The entry into force of the General Data Protection Regulation (GDPR) on May 25, 2018, marked a milestone in the management of personal data by businesses.
In many respects, the GDPR is a novel regulation in European legislative history thanks to its (highly) harmonized nature, its extraterritorial application, the significant increase in regulatory power (with penalties of up to 4% of companies’ annual global turnover) and the creation of a European structure for the interpretation of the regulation (European Data Protection Committee).
As we will detail in this article, the GDPR applies more flexibly in B2B, because the data collected most often relates to legal persons or to professionals in a way that identifies individuals only slightly or not at all.
GDPR and B2B prospecting: how to be “compliant” without restricting the commercial effort?
The GDPR does not require consent (opt-in) in B2B prospecting… with some conditions
In B2B, which therefore involves transactions between two entities, the General Data Protection Regulation (GDPR) has not changed the exemption regime that prevailed in commercial prospecting and lead generation campaigns (LeadGen). In reality, B2B commercial prospecting continues to fall under the European ePrivacy Directive and Article L.34-5 of the French Post and Electronic Communications Code.
Thus, consent is not required for outgoing communications, whether they are intended for prospects (prospecting) or actual customers (loyalty, upselling, cross-selling). However, the legislator has set three main conditions for B2B prospecting without consent (or opt-in).
#1 Inform about the conditions of data processing
In short, this means detailing the method of data collection (direct or indirect), identifying the organization that collects and processes the data (identity and contact details), specifying the legal basis for this processing and informing about the length of time the data is kept, the right to lodge a complaint with the Commission Nationale de l’Informatique et des Libertés (CNIL), etc.
#2 Make an opt-out link available to the recipient
Since the first drafts of the GDPR (2013 – 2014), B2B professionals have repeatedly expressed their fear that the regulation would restrict the scope of B2B marketing and prospecting, with a catastrophic impact on companies’ sales performance.
In fact, the GDPR has maintained the status quo in B2B, as it has not required the data controller to collect consent (opt-in) from business recipients in a B2B email campaign. This is what the CNIL calls “the opt-in provision”.
On the other hand, the company must allow the professional recipient to unsubscribe (opt out). The CNIL recommends that the unsubscribe link be direct, visible and systematic in all B2B prospecting communications. In short, B2B emailing works in opt-out mode (without consent), while B2C emailing works in opt-in mode (mandatory consent).
The subtle definition of “personal data”
The flexibility of the GDPR in B2B is explained by the very definition of “personal data”. Indeed, the legislator has excluded from this category the so-called “firmographic” data, which refer to legal entities (company name, address, activity, product range, etc.). Also excluded are generic e-mail addresses such as firstname.lastname@example.org and professional e-mail addresses that do not directly identify a natural person. Please note: the processing of personal data, as defined by the GDPR (e.g. personal e-mail addresses and telephone numbers), is not exempt from the consent of the person concerned.
#3 The emailing must be related to the profession of the person contacted
Companies must ensure that the solicitation (emailing in particular) is consistent with the profession of the person being canvassed. The notion of “consistency” has not been made explicit by the GDPR.
It is generally recommended that companies use common sense and contextualize email campaigns to ensure their relevance (performance objective) but also their legality (GDPR compliance).
B2B prospecting: what does the GDPR say about scraping?
Scraping refers to a set of techniques for automatically extracting data, publicly accessible or not, from one or more websites. Scraping is usually driven by scripts or tools that run scripts. This technique is used for SEO purposes (with content plundering), in a competitive intelligence context (to detect variations in competitor prices on marketplaces) or to build or enrich a database for B2B prospecting purposes.
Scraping has not been specifically designated by the GDPR. The “Nestor” case, named after the company that sells meals in the workplace, shows that the CNIL is rather hostile to this practice. As a reminder, Nestor was using a scraping tool on LinkedIn to feed its database in order to prospect professionals. The company used the opt-out principle. The CNIL found that Nestor’s activity had “little connection with the professional activity of the prospects”, and ruled that there was a violation of the GDPR due to the failure to comply with the information and consent obligations.
Is it possible to do scraping if the subject of the emailing is in line with the professional activity of the prospects? We are in a grey area here, with the risk of a penalty.
Does the GDPR allow for the rental of databases for B2B prospecting?
The GDPR does not explicitly oppose the principle of renting databases for B2B prospecting from brokers. On the other hand, the conditions of legality of this practice are restrictive:
- You must ensure that this third party provider is compliant with the GDPR;
- Demand evidence of the provider’s “GDPR compliance” practices, whether for the constitution of the database or its maintenance.
Beyond the law, the use of poor quality third-party databases has many drawbacks: low conversion rates, degradation of the company’s brand image, waste of sales and marketing resources, etc.
If the European legislator has been relatively lenient with B2B companies by omitting the consent requirement for B2B prospecting (under certain conditions), the CNIL strictly regulates the grey areas with two major points of vigilance:
- The type of data in question and whether it is personal;
- The coherence of the prospecting message and the marketed offer with the profession and/or the activity of the prospect.
It remains to be noted that negotiations between EU member states on the second draft of the ePrivacy regulation resumed in 2022, with an expected entry into force in 2025. It is highly unlikely that this regulation will call into question the exemption from consent in the context of B2B prospecting, but a tightening of the conditions cannot be ruled out.