You would have to be living under a rock not to know GDPR is about to become law in the EU. It is also safe to say that many organisations, especially smaller operations, will still be feeling bewildered and overwhelmed by the breadth and specificity of the new regulations.

Likely, you have received numerous emails from service providers or publishers whose mailing lists you forgot you were even on, pleading with you to show them some love by consenting to receiving their bits of fluff after May 25th (ClearBookings is amongst that melee)!

What's that about?

Amongst the rules imposed by the GDPR is a requirement that all processing of personally identifying information (or simply 'PII' to those down with the lingo) must be done under an appropriate lawful basis, of which there are six bases identified in the regulations. The nature of the processing illuminates the choice of lawful basis. In the case of using names and email addresses to distribute marketing content, the most appropriate choice will generally be that of informed consent provided by the customer or subject receiving the content.

In the past, organisations might have slotted something into their terms and conditions of service suggesting that simply by using their service, you consented to receiving marketing materials from them and hence they started spamming you on that basis, or even that receiving the marketing content was a condition of using their service. Under the new rules, this would no longer be allowed since, among other things, consent:

A) must be both informed and given freely,
B) should not be a pre-condition of signing up to a service, and
C) requires a positive opt-in (no pre-ticked checkboxes any more!)

In many cases, it would generally be trivial to demonstrate that receiving of marketing content is not necessary for an associated service to be provided, so using some other lawful basis (such as contractual obligation) for the distribution of that content would no longer be appropriate. Hence, everybody is scrambling to acquire consent from their mailing list subscribers to continue sending them stuff!

What's your point?

If you are a MailChimp customer, we can help you manage your mailing list. More importantly, we make acquiring and recording consent from your customers to receive your newsletters or marketing content nice and simple. Simply visit the MailChimp tab on your Account Settings page in the ClearBookings dashboard to add your MailChimp API key, configure your list settings and enable the customer consent checkbox.

This capability has been present in the ClearBookings dashboard for some time now. However, we have made some changes to ensure you manage your GDPR compliance to the best extent. In particular:

1. Customers are informed up-front as to what will happen to their information when they opt in, as well as their ability to unsubscribe at any time.
2. We will automatically add a new 'ClearBookings Opt-In Date' mail-merge field to your list, which we populate with the booking date on which a customer first provides consent at checkout

Since you might want to use MailChimp for more than purely marketing purposes, we also provide choices regarding when you would like customer contacts added to your list - only when consent is given, or always on completion of bookings. In either case though, we will include the date of consent in your list entry, where consent has been given. This allows you to create a segment on your MailChimp list containing only those customers that have given consent at checkout for delivering marketing content to, whilst using the broader list for other non-marketing-related purposes. An example segment using this mechanism is shown below.

If you are also using MailChimp's in-built GDPR fields (more information here), you could create a combined consent segment that considers both MailChimp or CB consent fields as valid.

Note the 'any' option is chosen for contact matching. Also note that the value for the Marketing Permissions field depends upon how you have configured your MailChimp GDPR fields.

Once you have created a marketing consent segment, you can simply choose that when creating new marketing campaigns after May 25th as follows.

What if a customer unsubscribes?

Customers who unsubscribe remain in your mailing list with a status of Unsubscribed. These will automatically drop out of any consent segment you may configure like the above examples.

What about non-marketing related customer contacts?

It is worth noting that consent is not ALWAYS required in order to use your customers' personal details to reahc out to them. For example, an event organiser would have a legitimate basis for sending to customers who booked tickets for an event any information regarding that specific event (eg. venue/time changes, directions and the likes) without having expressly acquired consent from those customers. The lawful basis for processing the customers' data for this purpose would more likely be to meet a contract between the customer and organiser, though some other basis might better apply.

Where can I learn more?

The UK's Information Commissioner's Office website has a very good guide on the GDPR, which is much easier to follow than the text of the legislation. You can find it here.

As mentioned above, MailChimp also provide some handy tools for managing the GDPR compliance of your mailing lists, which you can find here. On this note, you may have found yourself asking the question earlier of "Why don't you simply update the MailChimp 'Marketing Permissions' field when customers opt-in during checkout for bookings, rather than adding a ClearBookings-specific opt-in field to my mailing list?" Unfortunately (but for what are likely valid reasons), MailChimp does not allow us to set or update those values via their API, but only through their own forms.