GDPR: To re-opt in, or not to re-opt in? That is the question…

Paul Maunders
5 min read · Apr 25, 2018


On the 25th of May 2018, one month from today, the EU’s new General Data Protection Regulation (GDPR) will come into force. This is a wide-reaching law that will affect all businesses that are based in the EU/EEA or trade with EU/EEA citizens. If you live in the EU and have access to e-mail, you will no doubt have started to receive e-mails on the subject.

Businesses are rushing to prepare in advance of the deadline, and although the purpose of the law, to protect personal data, is laudable, there is still a lot of uncertainty around what exactly you must do to become compliant.

To illustrate the point, the GDPR states that following an approved code of conduct could demonstrate adherence to certain articles, but to the best of my knowledge, no approved codes of conduct or certifications exist yet (at least not in the UK).

This is from the ICO’s guidance on contracts:

The GDPR allows for standard contractual clauses from the EU Commission or a supervisory authority (such as the ICO) to be used in contracts between controllers and processors — though none have been drafted so far.

The GDPR envisages that adherence by a processor to an approved code of conduct or certification scheme may be used to help controllers demonstrate that they have chosen a suitable processor. Standard contractual clauses may form part of such a code or scheme, though again, no schemes are currently available.

So there are no official certified training courses, codes of conduct or indeed model clauses that you can incorporate into your contracts yet, but that doesn’t mean your business shouldn’t get legal advice and do its best to comply. The question is, how?

There are many aspects to GDPR, but in this post I want to focus on one particular issue that seems to have the business community divided, and that is: should you ask your users to re-opt in to your existing mailing list?

I have seen various different approaches to this issue:

  1. The first could be described as the ‘re-subscribe’ approach. This is where a business writes to its users to ask them to re-opt in to its marketing list. In this approach the business is assuming it has no legal basis on which to process your data, and so it asks you to give consent for it to keep e-mailing you. It will state that if you don’t re-opt in, it will assume you don’t give consent and will therefore stop e-mailing you. This is the most cautious approach from a legal point of view, but it could have huge commercial consequences for the business. It can take years to build a mailing list, and I would expect only a small proportion of users to re-opt in.
  2. The second is the ‘update preferences’ approach. This is where a business simply reminds you that you are on its mailing list and gives you the opportunity to change your preferences. It will keep the status quo if you fail to act.
  3. The third is what I have decided to call the ‘update privacy policy’ approach. This is where a business sends you a notification that it has updated its privacy policy to incorporate some GDPR-related terms, but otherwise doesn’t mention e-mail preferences.
  4. There is also a fourth approach, which is to ‘do nothing’. If you are subscribed to a mailing list but have received nothing from the business running it, that business currently falls into this camp.

I am involved in various businesses, and we are still considering the best approach to use ourselves, so I created a Twitter poll, targeted at followers of GDPR-related accounts, to see what they thought.

The question was simply: “Mailing list operators: assuming your users have already double-opted in to your e-mail marketing list, do you intend to ask them to re-opt in for GDPR, or not?”

111 people took part, and the results were:

  • 36%: Yes, they must re-opt in
  • 43%: No, already have consent
  • 21%: What’s GDPR?

This would suggest that no consensus has yet emerged on what the correct course of action is.

Lawful Bases for Processing

There are six lawful bases set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:

Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

Vital interests: the processing is necessary to protect someone’s life.

Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

Article 7 of the GDPR further states that:

Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

In my view, having someone double opt in to your mailing list could be a pretty clear indication of consent, but how do you go about proving it? The wording says ‘demonstrate’, so would a signup timestamp field plus a screen grab from the Internet Archive showing your signup process from 5 years ago suffice?

There is huge scope for interpretation of the GDPR articles, and very little case law or established best practice, and so again, in my view, if your list has been built in good faith using a double opt-in process that is compatible with GDPR, then it could be both legally unnecessary and commercially disastrous to ask your users to re-opt in.

Even if you lack the ‘consent’ basis, you may have another lawful basis on which to process your users’ data (contract, or legitimate interests). Asking people to re-opt in is likely to cause you to lose a huge portion of your marketing list.

Recital 47 acknowledges that direct marketing could be covered as a legitimate interest:

The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

Of course, I am not a lawyer, and you should seek your own legal advice on this, as we will, but I would love to hear your views on the right course of action in the comments.

What are you planning to do with your mailing list?
