Consent is perhaps one of the most important aspects of GDPR, and marketers will need to pay close attention to this. Going forward, new changes in regulations will have businesses changing the way they ask customers for consent.
The GDPR defines consent as the following:
“Consent of the Data Subject means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her.”
In short, it’s become more difficult for organisations to obtain consent. An agreement for the processing of Personal Data needs to include clear, concise and affirmative action from organisations, to which the customer must agree.
Let’s break down the GDPR documentation and extract the key qualities which make up valid consent.
- “Freely Given”
There should be a genuine choice between giving, or not giving, consent in which there is also a clear option to ‘refuse’ consent. The choice between these two options should be clear and informed, by making all information on the repercussions of each option readily available to the Data Subject.
Consent must be obtained in a way that is distinguishable from all other matters. It must be clearly defined and identified. One piece of consent for all purposes will not suffice.
The data subjects should be aware of the data controller, purposes of processing and all of the below information.
The way that consent is collected should leave no doubt surrounding the intentions of the data controller/data processors in respect of the data subject's personal data. It should not be open to more than one interpretation.
In short, ensure that consent is presented clearly and separately from any other form of written declaration. No longer is it viable to present consent alongside the terms and conditions, or even within them; it must stand alone to ensure any uncertainty and ambiguity for the Data Subject is non-existent.
Sainsbury’s exemplify good practice by taking a specific and unbundled approach. As you can see, both consent and terms and conditions are presented as two separate sections, distinguishable by separate headings, text and boxes that are unticked.
Historically, organisations would gain consent in two steps: a form, followed by a confirmation email sent to customers. This is now bad practice, as the GDPR communicates that ‘double opt-in’ is mandatory for consent. This means that once a form is completed, the customer will receive an opt-in confirmation email that contains a link confirming subscription.
As expected, ‘double opt-in’ adds a further layer of confirmation to the process, which will strengthen and improve the accuracy of your mailing lists, which are populated only with correct data of the people who genuinely want to hear from you. The GDPR may seem like a lot of effort and hassle for now, but it brings the benefit of cleaning up your marketing practices and making them much more coherent and concise, so you truly know your customers better.
‘Explicit consent’ is best practice and in the majority of cases is the only compliant way to gain consent.
While ‘explicit consent’ has not been stipulated, obtaining it is considered best practice. That said, ‘implied consent’ – a situation where the person could easily conclude they have consented to marketing, even if not said in as many words – could be considered valid. This is called legitimate interest.
The GDPR notes the following with regard to Legitimate Interest:
“Necessary for the purposes of the Legitimate Interests pursued by the Controller or by a third-party, except where such interests are overridden by the interests or fundamental rights and freedoms of the individual which require protection or personal information, in particular where the individual is a child.”
Legitimate Interest will only apply if there's an established, relevant and appropriate relationship (in the eyes of the GDPR) between a data subject and an organisation. For instance, the data subject is an existing client of the organisation. In addition, the individual must expect that processing (within context) will take place. For instance, the individual will be subject to promotional offers or other marketing collateral based on his/her purchase.
Always bear in mind that it must invariably be communicated by the company to the data subject that they can rely on the grounds of Legitimate Interest to process their data. To ensure coherence and good practice on behalf of your organisation, an ‘unsubscribe’/‘opt-out’ option would ethically fulfil and satisfy any argument that involves the rights of an individual.
It’s of paramount importance that organisations fully comprehend these distinctions and comply with all the new consent laws that the GDPR brings. Failing to do so could be severely costly, with fines of up to €20 million or 4% of the organisation’s global annual turnover. Nevertheless, for most marketers the preparation begins now, if it has not already begun; prioritising legal consent and the storing and documenting of data is a great way to start.