GDPR & Marketing Consent: No Means No
The General Data Protection Regulation (GDPR) has made waves across numerous sectors, and its vibrations will continue to echo around the offices and break rooms of marketing agencies across the UK.
Given that GDPR will control and govern how businesses use data, the methods businesses use to market themselves are a prime target for the new law.
In essence, consent is the name of the game. Let’s have a look at this in more detail and understand what the landscape is now, after the GDPR deadline. For the full GDPR spec, read our GDPR Guide for Businesses.
What is GDPR Consent?
Here’s exactly what consent looks like for GDPR. It must be:
- Freely given, without being forced or with any undue threat of penalisation. If consent is a condition of a subscription, consent must be demonstrable.
- Relevant to the type of communication in question, and the organisation sending it.
- Displayed clearly with no room for error. The person needs to know what they are agreeing to.
- A positive expression of choice, with a prominent statement signifying agreement. Opting in cannot be inferred from silence, pre-ticked boxes or inactivity.
The Official Definition of Consent
Under GDPR, consent is defined as:
“Freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” (Article 4(11))
Let's break this down into jargon-free chunks:
Under the previous Data Protection Act 1998, there was some room for ambiguity. Many companies employed 'opt-out' methods of consent or 'catch all' marketing consent. The aim of GDPR is to do away with this ambiguity, and many of these techniques of gaining consent have now been rendered obsolete. As it says on the tin, consent must now be unambiguous, so there has to be a clear 'opt-in' method only.
Fairly standard, here. It is both unethical and illegal for companies to force, coerce or otherwise acquire consent against an individual’s will.
In fact, GDPR now clarifies that consent will not be freely given if:
- The data subject has no genuine and free choice or is unable to refuse or withdraw consent without detriment (Recital 42) and/or
- There is a clear imbalance between the data subject and the controller (Recital 43)
Consent must relate to specific processing operations. This means that different methods of contacting the data subject will need their own specific consent, so email will need consent, calls will need consent and they cannot be grouped together under a generic form of consent.
The new legislation clarifies that, for consent to be informed, data subjects should understand the extent to which they are consenting, and be aware of who the controller is and the purposes of the relevant processing.
“Right to withdraw”
The subject of your data has the right, and they must be aware of this, to withdraw their consent at any time. They have to be informed of their right to do so at the time of consenting.
Note that it must be as easy to withdraw consent as it is to give. If in any way, shape or form, it seems too troublesome a task then the subject is likely to not bother.
Make it easy for your subject to consent AND withdraw consent!
Consent may be in writing or oral form. However, we’d recommend you get it in writing to avoid any confusion or miscommunication. Make sure that you record any phone conversations so you can give evidence of consent if needed.
Ways to Obtain Consent
There are a few different ways you can ask your customers for consent. The one we’d recommend is to simply ask your customers to tick an opt-in box to confirm they do want to receive marketing messages. You then document the specific channels you intend to use (whether that’s post, email or phone calls).
You can also implement a 'double-opt-in' process for all marketing communication, which will allow visitors to confirm that they want to receive communication from your organisation. The visitor simply fills out a form, submits it, then replies to an opt-in request email to confirm.
You can also use other methods, such as clicking an icon, sending an email, subscribing to a service or oral confirmation.
Some things to remember:
- The individual must know, without mistake, that they have given consent, and what they have consented to - no important details should be hidden with ‘small print’.
- Businesses cannot email or text to ask for consent after having been denied, as the message itself is considered a ‘marketing’ message and will be in violation.
- There needs to be an easy, simple way of opting-out.
Is There a Time Limit to Consent?
While there is no fixed time limit as to when consent expires, it is best to assume that it does not remain valid forever. Furthermore, a person’s most recent indication of consent is paramount. If, for example, a customer agrees to marketing on three previous occasions but opts out the fourth time, it’s the last decision that counts.
In the grand scheme of things, GDPR considers consent to last ‘for the time being’, which has been interpreted to mean ‘until a time where there could be a significant change in circumstances’.
Will My Organisation Need to Provide Proof of Consent?
In a word: yes. Your organisation needs to record and display clear proof of consent, complete with date, what exactly has been consented to and who obtained the consent.
In the event of a complaint, or a legal wrangle of any description, this evidence will definitely come in handy. Using a CRM which automatically records all contact interactions (such as the HubSpot CRM) is highly recommended.
Where GDPR is concerned, ‘consent’ is the word on everyone’s lips. It must be taken seriously, handled with care and utmost professionalism. Ensure that GDPR-relevant training is given throughout your workforce, so that awareness is spread across all departments.
We’ll conclude with a brief description of what requirements must be met by consent.
Consent requests must be separate from other terms and conditions. As such, consent should not be a precondition of signing up to a service unless necessary for that service.
- Active opt-in
Now that pre-ticked opt-in boxes are invalid, use unticked opt-in boxes or similar active opt-in methods.
Give granular options to consent separately to different types of processing wherever appropriate.
Name your organisation and any third-parties who will be relying on consent - even precisely defined categories of third-party organisations will not be acceptable under the GDPR.
Remember to keep records so you can demonstrate what the individual has consented to. This includes what they were told, and when and how they consented.
- Easy to withdraw
Individuals have the right to withdraw their consent, and doing so must be made as easy as possible.