For years, retailers, travel and hospitality companies, banks and other businesses have relied on SMS and mobile chat to reach customers and provide efficient and rapid resolution for their issues. SMS has proven to be a more effective mobile marketing channel than any other. Reports have indicated SMS marketing messages have up to a 98 percent open rate and messages are opened within three seconds of being received.
Some experts have estimated that by 2020, the number of consumers who have opted in to receiving business communications via text will reach more than 48 million. With emerging technologies including rich communications services (RCS), the efficacy and use of mobile connection with customers will continue to increase.
But for any company processing and holding the personal data of anyone residing in the EU, regardless of the company’s location, the enactment of the General Data Protection Regulation (GDPR) is complicating today’s tried-and-true approaches to customer communications. Under GDPR’s requirements, companies must meet strict guidelines for how they interact with users, and how they collect, process and store consumers’ personal and sensitive data. Additional data protection laws in the US (including the California Consumer Privacy Act and the NYDFS Cybersecurity Regulation) and other regions around the world are emerging as well, ultimately impacting virtually any company that collects and stores personally identifiable information.
In the pre-GDPR landscape, real-time communication methods such as SMS and live chat allowed organizations to automatically collect data through their interactions with website visitors or customers. Organizations could go on communicating with users, use the information collected and hold on to it for as long as they chose. In many cases, that customer data would be kept in a database and later plucked out when needed for marketing efforts. Minimal consideration was given to how, when or where the data was processed, stored and protected, all of which are now critical considerations for maintaining compliance with GDPR and other laws.
For organizations using mobile communications for marketing and customer service, the issue of user consent (gaining explicit permission from users to collect and process their personal data, and documenting how that data will be used) is as critical as ensuring proper storage and security controls. The GDPR requires user consent in every scenario in which personal data is collected, and outlines specific guidelines for how consent can be obtained. The request for consent must be delivered in a format that is easy to read and understand, and must allow the consumer control over the choice. For example, a person can give consent through a check box on a web form or via email, but it may be rendered invalid if it is a pre-checked option or a required condition to use a service.
Apps and websites can provide onscreen explanations or pop-up notifications to show users what data is being collected, why and what will happen to it over time. SMS double opt-in is emerging as one viable option, which provides a compliant way for users to explicitly confirm their request to receive communications. This process involves the user sending a specific code to the business in order to subscribe or request offered information. A confirmation message sent to the user requires a final response in order to complete the request. Users can unsubscribe quickly by replying to any previous message sent.
Organizations must also keep records of how data and consent were obtained. Without supporting documentation to prove consent was lawfully given, the consent becomes invalid. The customer service team and other key stakeholders should work with the legal, IT and information security groups within the organization to implement processes and workflows that properly manage and document user consent.
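The double opt-in exchange and the consent record described above can be sketched as a small state machine. This is an added illustration, not code from the article or from any SMS provider; the keywords JOIN, YES and STOP, the class name and the record fields are assumptions.

```python
from datetime import datetime, timezone

# Assumed keywords; the article only says "a specific code" and "a final response".
SUBSCRIBE_CODE, CONFIRM_REPLY, STOP_REPLY = "JOIN", "YES", "STOP"


class ConsentLedger:
    """Tracks per-number opt-in state plus an append-only evidence log."""

    def __init__(self):
        self.state = {}   # phone number -> "pending" | "subscribed"
        self.log = []     # one record per state change, never edited

    def _record(self, number, event, text, when):
        self.log.append({"number": number, "event": event,
                         "inbound_text": text, "at": when.isoformat()})

    def handle_inbound(self, number, text, when=None):
        """Process one inbound SMS; return the reply to send, or None."""
        when = when or datetime.now(timezone.utc)
        word = text.strip().upper()
        current = self.state.get(number)

        if word == STOP_REPLY and current is not None:
            del self.state[number]
            self._record(number, "unsubscribed", text, when)
            return "You are unsubscribed."
        if word == SUBSCRIBE_CODE and current is None:
            self.state[number] = "pending"
            self._record(number, "opt_in_requested", text, when)
            return f"Reply {CONFIRM_REPLY} to confirm. Reply {STOP_REPLY} to cancel."
        if word == CONFIRM_REPLY and current == "pending":
            self.state[number] = "subscribed"
            self._record(number, "opt_in_confirmed", text, when)
            return f"Subscribed. Reply {STOP_REPLY} at any time to unsubscribe."
        return None  # anything else never creates or upgrades consent

    def may_message(self, number):
        """Marketing sends are allowed only after the second, confirming reply."""
        return self.state.get(number) == "subscribed"

    def evidence(self, number):
        """Return the documented trail showing how consent was given."""
        return [r for r in self.log if r["number"] == number]
```

A confirming reply with no prior subscribe request is ignored, so consent cannot be recorded from a single message, and every state change leaves a timestamped record that can be produced later.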
Though the extra steps required for compliance can be complicated and cumbersome, the consequences of failing to fulfill GDPR obligations far outweigh them. Under the regulation, authorities have the power to halt any business operations that are deemed non-compliant. If such a penalty were brought down upon customer communications, it could lead to severe damage to the business and its reputation. Organizations must take stock of existing options for obtaining and maintaining user permission, so they can continue to effectively and lawfully connect on critical channels.