Consent is only one of several lawful bases for data processing available under the EU General Data Protection Regulation. The others — fulfilling a contract and legitimate interest being the most popular — are often preferred to consent because consent can be withdrawn by the data subject at any time.
Nonetheless, sometimes consent is the most appropriate — or only — basis for personal data processing. For example, although GDPR Recital 47 explicitly states that direct marketing may be based on legitimate interest, the ePrivacy Directive and the member state law implementing it (such as the U.K.’s Privacy and Electronic Communication Regulations) generally mandate the use of consent for email marketing and cookies.
The GDPR requires consent to be opt-in. It defines consent as “freely given, specific, informed and unambiguous” given by a “clear affirmative action.” It is not acceptable to assign consent through the data subject’s silence or by supplying “pre-ticked boxes.”
Consent for email marketing — Success!
The IAPP, like many organizations, invites new customers and members to enjoy some of our content or other products for free to sample the goods. Ideally, the potential new customer or member enjoys the experience and decides to return for more.
To help this person in their decision, the IAPP might send them an email. But do we have their consent to do so? Under U.S. and Canadian email marketing laws, the IAPP does not always need opt-in consent, although it must always allow the customer to unsubscribe or opt out of future messages. Given the GDPR’s opt-in standards, the IAPP decided — along with many other companies globally — to convert to an opt-in standard for receiving email messages about IAPP news and events and to apply this to everyone globally.
Here is how it works. A potential new member is offered the opportunity to receive a free study guide for an IAPP certification or perhaps a copy of the “Top Ten Operational Impacts of the GDPR.” They complete a form that requires inputting their email (to fulfill the order). Although under U.K. law it might be allowable to rely on “soft opt-in” to send a follow-up email for related goods or services, the IAPP now gives potential customers a choice: “Yes, I’d like to receive news and updates from the IAPP” or “No, I do not want to receive such messages from the IAPP.” These choices are recorded in our customer records management system. They can be changed from “yes” to “no” (or vice versa) — by the customer’s actions — at any time.
This system, implemented June 1, 2018, has yielded the following results: Prior to that date, the IAPP’s consent records showed that approximately 82 percent of customers in our database were subscribed to receiving marketing communications — either through a soft opt-in or through another lawful basis to receive marketing communication. After implementing our opt-in system, 69 percent of our customers are recorded as subscribed. These numbers hold true among EU-, as well as U.S.-based, customers.
Yes, the number of consenting “leads” went down — but only by about 10 percent!
When nearly seven out of every 10 potential leads affirmatively agrees to receive your follow-on marketing communications, after being given a clear choice to receive or not to receive them, we call this an incredibly positive result. It taught us not to fear opt-in consent, especially if you can stand by the quality of your products and services and your respect for data subject’s rights.
Consent for cookies — Meh.
Following our marketing opt-in campaign, we tackled cookies…
