Tips for GDPR-friendly Sales Promotions

GDPR is on everyone's mind right now, and Sales Promotions are a key area that will be impacted. Read on for our tips on staying on the right side of the new legislation.

GDPR – The Challenge for Marketers

Competitions and sales promotions are an integral part of marketing activities for many brands. Agencies and brands have in our experience always been cautious about collecting consumer data from competitions, the fear being that the consumer might forget all about the promotion by the time they receive a follow-up message, even if they had been fully informed and correctly (actively) opted in at the time of entering.

But under GDPR the data controller and the data processor have a duty to protect their customers’ data privacy regardless of whether they plan to contact them again. So data privacy is of the utmost importance in order to avoid complaints and even fines.

Let’s take a closer look at some aspects of GDPR in relation to sales promotions. Note that we use the terms Data subject, entrant, and consumer interchangeably.

7 Tips for GDPR-friendly Sales Promotions

Image source: Amazon Go

1. Put the Data Subject First

When entering a competition, entrants almost always share their personal information such as mobile number and email address, and possibly also other personal data such as name, address or date of birth.

“In May 2018, organisations will no longer be allowed to collect or process a European citizen’s consumer data without identifying a legal basis for doing so. They will also be unable to use data collected prior to May 2018 if this doesn’t have appropriate notice/s and measures for consent in place”.

A Marketer’s Guide to GDPR

Each competition entrant is a “Data Subject” under GDPR, so their data must be stored and handled securely and they need to be made aware of the following:

  • Who the data controller is
  • How to contact them
  • Why the data is being collected
  • What is going to be done with the data
  • Whether any 3rd parties will have access to the data
  • Their data protection rights e.g. the right to be forgotten and the right to access

2. Understand Contract and Consent

Firstly, the concept of “Contract” is relevant for the purpose of competition entry, whereas “Consent” is needed for any ongoing marketing to the consumer.

When a consumer enters a competition there is a contract of communication in place for the length of the competition only. In other words, it is ok to contact competition entrants during the competition with information relevant to the competition; for example, to let them know if they have won or lost, as you are (in GDPR parlance) “fulfilling the original purpose”.

Secondly, you must remember that you can only use the data again if you have the explicit “Consent” of the consumer as outlined in the example below.

Fig 1: Non-Compliant data collection (left) Vs Compliant data collection (right)

Image source: A Marketer’s Guide to GDPR (Gravicus)

In summary, Data Subjects need to specifically opt in (consent) to marketing communications, and the consent must NOT be a prerequisite for entering the competition or promotion.

  • Consent must be freely given
  • Pre-ticked consent boxes are no longer allowed
  • The consumer must be properly informed of what they are opting in to
  • Be clear which channels they are opting in to (e.g. Email, SMS etc.), with separate tick-boxes for each

3. Manage Opt-in

If you’re asking a consumer to fill in a form to enter a competition, remember that people make mistakes, so you should use double opt-in before you add them to your marketing list. This is as simple as getting them to click in or reply to an email from you, and will get rid of invalid email addresses and prevent future complaints.

For opt-ins collected pre-May 2018, if the relevant information wasn’t given to the consumer at the time they opted in, you will need to reconfirm their consent before sending them any further information post-May 25th. In particular, the consumer needs to have had their right to access and a Data Privacy statement made available at the time when they originally opted in, and they should also have been offered a method of withdrawing consent.

There can be an exception made where marketers can clearly demonstrate there is a “legitimate interest” in consumers continuing to receive the information on an opt-out basis. However, in practice this can be complex and difficult to prove, so B2C marketers in particular should be wary of using this as the basis for consent.

“You may not know exactly what campaigns you’ll be running later in the year, or what clever new dynamic content your email provider is going to come out with next month, but you need to explain it to your customer and ask their permission before you collect the data”.

GDPR Consent or Legitimate Interest: DMA

4. Manage Opt Out

The consumer should be able to withdraw their consent to further communications at any time (opt out). The promoter must clearly explain how the consumer can opt out, and we recommend that you allow them to opt out via an appropriate and convenient channel, e.g.:

  • Email – Click unsubscribe 
  • App – Update app preferences 

However, you should bear in mind that any attempt or form of opt-out must also be honoured, which for SMS marketing in particular can make it complicated.

For example, a consumer may be able to demonstrate that they attempted to opt out by texting STOP to a shared number but were instead opted out of another service that had texted them more recently. For this reason, we now recommend that any clients doing SMS marketing should have a dedicated number (short code or long code) for opt-out purposes.

Opt-in vs Opt-out for GDPR. Image source: Interaction Design

5. Profiling and Segmentation

Here are 4 key points to remember in relation to profiling and segmentation data when running a competition post-GDPR:

  • Don’t try and capture excessive or irrelevant information
  • Profiling questions must not be mandatory
  • Clearly state why you are capturing the information
  • You must give the consumer the right to object when entering information

For example, if an in-store competition is offering customers the chance to win a cinema or restaurant voucher, does their gender information really need to be collected? We would think not – however it should be legitimate to ask for their location if the offers can only be redeemed in specific locations or venues.

Regarding age, it would be deemed highly relevant for an alcohol or other age-restricted brand to capture the consumer’s age and validate it before allowing them to enter a competition.

6. Privacy Policy

The purpose of capturing any consumer data should always be clearly explained in the Privacy Policy, which should be easily located on the promotional website, and customers should tick that they have read the Privacy Policy on any opt-in forms.

Your Privacy Policy Data Protection statement can be set out in your Terms and Conditions as long as it is clearly indicated as a separate section at the start or end of the list. Here is one example of a Privacy Policy from the Competition and Consumer Protection Commission: one would hope that this has been reviewed extensively!  

7. Getting your Organisation GDPR-ready

You’re probably already well on top of GDPR by now, but just in case here are some important points relating to your own company’s processes and suppliers.

You should also have in place secure data hosting and processing on your own systems, make your staff aware of these new processes, and put in place clear data retention and deletion policies. We find the ICO website very helpful, and also the Irish website GDPRandYou.

All companies have the responsibility to examine whether the suppliers they work with are GDPR compliant if they are handling your data or your customer data at any level. Your suppliers (Data processors) must be prepared to assist you should a consumer submit a subject access request (SAR), again highlighting the importance of having a GDPR-specific contract with each data processor.

We’ve written another GDPR-related blog which you can read here about what we’ve been doing at Púca to get our technology and processes GDPR-ready.

Final thoughts

In conclusion – despite the potential fines and the additional work and training required – we think it’s vital to see GDPR as a positive development because treating consumer data ethically is good for everyone in the long run.

We hope this article has been helpful and please do get in touch if you have a sales promotion that you would like to discuss. We have retained Sytorus the Data Privacy specialists and also the Privacy Engine tool so we can access expert advice on whether your sales promotion entry mechanic is GDPR-compliant.

Disclaimer: We always recommend you seek your own legal advice as the above tips may not be comprehensive.


Data Controller – Owner of the data – normally the brand, retailer or business collecting the data.
Data Processor – Third party who handles or processes the data on behalf of the Data Controller
Data subject – also referred to here as the “consumer” i.e. the person whose personal data is being collected
GDPR – GDPR will replace the Data Protection Act 1995 and was initially adopted April 2016 by the European Parliament and the European Council, after four years of negotiations. GDPR provides increased control of personal data for EU citizens by making organisations (that collect, process and store such data) much more responsible, especially for data breaches.

Featured image courtesy of the Drum.
