Following the introduction of the General Data Protection Regulations (GDPR) in May 2018, Grid Law founder David Walker takes a question from a reader to consider the impact of new data laws on promotional prize draws and competitions.
If I run a prize competition on my website, am I obliged by law to hold details of the people who enter for any length of time after the prize draw?
How will this impact my GDPR statement?
Thanks for your question.
The General Data Protection Regulations (GDPR) don’t give specific time limits which you must adhere to. Instead, they say that you must keep the data for no longer than is necessary for the purpose for which it is processed.
The Advertising Standards Authority’s (ASA’s) CAP Code has rules that govern how prize competitions should be run and administered. They are currently going through a consultation process to look at how their rules and guidance fit with the GDPR to ensure consistency between them.
So, we may see changes in their rules and guidance (particularly in relation to the processing of personal data) in the near future and this is something that I’m keeping my eye on.
To answer your question now, you first need to ask yourself why you are collecting the personal data.
There are likely to be several reasons for this and the time limits for keeping and processing the data will vary accordingly.
The first, and most obvious reason, is that you need to administer the competition. Personal data will be collected as people enter and you will need to use that data to communicate with entrants and choose the winner.
After the winner has been chosen, you will likely need to keep all of the entrants’ data for a short period of time (maybe a month, depending on your terms and conditions) in case the winner doesn’t claim their prize or you have to disqualify them for any reason. You will then need to use the data again to draw a new winner.
You are obliged, under the ASA’s CAP Code to either publish or make available on request, the name and county of the winner(s) and you will usually put a 30-day time limit on this.
So, you will need to have the right to publish this information for at least 30 days after the winner has been drawn. (I imagine this is one of the provisions that will be looked at closely as part of the ASA’s consultation.)
Next, you need to ask yourself why you are running the prize competition in the first place.
For example, is it part of a sales promotion? If it is, are you intending to send marketing messages to entrants after the competition has ended?
Is running prize competitions your business? If it is, do you wish to promote future competitions to entrants of this competition?
Assuming you have permission to use the data for these purposes, then in both cases you will likely want to keep personal data for longer than a month after the competition has ended. You may decide (and it’s up to you to decide what is reasonable for your business) that you will keep the data for 12 months and then review the position again.
Depending on the capabilities of your CRM system, you may decide that after 12 months, anyone who has not opened an email from you, has not entered another competition, or has not purchased a product is removed from your mailing list. However, you may decide that you still need to keep the data for other purposes (see below).
If people are positively engaging with you, you may decide to keep these people on a marketing list for another 12 months and then review again.
If people unsubscribe earlier than 12 months, you should respect their wishes and stop marketing to them immediately.
Depending on the nature of the prize or the type of products you are selling, you may need to keep the entrants’ personal details for longer than 12 months.
For example, it may be prudent for warranty or product recall purposes to keep the data for five years or even longer, but it probably wouldn’t be reasonable to carry on marketing to these people after 12 months if they weren’t engaging with you (or didn’t consent to receive marketing in the first place).
These are just examples and you may have other reasons for keeping and processing the data.
As you can see, there isn’t a clear-cut time limit on how long you should hold the personal data. It really depends on the purpose for which you are holding it and what is reasonable in those circumstances.
Whatever decision you make about the length of time to keep the data, make sure you can justify it and explain why you decided this time limit was reasonable.
I hope this helps, and please feel free to email me again if you need any further guidance.