UK/EU GDPR: What is valid consent?


Previously I've talked about the affirmative consent standard found in the US federal anti-spam law (CAN-SPAM). I've found it a very useful test when trying to understand whether a process is appropriately opt-in or not. Wondering if GDPR has something similar? It does.

Post-Brexit, the UK kept GDPR on its books as "UK GDPR," so the UK and the EU now have slightly differing versions of the law, but the UK's Information Commissioner's Office (ICO) provides a pretty good guide to email marketing permission standards, and I think it's a good starting point for learning about opt-in requirements EU-wide.

The ICO explains that "Consent requests need to be prominent, concise, easy to understand and separate from any other information such as general terms and conditions."

Opt-in is key -- see the ICO's "What methods can we use to obtain consent?" section for more details. No pre-checked boxes, nothing buried in terms and conditions, wording that's easy to understand, and a way to withdraw consent that is as easy as giving it was.

The handy website GDPR.eu, put together by Proton AG (and co-funded by the Horizon 2020 Framework Programme of the European Union) has a helpful "Email marketing and spam" section (scroll down) that you'll want to review as well, where they highlight four guidelines drawn from GDPR's consent rules (consent is one of the lawful bases listed in Article 6; the definition of consent is in Article 4(11), the conditions for it in Article 7, and the rules for children in Article 8):

  • Consent must be “freely given, specific, informed and unambiguous.”
  • Requests for consent must be “clearly distinguishable from the other matters” and presented in “clear and plain language.”
  • Data subjects can withdraw previously given consent whenever they want, and you have to honor their decision. You can’t simply change the legal basis of the processing to one of the other justifications.
  • Children under 13 can only give consent with permission from their parent.

(They go on to explain that you need to keep documentary evidence of consent: who consented, when, how, and what they were told.) One caveat on the last bullet: GDPR itself sets the age of consent for online services at 16 and lets each member state lower it to as low as 13, so the threshold varies by country; 13 is the UK's figure.

I'm not a lawyer and this is not legal advice. Duh. But I find the ICO's guidance here easy to digest and good at pointing you in the right direction on handling email marketing opt-in properly, and I hope you do, too.

Do keep in mind that this could change in the future. Post-Brexit, the UK is likely to overhaul its reliance on GDPR for privacy law. But this is where we're at today.
