Consent to Marketing - how are you managing customer consent?
If you send email marketing newsletters to your customers, how are you managing their consent to receive marketing material? Prepare your website for the General Data Protection Regulation (GDPR), which comes into force on 25 May 2018.
Many of the GDPR's main concepts and principles are much the same as those in the current Data Protection Act (DPA). However, there are new elements and significant enhancements: the GDPR builds on the DPA standard of consent in several areas and in much more detail.
What role does "consent" play in the GDPR?
Basing your processing of customer data on GDPR-compliant consent means giving individuals genuine choice and ongoing control over how you use their data, and ensuring your organisation is transparent and accountable.
The definition of consent
DP Directive definition:
"any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed"
GDPR definition:
"any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her"
In Brief
The GDPR sets a high standard for consent, but the biggest change is what this means in practice for your consent mechanisms. The GDPR is clearer that an indication of consent must be unambiguous and involve a clear affirmative action.
- Consent should be separate from other terms and conditions. It should not generally be a precondition of signing up to a service.
- The GDPR specifically bans pre-ticked opt-in boxes.
- It requires granular consent for distinct processing operations.
- You must keep clear records to demonstrate consent.
- The GDPR gives a specific right to withdraw consent. You need to tell people about their right to withdraw, and offer them easy ways to withdraw consent at any time.
- You need to review existing consents and your consent mechanisms to check they meet the GDPR standard. If they do, there is no need to obtain fresh consent.
What are the key changes to make in practice?
You will need to review your consent mechanisms to make sure they meet the GDPR requirements on being specific, granular, clear, prominent, opt-in, documented and easily withdrawn. The key new points are as follows:
- Unbundled: consent requests must be separate from other terms and conditions. Consent should not be a precondition of signing up to a service unless necessary for that service.
- Active opt-in: pre-ticked opt-in boxes are invalid – use unticked opt-in boxes or similar active opt-in methods (e.g. a binary choice given equal prominence).
- Granular: give granular options to consent separately to different types of processing wherever appropriate.
- Named: name your organisation and any third parties who will be relying on consent – even precisely defined categories of third-party organisations will not be acceptable under the GDPR.
- Documented: keep records to demonstrate what the individual has consented to, including what they were told, and when and how they consented.
- Easy to withdraw: tell people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to give consent. This means you will need to have simple and effective withdrawal mechanisms in place.
- No imbalance in the relationship: consent will not be freely given if there is an imbalance in the relationship between the individual and the controller – this will make consent particularly difficult for public authorities and for employers, who should look for an alternative lawful basis.
Information source - ico.org