Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action

SanfordWhiteman
Level 10 - Community Moderator

Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action

One email, one intelligent token will do it.

Grégoire_Miche2
Level 10

Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action

Hi Dan,

I think that the approach from Clevertouch is ot GDPR compliant. The article 7.4 of the GDPR writes:

  1. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

I do not see why a consent is required for the execution of the delivery of the e-book in the Clevertouch case. This is very similar to the discussion on how to interpret the fact that you can send emails to people who are your customers. You can send them emails, but not any email.

Whether or not Clevertouch's approach is really risky ultimately depends on the country your visitors are from and in which EU countries you operate. In Germany I feel the Clevertouch approach is very risky. In France, it's not. To give readers a hint on how strict things can be, a german company was sued (on the previous regulation, not even the GDPR) and fined because the sales people were adding CTAs below their signature in their emails send from their personal mailboxes...

-Greg

Dan_Stevens_
Level 10 - Champion Alumni

Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action

Thanks Greg. This is aligned to our guidance as well. In fact, I would argue that obtaining the data captured on the form is adequate value received - without the need to also require opt-in consent.

Amy_Goldfine
Level 10 - Champion Alumni

Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action

For GDPR we are doing two separate checkboxes (neither is pre-checked). One is for content to processing, and that is required. The other is consent to direct marketing, and that is optional.

Amy Goldfine
Marketo Champion & Adobe Community Advisor
Grégoire_Miche2
Level 10

Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action

Hi Amy,

In all strictness, this double consent is what should be done. Most companies are merging the 2 in order to simplify the forms. Which leads to a conclusion: if the person does not consent to be kept in the database, you should delete it or anonymize her immediately. So, if you only use 1 consent box and the person does not consent, you should not only stop sending emails, but also delete the lead or anonymise it. This anonymization issue is one that is listed here: Marketo GDPR Compliance-a summary of key ideas

I am dreaming of a form with a double consent that, when someone does not consent to be stored in the database and submits the form, displays the following follow-up message:

"We are sorry, but we cannot process and send you the link to the requested content since it would require that we store your data in our database, to which just did not consent"

-Greg

Jason_Hamilton1
Level 8 - Champion Alumni

Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action

Have you considered legitimate interest as basis for processing?  Is everyone grouping 'processing' as one item or are you getting more granular?  And if someone says no to processing what are you doing with them? Stopping all processing (scoring, normalization, segmenting, tracking etc...) Or are you deleting them?

Anonymous
Not applicable

Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action

Legitimate interest starts to get into fuzzy territory if you don't also have the consent. You'll want to gather that consent via form or emailed agreement between sales and prospect.

As far as what I'm doing -

Consent to marketing is not given on a content request form. Content is delivered based on "fills out form" triggered campaign. Mark as marketing suspended once email is delivered.

Consent to data processing is revoked (must be given when requesting content as a require field - no data stored without original consent). Turn off sync to sfdc via Marketo. Delete lead from Marketo (not CRM) - clears marketing history. Flag for anonymization in sfdc for product and sfdc admins to handle.

Anonymous
Not applicable

Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action

We're doing the same thing. Consent options must be separate and written in plain english. It was my understanding that consent could not be coupled. It really boils down to three things:

#1 Cookie consent

# 2 Consent to marketing

# 3 Consent to data processing

We're creating cookie notifiers on our site to handle #1. Consent to marketing #2 is a checkbox which is optional (yes/no) - selecting no still yields the requested content. Consent to data processing #3 (privacy policy acceptance) is a required field for submitting a form.

Grégoire_Miche2
Level 10

Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action

Hi Willow,

IMHO, the order should be

#1 Cookie consent

#2 Consent to data processing (better : consent to data storage)

#3 Consent to marketing

Marketing (sending emails) is just one type of data processing.

-Greg

Jason_Hamilton1
Level 8 - Champion Alumni

Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action

It sounds to me more like merging of the interpretation of Legitimate interest and consent.  This damn regulation has so much gray.  I do not think you can force someone to be required check a box, to get the content.