From a practical perspective, the context in which data is collected will affect how customers are notified about the intended use of their data and how permission is obtained from them.
It is essential to provide the appropriate notifications at the right point in the transaction process. The flow of these online transactions also needs a log-in stage to recognise returning customers, with the option of setting out the basics of their record and permissions for them to update, and so obviate the repeat notification/permission process.
The notification statement for new customers still needs to provide the basic information.
Thank you for booking tickets to see the Touring Artists Company (optional: who are officially called Actors Bank Raid Ltd).
They would like to add your (email address/telephone number/postal address etc.) to their marketing list so they can keep you informed about their events (by email/by SMS/by telephone call etc.).
TICK BOX: Yes please / No
Thank you for booking tickets at the Any Town Venue (optional: who are officially called Any Town Venue Promotion Company Limited).
We would like to add your (email address/telephone number/postal address etc.) to our marketing list so we can keep you informed about events at our venue (by email/by SMS/by telephone call etc.).
TICK BOX: Yes please / No
The law (PECR) requires opt-in consent from individuals before their details are used to send electronic direct marketing, and that consent must be specific about who will be sending the marketing and what method they will be using to send it. This means that when a venue obtains such consent from an individual on behalf of a touring company, it must explain what it is sharing (e.g. email addresses, telephone numbers) and who it is sharing those details with. Terms such as “selected third parties” are not specific enough to constitute valid consent.
A notification statement must name the specific organisations that contact details will be shared with. This marks a change in the guidance received from the ICO. Formerly it was acceptable to clearly describe a specific type or category of organisation, provided that the touring company in question clearly fell within that description. However, under the new regulations, it is no longer acceptable to deal with it that way. The specific company/ies with whom data is to be shared must be named.
Please note that this is not legal advice, and as compliance is so content sensitive, the ICO must judge any complaint on its own merits.
Compliant functionality in ticketing systems
The ability to functionally support the obligations of GDPR in relation to data sharing in online booking processes and ticketing systems varies on a system-by-system basis. Ticketing suppliers are at varying stages of developing the functionality around booking processes that fully support compliant data sharing. As part of this guidance, Arts Council England also commissioned a consultation (undertaken independently by Andrew Thomas of the Ticketing Institute) to liaise with ticketing suppliers over the requirements of the new legislation, and to give them a chance to demonstrate how their systems can best be configured to comply with the requirements of GDPR in relation to data sharing. The results of these consultations are available to view on a system-by-system basis at the Ticketing Institute site.
Possible “soft opt-in” exemption
PECR (2003) includes a limited exception from the requirement to obtain opt-in consent for electronic messages (e.g. email or SMS) where the following circumstances apply:
- The contact details were collected “in the course of a sale or negotiations for a sale”
- The sender only sends promotional messages relating to their own “similar products and services” AND
- When the address was collected, the opportunity to opt-out was offered and not taken. This opt-out opportunity must be given again with every subsequent message.
This is commonly known as a “soft opt-in”. A compliant notification statement seeking permission for the venue to contact the individual for marketing purposes, similar to that previously outlined, must be provided to the customer, but only the option to ‘opt-out’ is required – there is no need for them to tick ‘Yes please’.
Please note that it is only the organisation actually selling the ticket to the customer that can rely on the soft opt-in. For example, a touring company cannot rely on the soft opt-in if the contact details were collected by the venue or ticketing agent when the ticket was bought. A touring company or venue can only rely on the soft opt-in if it sells the ticket to the individual directly.
Note that the “opportunity to opt-out” must then be in each subsequent email or SMS communication sent to the customer – this is a legal requirement.
No “soft opt-in” exemption for data sharing
It is not acceptable to apply this “assumed opt-in” for more than one legal entity at once, so the venue is not able to include a named touring company in the “assumed opt-in” permission. Essentially, while the venue can assume permission if it collects the individual’s details in the course of selling them a ticket, the touring company in this case requires separate permission on an actual ‘opt-in’ basis. This will affect any venues that had combined the notification with the touring company so they could share data under the “assumed opt-in”.