GDPR Requirements for Consent: What You Need to Know

Level 6 - Champion Alumni

For those of you who missed our recent webinar, “Fearless Marketing Strategies for GDPR World,” you missed a good discussion. The most popular topic of the day was “consent.” We had many questions regarding GDPR compliance requirements—everything from permission to retain personal data, to what to do if you are unsure if consent exists or are missing the documentation to back it up, as well as how GDPR consent compares to CASL. All very valid questions! As for the answers:

GDPR Documentation for your Database

We’ve covered the topic before, but it’s worth another mention—auditing your database for GDPR compliance may be painstaking and time-consuming but it is also highly recommended; appropriate documentation is just as necessary as capturing consent. To verify consent, all records in your database should have:

  • opt-in date and timestamp
  • opt-in source
  • opt-in IP address (if available)

For records that are questionable, better safe than in doubt is the rule of thumb. Run a whitelisting (verification) campaign now, so there’s no question regarding if, how or when consent was obtained. No one wants to be fined €20 million or stop European marketing operations due to records you thought were compliant but are not.

And just a reminder, track BOTH data consent and email consent as one does not guarantee the other. Having said that, email consent can constitute data consent, if appropriate privacy policies are acknowledged.

Bundling Consent: What to Do and What to Avoid

When using content (such as a white paper) to attract interest, per GDPR, opting in to marketing communications cannot be assumed or bundled with another action. You may, however, include it as a separate action on the same form if your opt-in checkbox is unchecked and not required to download the promoted content asset. And always ALWAYS link your forms to your privacy policy!


As we talk more and more about consent, we’re frequently asked another question: does CASL (Canadian Anti-Spam Law) compliance mean you are also GDPR compliant? Aren’t the two processes for capturing consent very similar? In a word, yes and no. (OK, two words.) The opt-in process is similar, as both consent intake processes should include an unchecked checkbox on a form, capture the date/timestamp, opt-in source and opt-in IP, and link to your privacy policy. If you’re already using this methodology for CASL, you can extend it to your GDPR operations.

However, while both regulations are permission-based, that’s where the similarity ends. We like to think of GDPR as “CASL on steroids”—GDPR extends much further than CASL and with stiffer penalties. GDPR goes beyond permission to email, extending into cookies, data processing and other elements that are not governed under CASL.

See how the two legislations compare on the Perkuto blog.

Level 6 - Champion

Thank you Michelle Miles! All of these GDPR posts are very useful!

Level 6 - Champion Alumni

Thanks Amanda Thomas!

Hello, question on the 'opt-in source'. How specific do we need to be here? Is it okay to say it came from our website, a landing page, or anything else? Or do we really prove it with the URL where the person actually opted in?

Hi Wolfgang,

Do not bother too much on this: the "fills out form" activity provides all the information you need, including all field values, the URL of the page, the form used, the time stamp and the IP address used by the person.


Level 10 - Community Moderator

... though the Filled Out Form activity ages out of the log in 25 months, so if you've chosen to consider consent fresh for 2+ years (and you don't archive your logs) that'll be a problem...

Yes, good point. We will need to work on a log archiver service that can be seen as a trusted third party.


That's an idea for you, Zak Pines

Level 4

Yes, nice use case Gregoire Michel. It's definitely one of the byproduct benefits of having your Marketo data fed into a cloud data warehouse. I like it.

Hi Zak,

It is not just being able to export the data. You also need to appear as the trusted 3rd party, meaning that you can guarantee the origin of the data (so no fake record has been inserted) and the fact that it has not been tampered with.


Level 4

OK got it.