GDPR and Consent

Complying with the new European regulation means re-thinking how you obtain consent from your contacts. Marketing practices that were used without clear consent from each individual under Directive 95/46/EC are no longer allowed under the EU GDPR. To help you understand the consequences of the new regulation, here is a summary of key information on obtaining consent under GDPR for your reference.

Soft Opt-in Under GDPR

Is soft opt-in acceptable under GDPR? No. Soft opt-in is not considered explicit consent under GDPR, so it is not an acceptable practice. Soft opt-in is a form of implied, temporary consent taken from individuals while collecting their email details. Regardless of how much individuals engage with your marketing communications, consent must be asked for in explicit language. If the individual didn’t say “yes”, it means “no”.

What is double opt-in?

Double opt-in is when individuals must confirm their email address before being added to your email list and receiving email communication from you. It is a second confirmation of their subscription to your newsletter or to any service that needs their email details. Using double opt-in in email marketing is a good way to ensure compliance with the GDPR consent requirements.

How to write a clear and concise consent message?

A consent message needs to be easily understandable to individuals. Practices such as pre-ticked opt-in boxes, confusing or vague language (double negatives or inconsistent wording) and disruptive mechanisms are banned by the Regulation.

An example of a clear and concise consent message: “You agree that [your organisation name] may collect, use and disclose your personal data which you have provided in this form, for providing marketing material that you have agreed to receive, in accordance with our data protection policy [available at link]. Please tick the relevant boxes below if you agree to receive: [boxes]”

What should I do about my legacy data/contacts?

New and explicit permission will have to be obtained before sending email marketing campaigns to your legacy contacts, unless you have a record of their consent to receive such communication from you.

How does GDPR affect telemarketing?

Along with marketing emails, you can still communicate with your contacts through marketing calls, faxes or texts. However, you need to make sure that they have given clear consent for each communication channel. Preferably using double opt-in, the individuals must confirm that they are happy to receive marketing communication from your organization through that specific channel.

How do I store consent under GDPR?

Under GDPR, you need to keep a record of how you obtained the express consent of the data subject. That includes: the data subject who gave the consent, when the consent was obtained (a date and time stamp, for example), and the specific purpose for which the consent was given. A record of the IP address, location and time at which someone submitted a consent form is insufficient without a screen capture of the form itself. Sending a confirmation email containing this information is recommended.

How should I manage consent?

You should review consent data regularly to check that the relationship, the processing and the purposes have not changed, and consider using privacy dashboards to make it easy for individuals to update their consent preferences. Any consent withdrawal request should be processed as soon as possible, and a record of it kept.
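The three mechanics above (double opt-in confirmation, the consent record with subject, time stamp, purpose and the form wording shown, and withdrawal that keeps the record rather than deleting it) fit together in one small data model. The following Python is an added example written for this page, not code from the original page or from any product it describes; the `ConsentStore` class, its method names and the sample subjects and addresses are all assumptions made for illustration. It confirms consent only through a single-use, time-limited token, stores only a hash of that token so a leaked pending table cannot be used to confirm on someone's behalf, records consent per channel and purpose, and treats an unticked or pre-ticked box as no consent at all.

```python
import hashlib
import secrets
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import Optional

# Channels named on the page; each one needs its own recorded consent.
CHANNELS = {"email", "phone", "fax", "sms"}


@dataclass
class ConsentRecord:
    """One consent decision for one subject, channel and purpose."""
    subject: str              # who gave the consent (hypothetical: e-mail address used as id)
    channel: str              # which communication channel the consent covers
    purpose: str              # the specific purpose the consent was given for
    form_text: str            # snapshot of the wording the subject actually saw
    ip_address: str           # where the form was submitted from
    requested_at: datetime    # when the form was submitted (UTC)
    confirmed_at: Optional[datetime] = None   # set when the double opt-in link is used
    withdrawn_at: Optional[datetime] = None   # set on withdrawal; the record is never deleted

    @property
    def active(self) -> bool:
        return self.confirmed_at is not None and self.withdrawn_at is None


class ConsentStore:
    """Hypothetical in-memory consent store implementing double opt-in."""

    def __init__(self, token_ttl: timedelta = timedelta(hours=48)):
        self._ttl = token_ttl
        self._pending: dict[str, ConsentRecord] = {}   # sha256(token) -> unconfirmed record
        self._records: list[ConsentRecord] = []        # confirmed (and later withdrawn) records

    @staticmethod
    def _digest(token: str) -> str:
        # Only a hash of the confirmation token is stored: a leak of the pending
        # table does not let anyone confirm consent on the subject's behalf.
        return hashlib.sha256(token.encode()).hexdigest()

    def request(self, subject: str, channel: str, purpose: str, form_text: str,
                ip_address: str, ticked: bool, now: datetime) -> Optional[str]:
        """Step 1 of double opt-in: the subject submits the form.

        Returns the confirmation token to send to the subject, or None when the
        box was not actively ticked (an untouched or pre-ticked box is not consent).
        """
        if channel not in CHANNELS:
            raise ValueError(f"unknown channel: {channel}")
        if not ticked:
            return None
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = ConsentRecord(
            subject=subject, channel=channel, purpose=purpose,
            form_text=form_text, ip_address=ip_address, requested_at=now)
        return token

    def confirm(self, token: str, now: datetime) -> Optional[ConsentRecord]:
        """Step 2: the subject follows the confirmation link.

        Unknown, reused or expired tokens confirm nothing; a valid token is single-use.
        """
        record = self._pending.pop(self._digest(token), None)
        if record is None or now - record.requested_at > self._ttl:
            return None
        record.confirmed_at = now
        self._records.append(record)
        return record

    def may_contact(self, subject: str, channel: str, purpose: str) -> bool:
        """True only when an active consent exists for exactly this channel and purpose."""
        key = (subject, channel, purpose)
        return any(r.active and (r.subject, r.channel, r.purpose) == key for r in self._records)

    def withdraw(self, subject: str, channel: str, purpose: str, now: datetime) -> int:
        """Mark matching active consents as withdrawn; returns how many were affected."""
        key = (subject, channel, purpose)
        count = 0
        for r in self._records:
            if r.active and (r.subject, r.channel, r.purpose) == key:
                r.withdrawn_at = now
                count += 1
        return count

    def audit(self, subject: str) -> list[dict]:
        """Everything recorded for one subject, as plain dicts, for a subject access request."""
        return [asdict(r) for r in self._records if r.subject == subject]


if __name__ == "__main__":
    # Constructed sample run: one subject, one channel, full lifecycle.
    store = ConsentStore()
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    form = "You agree that Example Ltd may use your email to send the newsletter: [x] email"
    token = store.request("alice@example.test", "email", "newsletter", form, "198.51.100.7", True, t0)
    store.confirm(token, t0 + timedelta(hours=1))
    print("may email:", store.may_contact("alice@example.test", "email", "newsletter"))
    store.withdraw("alice@example.test", "email", "newsletter", t0 + timedelta(days=30))
    print("may email after withdrawal:", store.may_contact("alice@example.test", "email", "newsletter"))
    print(store.audit("alice@example.test"))
```

`may_contact` is the check to call before every send: consent for email does not cover SMS, and a withdrawn consent stays in the store with its withdrawal time so that the audit trail survives. In a real deployment the records would live in a database and the token would be delivered in the confirmation email the page recommends.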

Consent and third-party providers

If you provide or transfer personal data to third parties, the data controller must have agreed to this data sharing. Consent for categories of third parties is not enough under the new European regulation, as you now need to list the third-party providers involved. If you use personal data obtained from third parties, you must confirm that each individual’s consent was collected properly.

What are legitimate interests?

Based on Article 6(1)(f), private-sector organizations can process individuals’ data without their consent if they have a legitimate and genuine reason to do so, and that processing must not be outweighed by an unwarranted impact on the individuals. The subject’s fundamental rights and freedoms must not be harmed; for example, processing personal data for the purpose of preventing fraud is considered a legitimate interest, whereas direct marketing is not.

Check out the consent checklist to make sure you follow the right guidelines for your transition to GDPR.