The European Union’s GDPR regulation, which has been in force since May 2018, compels companies to implement changes to their marketing activities. One of the basic issues marketers must address is the acquisition of appropriate consents for personal data processing.
Even though under GDPR consent is just one of six possible legal bases for the lawful processing of personal data (others include a contract, a legal obligation, or saving somebody’s life), for marketers it is all but indispensable.
Consent for data processing under GDPR
For data processing to be lawful under GDPR, a data subject’s permission to use their personal data has to be given by a clear affirmative action.
Consent must be freely given, specific, informed and unambiguous. The individual must also have the right to withdraw their consent at any moment.
As specified in Recital 32 of GDPR:
Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
In practice, this means that all of a company’s leads, clients and partners need to consciously confirm that they agree to be contacted by the company for specific purposes. Such permission cannot be expressed through a pre-ticked opt-in box under a contact form; it has to be given deliberately, by a specific action of the data subject (e.g. ticking the box themselves).
How does it work in practice?
In marketing, consent management translates into the appropriate use of opt-ins and opt-outs. Marketers must not assume that their potential customers agree to be contacted; they must be able to prove that the person they are contacting has given permission for that contact.
For example, an e-mail address or telephone number provided by a customer, which may be necessary to process their order, may not be used for any other purpose, such as sending them information about promotional offers on other products.
In order to use the e-mail address (or any other communication channel) for marketing activities, the data controller must have the recipient’s explicit consent to those activities (expressed e.g. by ticking the appropriate boxes under the form).
If a company wants to profile customers in order to make them a tailored offer based on their personal data, it has to obtain their consent to use the specific types of information involved, e.g. their location, age or gender.
Below is an example of two contact forms, the first non-compliant and the second compliant with GDPR.
Just as important, any person who has agreed to have their data processed must be guaranteed the possibility to withdraw that consent at any time (withdrawing consent should be as easy as giving it).
One way to ensure that recipients can withdraw their consent is to include a link in the footer of every e-mail sent to customers that lets them opt out of unwanted communications at any time.
After clicking the link, the user may be redirected to an unsubscribe page, which may contain personalized content and any information prepared by the company. Such a page can be created e.g. in iPresso, where the unsubscription process takes place in one step (a verification page) or two steps (verification and confirmation pages).
The burden of proof
In case of doubt as to whether consent has been given, it is the responsibility of the data controller to prove that the person whose data is being processed has provided the relevant consent (where the processing is based on consent). The controller should therefore ensure that they are able to prove that all the pertinent permissions have been collected.
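As an added illustration (not code from this article or from iPresso), here is a small per-purpose consent ledger in Python that applies the rules described above: nothing is assumed by default, a pre-ticked box is rejected, each purpose is consented to separately, a footer unsubscribe is recorded as a single withdrawal action, and the controller can produce the timestamp and evidence behind any active consent. The purpose names, contact address and form descriptions are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

PURPOSES = {"order_processing", "promotional_email", "profiling"}  # each is a separate consent

@dataclass(frozen=True)
class ConsentEvent:
    purpose: str
    granted: bool   # True = opt-in, False = withdrawal (unsubscribe)
    at: datetime
    evidence: str   # what the subject did, e.g. "contact form, 'offers' box ticked"

@dataclass
class ConsentLedger:
    # Append-only history per contact (keyed by e-mail here). Nothing is overwritten, so the
    # controller can always show when and how each consent was given or withdrawn.
    events: dict = field(default_factory=dict)

    def record(self, contact, purpose, granted, evidence, pre_ticked=False, at=None):
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}")
        if granted and pre_ticked:  # Recital 32: a pre-ticked box is not an affirmative action
            raise ValueError("a pre-ticked box does not constitute consent")
        ev = ConsentEvent(purpose, granted, at or datetime.now(timezone.utc), evidence)
        self.events.setdefault(contact, []).append(ev)
        return ev

    def latest(self, contact, purpose):
        return next((e for e in reversed(self.events.get(contact, [])) if e.purpose == purpose), None)

    def allowed(self, contact, purpose):
        ev = self.latest(contact, purpose)  # no record at all (silence) is never consent
        return ev is not None and ev.granted

    def proof(self, contact, purpose):
        ev = self.latest(contact, purpose)  # what the controller produces when challenged
        return f"{ev.at.isoformat()} {ev.evidence}" if ev and ev.granted else None

def demo():  # constructed scenario: order-only contact, promo opt-in, then footer unsubscribe
    t = datetime(2019, 1, 10, 9, 0, tzinfo=timezone.utc)
    ledger, who = ConsentLedger(), "anna@example.com"  # constructed sample contact
    ledger.record(who, "order_processing", True, "order #1001 checkout form", at=t)
    before = ledger.allowed(who, "promotional_email")  # False: order contact is not promo consent
    try:
        ledger.record(who, "promotional_email", True, "pre-ticked box", pre_ticked=True)
    except ValueError:
        pass  # rejected: nothing is recorded for a pre-ticked box
    ledger.record(who, "promotional_email", True, "contact form, 'offers' box ticked", at=t)
    opted_in = ledger.allowed(who, "promotional_email")  # True
    ledger.record(who, "promotional_email", False, "footer unsubscribe link clicked", at=t)
    return before, opted_in, ledger.allowed(who, "promotional_email"), ledger.proof(who, "promotional_email")
```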