17 August 2017
The definition of consent is changing significantly under the GDPR and from 25 May 2018 it will be very difficult to obtain valid consent. In addition, you can only rely on consent obtained prior to 25 May 2018 if it is GDPR compliant.
What will valid consent look like under the GDPR?
The definition of consent under the GDPR is:
Any freely given specific, informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.
This means that consent must be:
- Unbundled – separate from other terms and conditions
- Active opt-in – no pre-ticked boxes or implied consent
- Granular – applied to separate processing and purposes
- Named – all those relying on the consent must be named individually
- Verifiable – records must be kept to prove what consent was provided for
- Easy to withdraw – just as easy as it was to provide
- No imbalance of power – not available to public sector or employer/employee relationships
- Refreshed – valid consent does not last forever
Our advice is that if you can rely on another processing condition, then do - consent should be your last option and is generally not your only option.
However, if you are marketing via email, SMS or any other digital format then it is likely that consent will be your only option. Alongside the Data Protection Act 1998 in the UK, the Privacy and Electronic Communications Regulations 2003 (PECRs) have defined what is acceptable in relation to direct marketing.
There is an exception called the ‘soft opt-in’. This means that consent is not required if you are sending marketing messages about similar products and services to your customers/clients or those you have negotiated with to provide products or services, as long as:
- You give them the opportunity to opt-out when you receive their contact information; and
- You give them the opportunity to opt-out when you send them subsequent messages.
This processing is not based on consent, but rather on the legitimate interests processing condition, and can only be relied upon by the organisation that collected the contact details, not third parties.
Alongside the GDPR, the EU has also proposed changes to the regulation of digital marketing. The draft ePrivacy Regulation was published in January 2017 with the intention that it would come into direct effect across the EU on 25 May 2018 as well. It will replace PECRs in the UK with the aim of bringing regulation up to date with modern technology and in line with GDPR. The definition of consent under the ePrivacy Regulation will be the same as the definition under the GDPR. And getting it wrong can result in fines of up to €20 million or 4% of turnover.
The contents of the draft ePrivacy Regulation have caused controversy and it seems unlikely that the final version will be ready in time. However, we expect that the definition of consent under PECRs will change on 25 May 2018 via the new UK Data Protection Bill, due out next month.
In relation to the soft opt-in, that will still be available under the ePrivacy Regulation as currently drafted but there is a significant difference. Consent will not be required to send customers/clients direct marketing using their email address etc in the context of a sale of a product or service. Entering into negotiations, however, will not allow the provider to send marketing messages without consent. This may change but at the moment it appears that the soft opt-in may be reduced in scope.
Now is the time to start working out what contact details you can and cannot use post-25 May 2018.
If you rely on consent, we think it is likely that you will have to refresh that consent to ensure that it is GDPR compliant, not least to ensure that you have an appropriate record in case the ICO come knocking.
But if you rely on the soft opt-in then, as long as you are happy that you have complied with the requirement to allow your customer/client the option of opting out when you collected their contact details and they are given this option every time you send them a marketing message, it appears that this will remain within the law – as far as we can tell. You will of course still require to process their data in line with the processing principles under the GDPR and provide them with information to ensure fair processing – see our blog on this issue.
If you have any queries about the GDPR, marketing or other data issues, then please contact the Data Protection team.