
GDPR and B2C and B2B commercial prospecting: what you can (and cannot) do.

Updated: Mar 15


Commercial prospecting is an essential practice for many companies wishing to expand their customer base and increase their business opportunities.

However, since the General Data Protection Regulation (GDPR) came into force in 2018, companies' commercial practices, and in particular their canvassing practices, have been regulated with regard to the use they make of personal data.

It is therefore crucial for businesses to understand what rules govern commercial prospecting, so that they can remain compliant with European data protection legislation.

In this article, we will define what commercial canvassing is, discuss the various rules imposed by the GDPR governing commercial canvassing, and finally look at the major difference between B2B and B2C commercial canvassing.

What is commercial prospecting?

Commercial prospecting refers to all the actions taken by a company to identify and contact potential new customers. Prospecting activities include sending promotional e-mails, making telephone calls, running targeted advertising campaigns on social networks, etc. Most of these canvassing activities involve the use of databases to store contact information, enabling companies to contact these potential new customers, whether individuals or companies, to present them with their offers.

These databases therefore contain information that is considered to be "personal", as it enables the individuals in the database to be identified directly (in particular through the surnames, first names, telephone numbers and/or email addresses stored).

B2B and B2C commercial prospecting

In terms of commercial prospecting, the rules are slightly different depending on the target: are prospecting campaigns aimed at private individuals or professionals?

The main difference between B2B and B2C prospecting lies in the nature of the customers targeted.

B2B prospecting targets companies (Business to Business), while B2C prospecting targets individual consumers (Business to Consumer).

In the case of B2C prospecting, the company seeks to reach individuals directly in order to offer them its products or services. The prospecting actions mentioned above therefore involve the use of personal information about prospective customers: their surname, first name, potentially their telephone number, email address and/or postal address.

The GDPR rules on commercial prospecting

The GDPR imposes a strict framework on the collection, processing and use of individuals' personal data, particularly in the context of commercial prospecting.

Basic obligations apply, such as filling in a data processing form for this canvassing process, which will be an opportunity to ask all the right questions.

Explicit consent

Before prospecting an individual, it is essential to obtain their explicit and specific consent to the processing of their personal data.

This means that the prospect (when they are an individual) must have explicitly given their consent to be canvassed: for example, they have subscribed to a strictly promotional mailing, or they have ticked a box (not mandatory and not ticked by default) to express their agreement.

The consent must be free, informed and given in the affirmative.

"Free" means that the prospect has genuinely had the choice (which is why the consent box must be non-mandatory).

"Informed" means that the prospect knows precisely what they are consenting to, and that they have had access to all the information they need to make their decision.


The principle of transparency stipulates that you must inform individuals in a clear and transparent manner about how you will use their personal data. In this specific case, it must be made clear to prospects that their personal data will be used for commercial prospecting purposes.

This principle of transparency also requires the amount of information to be sufficiently exhaustive to enable the prospect to make an "informed" choice, as we saw earlier. For example, it will also be necessary to provide information on the types of communications they will receive (solicitations by email, SMS, telephone calls), the frequency of these solicitations, what their rights are, how they can subsequently unsubscribe from these communications, and who the preferred contact is if they wish to exercise their Data Protection rights.

Respect for data protection rights (and contact person)

Data protection rights include in particular the right to object, and the rights to access, modify and delete data. Your prospects must be able to object to your commercial communications, and be able to exercise their rights easily and at any time.

To do this, you must be able to offer your prospects a contact person to enable them to exercise their rights.

It is not compulsory for this contact to be a DPO (although this would really be ideal). It is nevertheless compulsory to identify at least one contact person for this purpose, and to make his or her contact details accessible to prospects.

Data minimisation and purpose

The data minimisation and purpose principles stipulate:

  • That you should only collect data that is strictly necessary for the purpose for which it is to be used. For example, if you wish to carry out commercial canvassing by email, you will not be allowed to ask for a telephone number or postcode, as this data is not strictly necessary for sending emails. To go even further, you would not be allowed to collect a first name either, because this data is not strictly necessary for sending emails, and because the purpose of collecting this data is not justified.

  • That you should only collect this data for the stated purpose. For example, if you collect an email address for the purpose of email marketing, you may not re-use this email address to automatically subscribe this prospect to other emailings that they have not explicitly consented to receive.

Data security and privacy

We have seen that commercial canvassing requires collecting, storing and using a certain amount of data, and in B2C canvassing in particular, personal data.

In this context, the company carrying out each of these actions carries out what is known as "data processing", and thus becomes the Data Controller. The company is then required to ensure the protection and security of the personal data it uses as part of its canvassing activities.

The company must be able to prove that it uses security and confidentiality tools, and that it has put in place organisational practices that encourage secure practices, etc.

Opt-in or opt-out: the fundamental difference between B2B and B2C prospecting

The few rules mentioned above apply to all types of canvassing activity, whether aimed at private individuals or professionals.

However, we have already seen that the rules for commercial prospecting are slightly different in these two cases.

This difference is based in particular on the opt-in and opt-out principles.

In B2C, the opt-in principle applies - "No yes means no".

The opt-in principle stipulates that the prospect must have expressly given their consent to be solicited. If they have not clearly said "yes", then they have said "no", and you are not authorised to solicit them.

When commercial canvassing targets private individuals, i.e. B2C, the opt-in principle applies.

In B2B, the opt-out principle applies - "No 'no' means yes".

The opt-out principle, on the other hand, stipulates that prospects do not have to give their consent to be solicited (but they can always ask not to be solicited in the future). So if they haven't clearly said "no", then it's a yes, and you are authorised to solicit them.

When commercial canvassing targets companies, i.e. B2B, the opt-out principle applies.

To conclude

Commercial canvassing is therefore an essential practice for most companies, which depend on canvassing to fill their customer portfolios.

However, commercial canvassing requires the use of a great deal of data, particularly personal data.

In this context, companies carrying out canvassing are subject to a certain number of obligations and regulatory constraints that govern their practices and are designed to protect the personal data of the people concerned.

