Let’s talk about GDPR Email Consent
You have an email list. It is GDPR season. Should you email everyone on your list, perhaps thousands or hundreds of people, to get fresh consent to hear from you, that is, to receive all over again whatever you told them you would send? Is it necessary?
Here’s what Article 7(1) of the General Data Protection Regulation says:
“Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.”
Should you send out emails to get consent again under GDPR?
No, if the consent you previously collected via the opt-in form on your webpage or landing page meets the requirements of the GDPR.
Remember that consent needs to be “freely given, specific, informed and unambiguous.”
Recital 171 of the GDPR states:
“Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation, so as to allow the controller to continue such processing after the date of application of this Regulation.”
This gives you some homework to do. Check these out:
- Did you collect subscriber personal data with their consent or did you just add names of people to your email list?
- Do you have any documentation of the consent that was received during subscription? Oftentimes, email marketing solution providers have proof of the date the subscriber opted in. Have you checked it lately?
- Did you use double opt-in for your sign-up forms when the subscriber opted in?
- Did you inform your subscribers about what they were signing up for? Were you clear about what you wanted from them?
- Did you force subscribers to sign up? That is, did you inform them that if they didn’t provide their personal data, they wouldn’t receive something you had promised them?
Some organizations have been sending out email blasts to everybody to refresh consent, but how about they use this opportunity to clean up their email marketing strategy? Sending mass “refresh consent” emails is not a quick fix.
The Information Commissioner’s Office (ICO) has a great checklist and it is clear about the reasons why re-consent is not needed:
“You are not required to automatically ‘repaper’ or refresh all existing DPA consents in preparation for the GDPR. But it’s important to check your processes and records in detail to be sure existing consents meet the GDPR standard.
“Recital 171 of the GDPR makes clear you can continue to rely on any existing consent that was given in line with the GDPR requirements, and there’s no need to seek fresh consent. However, you will need to be confident that your consent requests already met the GDPR standard and that consents are properly documented. You will also need to put in place compliant mechanisms for individuals to withdraw their consent easily.”
Quick Tips About GDPR Email Consent
1. Check whether your existing consent records meet GDPR requirements. What? Open up your email list account, click on one subscriber name, what do you see? Is there any information about when the user subscribed or joined?
2. What does your opt-in form look like? Are there unchecked permission boxes / consent boxes to opt in to hear from you for specific reasons listed on the form? If different types of processing will occur, list them separately.
3. Demonstrate consent. Keep good records showing that you actually received consent, including what subscribers agreed to receive from you.
4. Don’t “force” data subjects to give consent if they want to receive something from you, unless of course the submission of their personal data is necessary as part of your service or business solution.
5. Please, absolutely no pre-ticked boxes on your opt-in form.
Let’s talk about those “GDPR refresh consent emails”
Are the emails that bad? I received them and frankly, I didn’t even know that I signed up for some lists! It made it easy for me to unsubscribe. What do you think?
My blog posts are for informational purposes only and should not in any way be construed as legal advice and I bear no liability if you choose to rely on the blog post. For legal advice, please consult an attorney licensed to practice in your jurisdiction.
Belinda is a Global Privacy and Cybersecurity Consultant, Corporate Trainer (leadership, culture, diversity and inclusion, cyber privacy and security awareness), Writer, and International Speaker with a unique blend of law and technology. She is a digital entrepreneur, author, ordained pastor, mentor to women ready to impact their generation and host of Destiny Chats podcast.