GDPR Requirements for Consent: What You Need to Know

Michelle_Miles3
Level 9 - Champion Alumni
Level 9 - Champion Alumni

For those of you who missed our recent webinar, “Fearless Marketing Strategies for GDPR World,” you missed a good discussion. The most popular topic of the day was “consent.” We had many questions regarding GDPR compliance requirements—everything from permission to retain personal data, to what to do if you are unsure if consent exists or are missing the documentation to back it up, as well as how GDPR consent compares to CASL. All very valid questions!   As for the answers:

GDPR Documentation for your Database

We’ve covered the topic before, but it’s worth another mention—auditing your database for GDPR compliance may be painstaking and time-consuming but it is also highly recommended; appropriate documentation is just as necessary as capturing consent. To verify consent, all records in your database should have:

  • opt-in date and timestamp
  • opt-in source
  • opt-in IP address (if available)

For records that are questionable, better safe than in doubt is the rule of thumb. Run a whitelisting (verification) campaign now, so there’s no question regarding if, how or when consent was obtained. No one wants to be fined €20 million or stop European marketing operations due to records you thought were compliant but are not.

And just a reminder, track BOTH data consent and email consent as one does not guarantee the other. Having said that, email consent can constitute data consent, if appropriate privacy policies are acknowledged.

Bundling Consent: What to Do and What to Avoid

When using content (such as a white paper) to attract interest, per GDPR, opting-in to marketing communications cannot be assumed or bundled with another action. You may however, include it as a separate action on the same form if your opt-in checkbox is unchecked and not required to download the promoted content asset. And always ALWAYS link your forms to your privacy policy!

GDPR vs. CASL

As we talk more and more about consent, we’re frequently asked another question: does CASL (Canadian Anti-Spam Law) compliance mean you are also GDPR compliant? Aren’t the two processes for capturing consent very similar? In a word, yes and no. (OK, two words) The opt-in process is similar, as both consent intake process should include an unchecked checkbox on a form and capturing date/timestamp, opt-in source and opt-in IP, and a link to your privacy policy. If you’re already using this methodology for CASL, you can extend it to your GDPR operations.

However, while both regulations are permission-based, that’s where the similarity ends. We like to think of GDPR as “CASL on steroids”—GDPR extends much further than CASL and with stiffer penalties. GDPR goes beyond permission to email, extending into cookies, data processing and other elements that are not governed under CASL.

See how the two legislations compare on the Perkuto blog.

9445
19
19 Comments
Michelle_Miles3
Level 9 - Champion Alumni

Here are the details of the data retention: Marketo Activities Data Retention Policy - Overview & FAQ 

And information on how to do a REST API bulk extract of activities: https://developers.marketo.com/rest-api/bulk-extract/

For anyone following who needs to do this (perhaps to retain prior opt-in details/context if it wasn't properly captured in a field).

Mark_Wallace1
Level 4

Hello All,

This still concerns me and I cant find a clear answer.  Current forms are correct and do not force the consent box to be ticked (link to privacy etc).  What are you doing if a contact with consent from a previous form visits another form.  You cannot prefill the consent box with their current setting.  If they do not provide consent on this form visit are they opted in or out.  Or can you preserve the consent setting until an unsubscribe occurs?

Also for preexisting contacts if there is no consent date time and source info are they no longer marketable?

thanks

Mark

Grégoire_Miche2
Level 10

Hi Mark,

Pls open a new thread for these types of questions. It is of interest to everyone and easier to search.

The quick answer is to use visibility rules to hide the opt-in field in case the consent has already been given.

-Greg

Dan_Stevens_
Level 10 - Champion Alumni
Dan_Stevens_
Level 10 - Champion Alumni

Michelle Miles - per your statement above:

When using content (such as a whitepaper) to attract interest, per GDPR, opting-in to marketing communications cannot be assumed or bundled with another action. You may, however, include it as a separate action on the same form if your opt-in checkbox is unchecked and not required to download the promoted content asset.

I'd be interested in your comments in this thread: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a...

Mark_McGourty
Level 2

Hi Dan,

Is it recommended to use two checkboxes at the bottom of the form?  One for email consent and a second box consenting to the collection and processing of data?

Grégoire_Miche2
Level 10

Hi Mark,

You need to get the consent for both data processing (sending an email is data processing) and data storage, but nothing forces you to use 2 boxes instead of only one.

Some companies are implementing 2 consent boxes, while some others only one, and so far, I have not seen any position from the regulator here in France about one of the other.

Let's note that there is a dependency between the 2: one cannot consent to data processing if they do not consent to data storage.

What is clear is that whatever the solution you retain, you need to clearly explain what your visitors are consenting to.

And the key question is: if people do not consent to one or the other, what are you going to do if they do with their data that will enter into Marketo from the form. See

-Greg

Mark_McGourty
Level 2

Hi and thank you for all your guidance; it has been very helpful.  I'm researching phone call consent; if the end user consents to receiving email; which is an Opt-In field can I expose that in Salesforce and let it be understood that it is ok to call that individual? Is seperate Phone Call consent needed?  Thanks.

Grégoire_Miche2
Level 10

A phone Opt-in consent can be necessary if you store the direct line or the mobile. You can combine it with the email consent of have a separate one.

-Greg