One email, one intelligent token will do it.
I think that the approach from Clevertouch is ot GDPR compliant. The article 7.4 of the GDPR writes:
- When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
I do not see why a consent is required for the execution of the delivery of the e-book in the Clevertouch case. This is very similar to the discussion on how to interpret the fact that you can send emails to people who are your customers. You can send them emails, but not any email.
Whether or not Clevertouch's approach is really risky ultimately depends on the country your visitors are from and in which EU countries you operate. In Germany I feel the Clevertouch approach is very risky. In France, it's not. To give readers a hint on how strict things can be, a german company was sued (on the previous regulation, not even the GDPR) and fined because the sales people were adding CTAs below their signature in their emails send from their personal mailboxes...
Thanks Greg. This is aligned to our guidance as well. In fact, I would argue that obtaining the data captured on the form is adequate value received - without the need to also require opt-in consent.
For GDPR we are doing two separate checkboxes (neither is pre-checked). One is for content to processing, and that is required. The other is consent to direct marketing, and that is optional.
In all strictness, this double consent is what should be done. Most companies are merging the 2 in order to simplify the forms. Which leads to a conclusion: if the person does not consent to be kept in the database, you should delete it or anonymize her immediately. So, if you only use 1 consent box and the person does not consent, you should not only stop sending emails, but also delete the lead or anonymise it. This anonymization issue is one that is listed here: Marketo GDPR Compliance-a summary of key ideas
I am dreaming of a form with a double consent that, when someone does not consent to be stored in the database and submits the form, displays the following follow-up message:
"We are sorry, but we cannot process and send you the link to the requested content since it would require that we store your data in our database, to which just did not consent"
Have you considered legitimate interest as basis for processing? Is everyone grouping 'processing' as one item or are you getting more granular? And if someone says no to processing what are you doing with them? Stopping all processing (scoring, normalization, segmenting, tracking etc...) Or are you deleting them?
Legitimate interest starts to get into fuzzy territory if you don't also have the consent. You'll want to gather that consent via form or emailed agreement between sales and prospect.
As far as what I'm doing -
Consent to marketing is not given on a content request form. Content is delivered based on "fills out form" triggered campaign. Mark as marketing suspended once email is delivered.
Consent to data processing is revoked (must be given when requesting content as a require field - no data stored without original consent). Turn off sync to sfdc via Marketo. Delete lead from Marketo (not CRM) - clears marketing history. Flag for anonymization in sfdc for product and sfdc admins to handle.
We're doing the same thing. Consent options must be separate and written in plain english. It was my understanding that consent could not be coupled. It really boils down to three things:
#1 Cookie consent
# 2 Consent to marketing
# 3 Consent to data processing
IMHO, the order should be
#1 Cookie consent
#2 Consent to data processing (better : consent to data storage)
#3 Consent to marketing
Marketing (sending emails) is just one type of data processing.
It sounds to me more like merging of the interpretation of Legitimate interest and consent. This damn regulation has so much gray. I do not think you can force someone to be required check a box, to get the content.