How do you run a GDPR compliant competition or award?
Updated: Oct 11, 2022
What is GDPR and how will it affect contest campaigns?
Ok, so you’re thinking about running an online contest or award, but you’ve heard a lot of noise about new privacy laws such as GDPR and want to understand what this means to you?
With all the negative press about the privacy concerns that organisations such as Facebook have attracted recently, is it any wonder that legislation such as the EU’s General Data Protection Regulation (GDPR) has gained so much attention?
There are now heavy fines for organisations (of any size) that don’t abide by these new privacy laws.
So, if you are thinking of running a campaign such as an online contest or awards where you are collecting people’s information through either registration, entry/nomination or voting then there are a few things you need to consider in order to stay compliant with laws such as GDPR.
Let’s touch on a few of these.
The explanations and information provided herein are only general and high-level explanations, information and samples. You should not rely on this article as legal advice or as recommendations regarding what you should actually do. We recommend that you seek legal advice to determine your privacy requirements.
It’s important to remember that this may not only be for explicitly entered information such as name and email address. It could also include other identifiable information such as IP address or other information obtained from the device they are using.
Now that you know what information you are going to collect, and you have explained this to individuals, you need to ensure you provide Opt-in function(s) when individuals are handing over their information. For consent to be considered valid, here are a few things you need to consider:
It must be freely given, without coercion, undue incentives or a penalty for refusal. This is an important one because while you can request consent as a condition for entering or voting in a contest, if this same consent includes using personal data for other unrelated purposes (e.g. adding to a mailing list) then this consent must be obtained separately. It also should not preclude the person from entering the contest if consent for unrelated purposes is not given.
The consent conditions must be displayed clearly and be easy to understand so the person knows what they are agreeing to. This could be in the form of a short description and then a link to the conditions in more detail. Regardless of how it is displayed, it cannot be written in complex legal jargon.
It must show a positive expression of choice: the individual must take some kind of specific action to provide consent. It is not acceptable to have consent pre-selected or assumed without the individual taking specific action. If you have an opt-in form, make sure the opt-in tick box is not ticked by default.
The consent must be auditable: the date, time and conditions that an individual agreed to when they provided consent must be kept and producible in the case of a complaint or audit of compliance.
It must be able to be withdrawn: the individual must be able to withdraw their consent at any time where the consent has been provided for purposes other than the running of the contest.
The consent must be provided by someone who is of legal age, which may vary from region to region; however, typically someone needs to be 16 years of age or older in the EU or 13 years of age in most US states. Anyone below legal age must receive consent authorised by the holder of parental responsibility over the minor. You also need to ensure you show reasonable steps to verify that the person providing consent is authorised.
Examples of consent:
Incorrect, as this is the condition of entry to the contest or award and the individual cannot enter without also agreeing to be included on a marketing list which is not related to the specific contest. This is seen as a penalty for refusal.
Correct, as the acceptance to join the marketing list is separate from entering the contest. The tick box for the marketing list is also not selected by default which means the individual needs to take a positive action in order to opt-in.
Right to be forgotten
GDPR and many other privacy rights include the right to be forgotten. This effectively means that an individual has the right to request that their information be permanently deleted. Interestingly, this is a tricky one when it comes to contests. While this is pretty straightforward for personal information such as name, email, address, etc., with UGC contests you may have received consent to use a video or other UGC that someone has uploaded for ongoing campaigns.
A disgruntled contestant, or an individual who finds out that they didn’t win, could request that their video be deleted. This hardly seems fair. As the use of the video for ongoing campaigns was the original premise of the contest, you need to ensure that the terms and conditions that the individual agreed to include the perpetual rights to the video, photo or material that the individual provided as part of the contest.
It is important to ensure you get this thoroughly checked by your legal team to ensure you do not limit the effectiveness of your campaign due to local privacy laws.
Data portability is all about making sure that you can export personal data in a common format so that it can be transferred either to another platform (controller) or provided back to the customer who has supplied it. This is definitely something you need to consider when selecting a platform to manage your contest or campaign.
An important aspect which we often see forgotten when running a campaign is to provide an easy way to contact the organisation running the campaign. The ability to request for personal information to be accessed, deleted, changed or to lodge a complaint are examples of reasons that you need to ensure you have an easy way for your customers to contact you.
This could include phone and email address details or a contact form. This should be clearly visible on your campaign pages.
Data Processing Agreements
Many jurisdictions, including the EU, have legislatively mandated agreements on how data is to be processed. It is important that any supplier you use for managing competitors' data has in place the correct Data Processing Agreement to ensure your audience is adequately protected and you are complying with local privacy requirements.
These processing agreements will include information such as how data is encrypted, stored, managed and who that supplier in turn uses to sub-process your data.
As jurisdiction laws may differ it can be important to either understand or apply limits to the geographical jurisdictions of your audience that you are collecting data from.
For example you may want to limit voting to only people from the EU. In many circumstances this can be effectively done using GEO IP detection technology. Launchpad6 leverage an organisation called IP2Location to provide this capability in our platform (https://www.ip2location.com/).
IP2Location provide Launchpad6 with a comprehensive database of locations based on IP address which is used to enable customers to create rules to limit access to participate from specific locations.
While privacy laws such as GDPR seem onerous and a burden, organisations that treat their customers' information with respect and transparency will be the real winners. This creates ongoing trust with your customers and ensures that the likelihood of falling foul of the privacy laws is minimised.