Proving Consent Under the GDPR

“Consent Is Sexy” by Charlotte Cooper from Flickr (Creative Commons License)

The General Data Protection Regulation (GDPR) goes into effect on May 25, 2018. According to this new law aimed at protecting individuals’ privacy and their personal data, all companies that send commercial emails to any person living in the European Union must obtain a person’s consent to collect and process their data – and be able to prove it. This applies to anyone who collects and processes data from persons living in the EU, including non-EU companies.

The key to compliance is specific explicit consent.

Double Opt-In Required for Email Lists

If you have an email list, the GDPR essentially requires you to use double opt-in when adding someone to your list. This will help resolve the problem of companies adding people to their mailing list without consent.

So many times, when I’ve sent a question, bought a product, or dropped my card in a company’s drawing for an iPad at a conference, my inbox has been bombarded with the company’s newsletter and “special offers.” We all agree this is poor form, right? If I want to be on your list, I promise I’ll add myself.

It happened just this week. A new connection on LinkedIn sent me an email to invite me to coffee. While we were exchanging emails to arrange a meeting time, he added me to his list! When his newsletter hit my inbox, I let him know that adding me to his list violated Wheaton’s Law and he blew his opportunity to have coffee with me.

Under the GDPR, you have to verify you’ve obtained consent to send someone commercial emails. This also avoids problems like someone adding you to a list without consent as a joke or to annoy you.

Written Declarations of Consent

If the data subject gives their consent in writing – perhaps at an expo at a conference or by filling out a form on your website, you must explicitly tell them what they’re signing up for. Their consent must be obtained:

  • On an easily accessible form,
  • Using clear and plain language, and
  • Distinguishable from other matters.

This means consent cannot be buried in your terms of service or some other process or fine print.

Right to Withdraw Consent

One of the requirements of the GDPR is it must be as easy to withdraw consent as it is to give consent. Companies that comply with the U.S.’s CAN-SPAM Act know that every email  they send “must include a clear and conspicuous explanation of how the recipient can opt out of getting email from you in the future.” Email services, like Mail Chimp, already have this feature by automatically including an “Unsubscribe” link in every newsletter its users send.

Here’s more on the consent requirements for the GDPR:

If you want more information about GDPR, please watch this site and my YouTube channel because I’m creating a substantial amount of content on this topic. You can also send me an email (Note: I can’t give advice to non-clients). I use my mailing list to I share my thoughts about being a lawyer/entrepreneur, updates about projects I’m working on, upcoming speaking engagements, and I may provide information about products, services, and discounts. Please add yourself if you’re interested.

You can also connect with me on TwitterFacebookYouTube, or LinkedIn.

5 responses to “Proving Consent Under the GDPR”

  1. Thanks for breaking this down into language that more people can understand. For sure, I’m going to need to read this again for more clarity and insights.

  2. Great comments on GDPR, as it highlights what many businesses are talking about right now – and also struggling with. I’m seeing two recurring challenges with GDPR compliance for US businesses. First, what is the scope – more importantly, what information systems, service offerings and locations are in scope? Second – and probably the biggest – what are the documentation requirements for the GDPR. As with any regulatory compliance mandates, information security policies and procedures are critical, but with the GDPR, it goes much, much further than just information security – per Article 32. Documentation also needs to include materials covering privacy, consent, a data subject’s rights, and more. Well, good luck everyone on your GDPR compliance efforts.

Leave a Reply

Your email address will not be published. Required fields are marked *