Workload and Application Security Blog

GDPR: Requirements Around Consumer Consent & Opt-Ins for Email

Written by Virsec Systems | May 24, 2018 10:42:45 PM

Tomorrow is the big day and welcome or not, the GDPR regulations arrive and go into effect. Perhaps one of the more challenging aspects companies have been wrestling with is how to manage their email lists. Hopefully you’ve already taken steps to address that, but for those still preparing or double-checking their dotted i’s and crossed t’s, this article recaps some basics.

Gaining consent from your email subscribers

Most businesses have at least one if not many email lists that they use regularly to communicate with their customers and contacts. Many of those names may have been collected through “soft” methods, such as pre-checked boxes on a form or being transferred from one list to another without directly asking each time, and those kinds of methods are not acceptable under GDPR.

Going forward, gathering new names requires very specific consent from customers (data subjects): the offer to opt in and hear from you again must be clearly communicated to them, and the choice to respond and accept must be actively theirs (no more passive additions to your email list from a GDPR perspective).

The GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” (https://www.gdpreu.org/the-regulation/key-concepts/consent/)

Companies can use different means to obtain the ‘clear, affirmative action’, but it’s clear that a distinct action from the user (data subject) is needed to meet the consent requirement. Companies can’t help or persuade them by pre-checking a yes box, even if the user could uncheck it. The regulations also specify that companies must keep documented proof of the consent. Some companies are using a simple approach of presenting 2 boxes for customers to check: “Yes, please add me to your mailing list” or “No, I do not wish to receive emails from you.” (Likely obvious at this point, this is a steeper requirement than the US CAN-SPAM regulation, which only requires companies to provide the means to opt out.)

What about subscribers already in your database?

Such an approach works for gaining new subscribers. But the law also applies to names already in your company’s database. With all the advance buildup to the GDPR taking effect, the regulators’ position is that companies had 2 years, from May 25, 2016 until now (May 25, 2018), to get their existing databases in line with the new regulations. So, by tomorrow, your organization needs to have already garnered active consent from the members currently on your email list.

To that end, you’ve likely been receiving emails over the last few weeks from many companies attempting to get this consent. Some companies have been very direct in their approach, referencing changing laws in their request for confirmation that you want to keep hearing from them, followed by 2 check boxes: “Yes, I confirm” or “No, I do not consent.”

When going about gaining this permission, it can be useful to break your list down into categories based on things like level of activity, past behavior, prior consent, and so on.

For contacts from whom you haven’t gained consent by now and who have not given prior consent, use caution and consideration in contacting them via email after tomorrow (May 25), as doing so may be considered processing their data without consent, which is a violation.

The GDPR regulations require many more steps for compliance as well, including the mandate to keep clear records, to have a defined purpose for using a subject’s data, and to delete those records when that purpose is complete or when requested by the data subject.

Business uses and requirements differ in some ways between B2B and B2C, so it’s worthwhile to do some research to learn precisely what you’re obligated to do to be in GDPR compliance.

Resources:

1. Consent checklist:

2. Additional GDPR requirements:

At a glance (shown in image below)

• The GDPR sets a high standard for consent. But you often won’t need consent. If consent is difficult, look for a different lawful basis.
• Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation.
• Check your consent practices and your existing consents. Refresh your consents if they don’t meet the GDPR standard.
• Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.
• Explicit consent requires a very clear and specific statement of consent.
• Keep your consent requests separate from other terms and conditions.
• Be specific and ‘granular’ so that you get separate consent for separate things. Vague or blanket consent is not enough.
• Be clear and concise.
• Name any third party controllers who will rely on the consent.
• Make it easy for people to withdraw consent and tell them how.
• Keep evidence of consent – who, when, how, and what you told people.
• Keep consent under review, and refresh it if anything changes.
• Avoid making consent to processing a precondition of a service.
• Public authorities and employees will need to take extra care to show that consent is freely given, and should avoid over-reliance on consent.
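As an added illustration (not code from the original post or from Virsec), the two-box opt-in described earlier and the checklist’s points on positive opt-in, granular purposes, evidence of consent and withdrawal, expressed as a small in-memory consent store; the class, method and field names are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class ConsentRecord:
    """Evidence of one consent: who, when, how, and the exact wording shown."""
    subject: str                      # who (e.g. the email address)
    purpose: str                      # granular purpose, e.g. "newsletter"
    statement: str                    # the opt-in text the person actually saw
    method: str                       # how: "web_form", "email_reply", ...
    given_at: datetime                # when
    withdrawn_at: Optional[datetime] = None


class ConsentStore:
    """Hypothetical in-memory store; a real system would persist these records."""
    def __init__(self) -> None:
        self.records: List[ConsentRecord] = []

    def record_opt_in(self, subject: str, purpose: str, statement: str,
                      method: str, ticked: bool, default_ticked: bool,
                      now: Optional[datetime] = None) -> Optional[ConsentRecord]:
        # A pre-ticked box is default consent and never counts, even if the
        # person left it ticked, so the form itself is rejected as evidence.
        if default_ticked:
            raise ValueError("pre-ticked opt-in box cannot establish consent")
        # No positive action means no consent; nothing is recorded.
        if not ticked:
            return None
        rec = ConsentRecord(subject, purpose, statement, method,
                            now or datetime.now(timezone.utc))
        self.records.append(rec)
        return rec

    def withdraw(self, subject: str, purpose: str,
                 now: Optional[datetime] = None) -> int:
        # Withdrawal closes the record rather than deleting it: the evidence of
        # what was consented to, and when it ended, is kept. Returns count closed.
        when = now or datetime.now(timezone.utc)
        closed = 0
        for r in self.records:
            if r.subject == subject and r.purpose == purpose and r.withdrawn_at is None:
                r.withdrawn_at = when
                closed += 1
        return closed

    def can_email(self, subject: str, purpose: str) -> bool:
        # Consent is granular: a live record for this exact purpose is required.
        return any(r.subject == subject and r.purpose == purpose
                   and r.withdrawn_at is None for r in self.records)

    def evidence(self, subject: str) -> List[ConsentRecord]:
        return [r for r in self.records if r.subject == subject]
```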

3. GDPR Overview: https://www.gdpreu.org/

4. Information Commissioner’s Office: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent/

5. Data & Marketing Association: https://dma.org.uk/gdpr

Data privacy remains of critical importance, as does the protection of that data. The two go hand in hand. Visit our resource page for more information on protecting your application data, from web to memory.