Sending GDPR ‘consent emails’? You could be breaking the law.

Abbie Clement, iubenda
5 min read · May 24, 2018

The GDPR’s looming enforcement date has been causing a panic — in many cases companies are filling user inboxes with requests for consent. But is this necessary, or even prudent? The answer is complicated.

Generally speaking, “consent” is one of the more popular legal bases for processing user data; however, it is only one of six legal bases that may apply. The others are: legal obligation, contractual requirements, vital interests, public interest and legitimate interests.

If you’re already legitimately processing (meaning collecting, accessing, storing or otherwise interacting with) personal data based on any one of these other legal bases, then there’s no need to send consent request emails — provided that this basis of processing was stated in your privacy notice/policy and that users had easy access to the notice before you processed their data. If this information was not available to users at the time, but one of these legal bases can currently legitimately apply to your situation, then your best bet is to ensure that your current privacy notice meets the requirements, so that you can continue to process your user data in a legally compliant way.

But what about cases where the processing was based on consent, such as email newsletters? Can that consent carry over?

Whether or not the consent can “carry over” (thereby removing the need to ask for new consent or to rely on another legal basis) depends on whether the consent was collected in a GDPR-compliant way and whether you can prove this.

Here are some quick questions you can ask yourself to assess this:

  • Was the user properly informed at the time? (Was there an easily accessible privacy policy that contained all the relevant information, including the purpose of processing, the method of processing, all third parties that might be involved, and users’ rights in regard to their data?)
  • Was the consent given via a verifiable affirmative action? (Was it given via an unambiguous opt-in mechanism such as ticking a checkbox? Quick note: if your sign-up process included pre-checked boxes or any mechanism that required the user to “opt out” rather than “opt in”, then your method was not compliant and you’re required either to rely on another legal basis — if legitimately applicable — or to collect new valid consent.)
  • Was the consent freely given? (Was it clear that signing up was optional and not mandatory?)
  • Was the consent specific? (Did you clearly state, in a granular way, what users would be consenting to, and was the consent collected separately for each individual purpose? See example here.)
  • Did you provide users with a way to withdraw consent?
  • Do you have appropriate records of these consents? (Did you document the consents and the privacy notice that was available to users at the time of collection? Can you prove, if required, that the consent was collected in a compliant way?)

Ok, so the consent I obtained in the past was not done in a GDPR compliant way, what are my options?

Using consent as your legal basis in the past does not mean that you still have to do so now. It might even be ill-advised to do so, especially if you’re not completely sure how you collected the contact info/data in the first place (e.g. illegitimately acquired email lists) or if you can’t prove that you collected it in a legally compliant way. To be clear, if you contact users to ask for consent while currently having no legitimate legal basis for holding their data/contact info in the first place, you’ll be in violation not only of the GDPR but also of the existing Data Protection Directive.

Another reason to evaluate whether another legal basis can apply as your reason for processing in these cases is that, strictly speaking, if you lack the consent necessary to contact users, then you likely also lack the consent needed to email them to ask for consent.

Important to Note:

- Legal bases can’t simply be “picked”; they need to legitimately apply to your situation. When evaluating whether a legal basis can apply, please be sure to go through them with your lawyer, as determining the correct legal basis is very important and can be difficult. See the link at the bottom of this page to read the ICO guide on this topic for further clarification.

- The information in this article refers specifically to email requests for consent. If you’re updating your privacy policy, T&Cs and/or procedures for any reason (such as the GDPR), you are absolutely legally required to email or otherwise contact your users, inform them of these changes, and provide them with a link to the related documents.

If no other legal basis can legitimately apply to your case, then you may need to collect consent again. This can be a pain, but while you still can (before May 25th) you could send out a simple email letting users know that they need to opt in if they’d like to keep in touch. If you’re reading this after May 25th, a notice on your website or social media posts are other ways in which you can let users know about the new requirements without breaking the law.

When collecting these new consents and going forward, be sure that you’re maintaining valid records of consent and managing your consents in a legally compliant way.

We’ve recently launched two new services to make the technical aspects of complying with GDPR requirements and consent management as pain-free as possible. You can check them out and chat with us today on Product Hunt; you can also read our announcement here.

Further Reading:

Please note that while we try to provide the most accurate information possible, the information in this article is not to be considered legal advice. In some cases, depending on your legislation, further actions may be required to make your activity compliant with the law. Nothing can substitute a professional legal consultancy in this regard and as such you should consult with your lawyer for legal advice specific to you.

Originally published at www.iubenda.com.

Head of Content @iubenda, knowledge fiend, skilled over-thinker and lover of puns.