comply”.

If we send out lots of stuff (technical term) and do not adhere to the guidelines, we will be fined.
 
I think mostly they are after the big fish, though small fish would benefit from staying safe.
 
If we are unsure about something or there is a complaint about us, we should call the ICO and get some advice from them. We should document what we are doing, e.g. I phoned the ICO on DATE X, I did this, I did that, I thought the soft opt-in rule applied, I took people off my mailing list.
 
The ICO’s principles are: education > guidance > fine

So, what do we need to do?

There is a bullet point list of some, but not all suggestions on the previous post. Please digest all the info on both posts, fill in the missing “to do’s” and decide what YOU need to do. Most of it will be the same for all of us, though there might be some differences in how we handle all of this.

My parents raised me to always “do the right thing” and I think this is what this is about. Treat people like you would like to be treated and don’t abuse the information they give you, whether they are a potential client, a client, a friend/family or a colleague.

Need to chat with me?

If you need any advice about this or need to make changes on your website, please let me know if The Wembitress team can help you!
