The Bullshit Practice of Asking to Renew Consent under the GDPR*

Adrien van den Branden
May 14, 2018

In the past weeks and months, we in Europe have all received those awkward emails asking us to refresh our consent for receiving corporate newsletters.

The reason they say? GDPR.

The General Data Protection Regulation (GDPR) is a huge piece of European law that is causing a lot of fuzziness and that has become a very trendy discussion topic, being applicable from 25 May onward.

To me this whole refreshing consent under GDPR thing is bullshit at best and unlawful at worst under current EU laws. In reality, companies use GDPR as an excuse to clean up their newsletters databases which they were badly managing thus far. Keep reading to see why.

“Would you like to continue hearing from us?”

A quick recap of the EU rules on email marketing

European rules on email marketing are intricate.

Sending newsletters to individuals by email is forbidden unless you have obtained their prior consent. This general rule is called “opt-in” and is widely understood among marketeers. However, there is a loophole (called “soft opt-in”): you are not required to secure prior consent of your existing clients if:

  1. You obtained their email as part of a sale of a service or a product (a request for information will not qualify — so prospects are out of the picture)
  2. Your marketing message relates to a similar service or product (provided by you, not by another company)
  3. You have given the opportunity to your clients to opt out at the time you collected their email (good luck in proving that!) and you are providing for an easy-to-use opt-out mechanism with each message (e.g. through an “unsubscribe me” link in the email body); and
  4. You can demonstrate that your clients have not previously opted out.

The soft-opt-in exemption derives from the ePrivacy Directive (not the GDPR) and is tough to achieve, especially regarding the fourth condition. And regulators have not been soft on companies that were unable to demonstrate that users did not opt out but decided to send them marketing email anyway.

You can’t send a “would you like to hear from us?”-type of message if you are unsure

Honda case: the conundrum exposed

The difficulty in applying soft opt-in is perhaps best illustrated by the infamous Honda case.

In 2017, the British data protection authority charged car manufacturer Honda a 13,000£ fine. On what grounds? Honda sent an email titled “Would you like to hear from Honda?” to 289,790 email addresses sitting on a database where no “opt-in” or “opt-out” information was held due to an alleged flaw in the database. Clearly marketing people at Honda had not managed their newsletters database well. Hence they presumably tried to clean up the database by inviting their users to (re-)provide their consent.

The British data protection authority made two important rulings in the Honda case:

  • An email asking users to reconfirm their marketing preferences is by its very nature a marketing message.
  • If you don’t know whether your clients have opted out, then you can’t rely on “soft opt-in” to send out a marketing message.

The bottom line from the Honda case (available in extenso here) is that you can’t send a “would you like to hear from us?”-type of email if you are unsure about whether the individuals opted out, which of course is the reason why you would send such email in the first place.

The GDPR bullshit excuse

The Honda case blatantly exposes the conundrum of the ePrivacy Directive rules on email marketing.

You can’t send marketing email to users you don’t know have opted out. An email asking users to reconfirm their marketing preferences is by nature a marketing message. So, you’re screwed.

Wait, isn’t the GDPR changing all this? At least that is what my favourite soda company is telling me!

Remember that the email marketing rules derive from the ePrivacy Directive. Well, the GDPR doesn’t change the ePrivacy Directive. One bit. The misinformation about GDPR comes in handy for those companies who mismanaged their marketing databases. Leveraging the buzz and fuzz around GDPR, they use the upcoming rules as an excuse to appear concerned about their users’ privacy, legitimise their request to obtain their consent and start afresh.

Hey but isn’t the GDPR changing the rules on consent? My lawyers told me that consent from my users was no longer valid under the GDPR, so that I was required to ask my users to reconfirm their consent.

It is true that the GDPR enhances the threshold for obtaining valid consent. I also acknowledge the academic point that consent to a newsletter may also mean consent for the processing of personal data under the GDPR, so that in theory you should obtain a fresh consent from your users if the consent given in the past would not meet the new validity standards set by the GDPR.

However, the ePrivacy rules already require consent for marketing email. Consent given under the ePrivacy Directive is highly likely to remain valid under the GDPR, so why take the risk of asking your users again and lose some in the process? Remember that consent is not required for your existing clients (under soft opt-in), so why bother?

Misinformation about the GDPR is the root cause of this nonsense

There is no doubt in my mind that the GDPR is used as a bullshitty excuse to try to cover up for poor database management. Receiving a “would you like to hear from us?”-type of email appears reassuring. In reality, it is a bad sign. And I can’t count the number of companies from which I received such awkward requests to renew my consent. Being a lawyer, I am subscribed to law firms’ newsletters and I was amazed at how many (reputable) law firms have misinterpreted the interplay between the GDPR and the ePrivacy Directive and fallen into the trap (denunciations available privately on request — just kidding).

The GDPR is not only an invalid excuse. Sending a marketing preferences confirmation email is also unlawful under current EU laws, assuming that the company didn’t know whether users had opted out, which should be pretty clear as the whole purpose of sending that email is to make sure users opt in.

To me this is all a result of misinformation surrounding the GDPR. In Europe we are being harassed daily by alarmists shouting things like “GDPR forbids this” or “GDPR imposes that”. Instead of rocking the boat, we should consider carefully what the GDPR really requires and focus on implementing the most relevant aspects of the upcoming rules.

What to do next?

If your marketing database is a mess, consider the following:

  • Transfer your existing clients to a separate database, so you can problem-free email them for direct marketing purposes under the soft opt-in mechanism.
  • Record whether your existing clients have opted out and make sure no newsletters will come their way as from their opting out.
  • Only email your prospects for marketing purposes if they have opted in and have not since opted out (it is as simple as that).
  • Include an effective “unsubscribe me” link in your marketing emails, as well as a link to your privacy policy (the latter is a requirement under the GDPR).

If you would like to continue using your poorly managed marketing database, I am afraid nothing (even the GDPR) can really help you. If you do nevertheless send a marketing preferences confirmation email, don’t use the GDPR as an excuse, be honest and perhaps your users will show compassion.

*The author speaks for himself (not for his law firm, his clients or the Pope for that matter). The above doesn’t constitute legal advice you can rely on (obviously).

Adrien van den Branden

Co-founder and former CEO of Canyon, a contract automation software, acquired in 2022 by Yousign, the European eSignature leader. Angel investor and CEO advisor.