I recently came across an example where I was registering to download content and the site required me to tick the opt-in checkbox - while submitting the form - in order to download the content: 16 Tips to Capture Marketing Consent for GDPR – CleverTouch.
I used their chat feature to inquire about this since much of what we've learned is that you cannot make the ticking of the opt-in checkbox required. The response I received was as follows:
The GDPR legislation talks about a "balance" in the exchange when it comes to opting-in - we take the view that if we're giving away content for free, there is a balance that you will provide us something in return. If you don't want to provide us that then that's OK - you just won't get the content. As another example, if this was a paid for event then we wouldn't capture opt-in as well, as that would indicate an imbalance (revenue + an opt-in for 1 event registration).
Again, just wanted to share yet another interpretation/implementation of the GDPR laws. Thoughts?
First, I'm not a lawyer. Best to discuss with legal counsel.
That being said, I would agree with them - if you want to get the content, you must check the box.
For a Contact Us form, or a free trial, perhaps that is less certain - Yes, I want the free trial but no, I don't want extra marketing. Requiring opt in there would likely lead to lower conversion rate.
What CASL and GDPR say is that you cannot "pre-check" the box for them, that is to assume the opt in for the person. You must take a free action that is explicit and deliberate to opt in. Even for events, we were asked that the scanner or tablet be presented to the Lead for opt in checkbox.
I can see more companies following this model. I mean there really shouldn't be a reason why we aren't allowed to do this... The person is submitting their information on their own and checking the box on their own. Kinda like a restaurant's "right to refuse service to anyone". No info, no free whitepaper. I think it's pretty sweet!
Hi Keith - it's not that they're refusing to let someone download the content without filling out the form, it's that they require the user to tick the "opt-in/consent" box. If you don't, they're blocking you from receiving the content.
I just spoke with my team member and they said that you must still offer the asset even w/o opt in checked.
Again, I'd spend some time with legal if you plan to follow such a model.
Our legal team is of the same belief (that you still must provide access to the content; and not force someone to provide their consent). I just found it interesting when I came across this today - especially the reason given by the site owner - and wanted to share this with the community.
In actuality, I'm not following the approach in discussion, to play devil's advocate and stir the pot here, I still really don't think there is a problem with this method. I mean we spend a lot of time/money to make the content we produce. What law requires us to make it available/free to all people? In other examples the business has the right to define terms, like a bouncer at a nightclub saying that you aren't allowed in unless you comply with the dress code, or a 5 star chef not allowing guests to request food restrictions. As businesses, don't we reserve the right to offer our services/content only to people that agree with our terms?
I think for the most part, you're preaching to the choir here, Keith. The same thing applies with the online/targeted advertising models that support much of the commercial content that's available online. Without the ability to target, profile, etc., many of these sites wouldn't be able to turn a profit/remain in business. GDPR is what it is (and there's no doubt that it's causing a lot of frustrations/uncertainty for many of us - and the companies that we work for). And included with that are the risks that businesses are willing to take in how they continue to operate.
I was sent another perspective from a company based in the UK:
https://marketlocation.com/wp-content/uploads/2018/03/ML_GDPR_Brochure_2018_singlepages2.pdf
It, too, contains some contradictory information from what many of us have been exposed to thus far (experts, legal team, etc.) - especially on pages 8 onward. In fact your nightclub analogy was used here as well. Here are some interesting perspectives from this document:
PECR treats the use of email for marketing communication differently depending on whether it is sent to ‘individual subscribers’ or to ‘corporate subscribers’.
PECR allows electronic direct marketing communications [email] to be sent to corporate subscribers (business email addresses of individuals working for incorporated entities) without prior consent, unless the recipient specifically requests not to receive emails from the sender (“opt-out”). Each direct marketing email should include an “unsubscribe” option to allow the individual to notify the sender that he/she no longer wishes to receive emails from the sender.
‘The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.’
Our compliance team was under the same belief, that you should offer content without requiring an opt in. This is a very helpful post. Thanks, Dan Stevens.
hmmmm, interesting.
But what if the content contains calls-to-action like "Contact our sales to find out more"?
If you imagine a process map, a business might be doing the responsible thing and checking for consent at the very start of an interaction with a potential new customer. Now the customer has actively refused that consent and missed the opportunity to get past our consent gate.
It doesn't seem fair or reasonable that a business now has to implement a consent gate at every possible interaction if the customer changes their mind. If you contact sales, are they expected to provide a collection statement and information about privacy and receive explicit consent before storing any personal information? A reasonable business might say, hey, our sales people don't have the time or skills for that... it seems like quite a burden on the sales person to have to record and manage consent.
My thoughts on this are scattered (and entirely my own without legal skills or knowledge!)