i am working with a german DPO / lawyer to cover our GDPR needs for our website in Europe and we have covered this issue. He agrees with you ... you need two check boxes BUT (a very big but...)
1 consent to further email marketing (if not already opted in)
BUT... Neither of these boxes can either be pre-checked, nor mandatory.
GDPR is specific about this. You cannot couple consent (tick this and you can have the content) doing so invalidates the consent...
(assuming we are talking about a form that then provides access to white paper download etc - there are some exceptions to this depending upon what the user is registering for...)
You have to give the option of allowing the registrant to download the white paper without giving you the consent to store and use their data- let alone opt-in to further emails... and the only field you can make mandatory on that form is email address, assuming you deliver the whitepaper via email... you can include other fields but these are optional.
its a brave new world...
I am dealing with about 15 layers and DPO through EU on this subject, from my various customers, and they do not agree between them
I fully agree that the checkboxes cannot be pre-check, and the GDPR guidelines are explicit on this point all my correspondants also agree on this.
BUT the guidelines also say that:
“tying” the provision of a contract or a service to a request for consent to process personal data that are not necessary for the performance of that contract or service, is considered highly undesirable and that if consent is given in this situation, it is presumed to be not freely given
But there is a contradiction in not making the checkbox about data storage mandatory: If the person does not check it, then you are not entitled to let their data enter Marketo database Anyway, as always with the GDPR, there are some leeway in the following statement :
data that are not necessary for the performance of that contract or service
Entering the data in Marketo is required to be able to send the white paper, so making the "storage consent" checkbox mandatory is acceptable...
As wrote earlier, I and have some customers who make that box non mandatory and then run smart campaign to immediately delete the lead after sending the white paper link, and other who make that box mandatory. Time will tell.
Mark Knight, thanks for sharing. It's useful to hear of all of the different perspectives and interpretations of GDPR. Just out of curiosity - since you didn't mention it in your reply - what is his take on cookie/tracking consent? Does that introduce yet a third checkbox? Even though there's a lot of information/discussion that addresses this (including the recent post from Michelle Miles - Marketing Strategies to Thrive in a GDPR World) - it would be interesting to hear his perspective on this.
In fact, with regards to the cookie consent, nothing has really changed compared to the previous system and you do not need to add a third check box, but your site needs to have a cookie consent system that also controls Marketo munchkin.
FYI, the EU is working on a ePrivacy regulation taht will replace the currently applicable directive on cookies. See Proposal for an ePrivacy Regulation | Digital Single Market . The first draft are interesting in that they make a difference between the type of cookies, remove the need for the cookie consent banner and strengthen the requirement to support the Browser DNT. No ETA yet.
Yeah, we’re going down that road now in eventually deploying a cookie consent/preference center using the OneTrust platform.
Hi again Dan,
I would be interested in your feedback regarding OneTrust and also how it fits with Marketo, Google Analytics, etc...
Are you simply using their Cookie Compliance Module or the whole suite ?
Will do, Greg. We'll be using several of their products, including vendor risk management, PIA/DPIA automation, data mapping automation, and incident/breach management.