I think what's still unclear, Sandy, is that for a user to proceed in submitting the form - and making the field required, aka "checked"
You can't prevent someone from submitting a form? You must let them submit it, even if they don't agree to the terms? If their desired data privacy terms are stricter than GDPR, are you then obliged to comply with their terms because you aren't allowed to stop their data from entering your system?
Compelling private companies to allow user data into their systems, even when the user specifically refuses to agree to public and private restrictions, sounds really implausible. (Government sites may be another issue.) CASL doesn't have anything to say about this, that's clear.
Requiring someone to check a box to prove that the user agrees to the terms presented to them is one thing (and we do this all the time as part of our "Gifts & Entertainment" policy when user register for events that exceed a certain value (e.g., when we're paying for their hotel room)). That's different than an opt-in checkbox to provide explicit consent to send marketing emails in the future.
And the unchecked opt-in checkbox to provide express consent (on the front end at least, pending round-trip confirmation) is what you're saying is not allowed? There would then be no way for the person to provide express consent. Meaning you legally can't contact them again, even though a statute exists that allowed you to gather express consent and proceed. Strange, dude!
No, what I'm saying is that requiring a user to CHECK that checkbox before they can submit the form is where the issue lies. A user should have the right to leave the checkbox unchecked without having to subscribe to future marketing emails.
BTW, I'm learning more each day with regards to GDPR - and it's causing me heartburn. While not explicitly required, using a double-opt-in approach is highly recommended. Primarily so that someone can't opt-in on behalf of someone else. Having that feedback/consent loop will be necessary should someone ask why they're receiving unsolicited marketing emails.
A user should have the right to leave the checkbox unchecked without having to subscribe to future marketing emails.
Ergo, a company is compelled to accept personal data into their systems via web forms from people who expressly refuse further contact.
But CASL doesn't say anything about that -- it doesn't require companies to do business with people who are not marketable.
Wow, this appears to be a much more complicated issue than I originally thought! And it sounds like there's even more I need to look into regarding some upcoming changes in EU laws.
My plan is to only have the opt-in field appear for users who select Canada as their country. I wanted to make the opt in checkbox a required field because once a person complete one of our web forms (for instance, a web form to request pricing information from us), we normally send an email response with the pricing information they've requested. If the person doesn't checked the opt-in consent box, if I understand the rules correctly, we wouldn't be able to email with the information that they've completed the form to request in the first place. Perhaps I'm overthinking the issue, but I work for a small company and I'm the only person responsible for email marketing compliance, so if it's not done right, any problems that come from non-compliance will fall back on me.
Perhaps I need to leave the opt in box as not required, and set up a rule that alerts a sales rep to follow up by phone with info requested from a Canadian via web form vs. sending that info in an email.
Thank you again Dan Stevens and Sanford Whiteman for your input on this question. I think you both make good points, and I'm sure there are many other marketing professionals who would benefit from more clarification/training on how best to comply with the various laws, especially as they keep changing!
Hi Cayce - sending an email response like this is considered a "transactional" email - not a marketing/unsolicited/promotional email. These sorts of emails - service, maintenance, operational, transactional, etc. - are still permissible (even under CASL, and probably the case for GDPR), regardless if a user has not opted-in (or unsubscribed). Just be sure to not include ANY promotional/marketing content/messaging within the reply.
Here's a good definition of a transactional message:
A transaction message is one that if your customer does not receive it, there is a high likelihood that they will call or contact you to find out that information. It should be customer generated/initiated, even if it isn’t real-time. For example, if you subscribe to an annual cloud-based service with yearly auto-bill. You would expect a notification shortly before your credit card is charged. If the user doesn’t expect it, it probably isn’t transactional.
Thanks for that clarification Dan Stevens! The definition of a transactional message is really helpful and I think I have a better idea of how I need to set my forms/emails up now. I really appreciate it!
Stepping in from my vacations in Spain
The new EU GDPR makes it extremely clear that the consent must be traceable and opposable, meaning the double opt-in, if not explicitly mentioned by the GDPR, is in fact a must have, expecially when the IP address is the company's and cannot be used to prove who filled out the form.
The GDPR also makes it clear that the consent has to be explicit and well informed. I have not yet had a clear feedback from the lawyers whether this means that all details have to be provided on the forms or if a link to a terms and conditions page is enough.
But on this "explicit and well informed content" point, one thing is sure, as stated by Sanford, pre-checking the opt-in box is forbidden, and misleading is even worse.
One also needs to know that, per the GDPR, at any point in time, an individual can ask for his data to be removed or modified and vendors have to provide a mechanism for this. Not sure of the best way to achieve this, though
Per the thread above one should not mix 2 issues :
I concur with Dan on the fact that operational emails are not impacted by the GDPR, yet the definition what is an operational vs Marketing email has to be strictly enforced. Remember that 2 of the characteristics of the GDPR are the very high level of penalties that any breach can lead to and the extra-territoriality (it applies to any company doing business in the EU, not only to companies located or headquartered in the EU).
More globally, the GDPR will probably foster the need for subscription centers, rather that one-off opt-in/opt-out
My 2 cents,
This is pretty much what I've been trying to convey throughout this discussion - Greg obviously has a more eloquent way of explaining this. And forgive me, Sandy, I interpreted some of your replies above as saying it's OK to force a user to check an opt-in checkbox, equating it to an EULA/terms-of-use scenario. Which is what triggered this thought-provoking debate here.