40 Replies Latest reply on Apr 4, 2018 7:08 AM by Dan Stevens

Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action

Dan Stevens Mar 27, 2018 11:50 AM

I recently came across an example where I was registering to download content and the site required me to tick the opt-in checkbox - while submitting the form - in order to download the content: 16 Tips to Capture Marketing Consent for GDPR – CleverTouch .

I used their chat feature to inquire about this since much of what we've learned is that you cannot make the ticking of the opt-in checkbox required. The response I received was as follows:

The GDPR legislation talks about a "balance" in the exchange when it comes to opting-in - we take the view that if we're giving away content for free, there is a balance that you will provide us something in return. If you don't want to provide us that then that's OK - you just won't get the content. As another example, if this was a paid for event then we wouldn't capture opt-in as well, as that would indicate an imbalance (revenue + an opt-in for 1 event registration).

Again, just wanted to share yet another interpretation/implementation of the GDPR laws. Thoughts?

Michelle Miles

Grégoire Michel

Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action

Josh Hill Mar 27, 2018 10:12 AM (in response to Dan Stevens)

First, I'm not a lawyer. Best to discuss with legal counsel.

That being said, I would agree with them - if you want to get the content, you must check the box.

For a Contact Us form, or a free trial, perhaps that is less certain - Yes, I want the free trial but no, I don't want extra marketing. Requiring opt in there would likely lead to lower conversion rate.

What CASL and GDPR say is that you cannot "pre-check" the box for them, that is to assume the opt in for the person. You must take a free action that is explicit and deliberate to opt in. Even for events, we were asked that the scanner or tablet be presented to the Lead for opt in checkbox.
1 of 1 people found this helpful
Like Show 4 Likes(4)

Actions
Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action

Keith Nyberg Mar 27, 2018 11:25 AM (in response to Dan Stevens)

I can see more companies following this model. I mean there really shouldn't be a reason why we aren't allowed to do this... The person is submitting their information on their own and checking the box on their own. Kinda like a restaurants "right to refuse service to anyone". No info, no free whitepaper. I think it's pretty sweet!
Like Show 0 Likes(0)

Actions
- Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action
  
  Dan Stevens Mar 27, 2018 11:30 AM (in response to Keith Nyberg)
  
  Hi Keith - it's not that they're refusing to let someone download the content without filling out the form, it's that they require the user to tick the "opt-in/consent" box. If you don't, they're blocking you from receiving the content.
  
  Like Show 0 Likes(0)
  
  Actions
  - Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action
    
    Josh Hill Mar 27, 2018 11:32 AM (in response to Dan Stevens)
    
    I just spoke with my team member and they said that you must still offer the asset even w/o opt in checked.
    
    Again, I'd spend some time with legal if you plan to follow such a model.
    1 of 1 people found this helpful
    
    Like Show 2 Likes(2)
    
    Actions
    - Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action
      
      Dan Stevens Mar 27, 2018 11:36 AM (in response to Josh Hill)
      
      Our legal team is of the same belief (that you still must provide access to the content; and not force someone to provide their consent). I just found it interesting when I came across this today - especially the reason given by the site owner - and wanted to share this with the community.
      1 of 1 people found this helpful
      
      Like Show 0 Likes(0)
      
      Actions
      - Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action
        
        Keith Nyberg Mar 27, 2018 11:45 AM (in response to Dan Stevens)
        
        In actuality, i'm not following the approach in discussion, to play devils advocate and stir the pot here, I still really don't think there is a problem with this method. I mean we spend alot of time/money to make the content we produce. What law requires us to make it available/free to all people? In other examples the business has the right to define terms, like a bouncer at a nightclub saying that you aren't allowed in unless you comply with the dress code, or a 5 start chef not allowing guests to request food restrictions. As businesses, don't we reserve the right to offer our services/content only to people that agree with our terms?
        
        Like Show 0 Likes(0)
        
        Actions
        
        Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action
        
        Dan Stevens Mar 27, 2018 12:22 PM (in response to Keith Nyberg)
        
        I think for the most part, you're preaching to the choir here, Keith. The same thing applies with the online/targeted advertising models that support much of the commercial content that's available online. Without the ability to target, profile, etc., many of these sites wouldn't be able to turn a profit/remain in business. GDPR is what it is (and there's no doubt that it's causing a lot of frustrations/uncertainty for many of us - and the companies that we work for). And included with that are the risks that businesses are willing to take in how they continue to operate.
        
        I was sent another perspective from a company based in the UK:
        
        https://marketlocation.com/wp-content/uploads/2018/03/ML_GDPR_Brochure_2018_singlepages2.pdf
        
        It too, contains some contradictory information from what many of us have been exposed to thus far (experts, legal team, etc.) - especially on pages 8 onward. In fact your nightclub analogy was used here as well. Here are some interesting perspectives from this document:
        
        PECR treats the use of email for marketing communication differently depending on whether it is sent to ‘individual subscribers’ or to ‘corporate subscribers’.
        PECR allows electronic direct marketing communications [email] to be sent to corporate subscribers (business email addresses of individuals working for incorporated entities) without prior consent, unless the recipient specifically requests not to receive emails from the sender (“opt-out”). Each direct marketing email should include an “unsubscribe” option to allow the individual to notify the sender that he/she no longer wishes to receive emails from the sender.
        The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.’
        
        Like Show 0 Likes(0)
        
        Actions
      - Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action
        
        Amanda Thomas Mar 27, 2018 8:22 PM (in response to Dan Stevens)
        
        Our compliance team was under the same belief, that you should offer content without requiring an opt in. This is a very helpful post. Thanks, Dan Stevens.
        
        Like Show 0 Likes(0)
        
        Actions
    - Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action
      
      Nicholas Manojlovic Mar 27, 2018 7:29 PM (in response to Josh Hill)
      
      hmmmm, interesting.
      
      But what if the content contains calls-to-action like "Contact our sales to find out more"?
      
      If you imagine a process map, a business might be doing the responsible thing and checking for consent at the very start of an interaction with a potential new customer. Now the customer has actively refused that consent and missed the opportunity to get past our consent gate.
      
      It doesn't seem fair or reasonable that a business now has to implement a consent gate at every possible interaction if the customer changes their mind. If you contact sales, are they expected to provide a collection statement and information about privacy and receive explicit consent before storing any personal information? A reasonable business might say, hey, our sales people don't have the time or skills for that.. it seems like quite a burden on the sales person to have to record and manage consent.
      
      my thoughts on this are scattered (and entirely my own without legal skills or knowledge!)
      
      Like Show 1 Likes(1)
      
      Actions
Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action

Nicholas Manojlovic Mar 27, 2018 7:18 PM (in response to Dan Stevens)

I guess the question is "can we refuse service to someone who hasn't consented"?

In my opinion, refusing service is the only thing we can do unless someone completely and totally opts-in.

People need to know what they're signing up for - tracked Munchkin, tracked emails, stored data, etc.

If we can't refuse service to people who don't agree to tracked emails and stored data, then we are in a pickle. We can't send one person an email that isn't tracked, and another person an email that is. You're either in or you're not with the Marketo tool the way it is currently built and designed.
1 of 1 people found this helpful
Like Show 1 Likes(1)

Actions
- Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action
  
  Sanford Whiteman Mar 27, 2018 7:21 PM (in response to Nicholas Manojlovic)
  
  Sending tracked and untracked links is exactly what we're doing...
  
  Like Show 0 Likes(0)
  
  Actions
  - Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action
    
    Nicholas Manojlovic Mar 27, 2018 7:30 PM (in response to Sanford Whiteman)
    
    per asset, not per person.
    
    Like Show 0 Likes(0)
    
    Actions
    - Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action
      
      Sanford Whiteman Mar 27, 2018 7:36 PM (in response to Nicholas Manojlovic)
      
      You don't need to send 2 links to the same person... if you don't know someone's consent status, send them the untracked link because they're assumed to not have consented, and give them the option upon clicking. What's the other case? You can't use the click itself as consent, that's clearly in violation.
      1 of 1 people found this helpful
      
      Like Show 1 Likes(1)
      
      Actions
      - Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action
        
        Nicholas Manojlovic Mar 27, 2018 7:59 PM (in response to Sanford Whiteman)
        
        I'm not sure we're talking at each other.
        
        Person A consents to be in our database but chooses to opt-out of email tracking.
        Person B consents to be in our database and chooses to opt-in to email tracking.
        
        Person A and B both qualify for our send campaign. It is impossible* to send them the same asset but have one person tracked and the other not. (It is burdensome to develop two pieces of content, one specifically designed for untracked links).
        
        Ergo, we needed Person A to choose to opt-in to email tracking or else we can't send them emails.
        
        *OOB
        1 of 1 people found this helpful
        
        Like Show 1 Likes(1)
        
        Actions
        
        Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action
        
        Sanford Whiteman Mar 27, 2018 8:24 PM (in response to Nicholas Manojlovic)
        
        I guess with your *OOB that makes sense. But since we tokenize content anyway, we now just use a Velocity token -- done!
        
        Like Show 0 Likes(0)
        
        Actions
        
        Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action
        
        Nicholas Manojlovic Mar 27, 2018 8:43 PM (in response to Sanford Whiteman)
        
        what's the gist of that approach?
        
        #if ( $opted-in-to-email )
        <a href="$token-link-1">
        #else
        <a href="$token-link-1" class="mktNoTrack">
        
        Like Show 0 Likes(0)
        
        Actions
        
        Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action
        
        Dan Stevens Mar 27, 2018 8:49 PM (in response to Nicholas Manojlovic)
        
        Change “opted-in-to-email” to “opted-in-to-be-tracked/processed”. If they haven’t opted in to email, you’re not sending them any email.
        1 of 1 people found this helpful
        
        Like Show 1 Likes(1)
        
        Actions
        
        Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action
        
        Sanford Whiteman Mar 27, 2018 10:43 PM (in response to Nicholas Manojlovic)
        
        Yep, or with less repetition:
        
        #set( $canBeTracked = $convert.toNumber("0${lead.canBeTracked}") ) <a class="$display.message( "{0,choice,0#mktNoTrack|1#}", $canBeTracked )" href="${link}">Le Click, C'est Chic</a>
        
        Note that #if($opted-in-to-email) won't work with Marketo boolean fields (exported as strings in VTL) because all strings are boolean true.
        1 of 1 people found this helpful
        
        Like Show 0 Likes(0)
        
        Actions
        
        Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action
        
        Amanda Thomas Mar 27, 2018 8:26 PM (in response to Nicholas Manojlovic)
        
        This is interesting. Same question. Should we all be setting up two download emails, one with tracking and one without tracking per asset. (If now, we send download emails as a way to send the actual asset?) At my previous company, we just linked directly to the asset after the person filled out the form, so we didn't have to do download emails. I wonder if more people are going to move to that model.
        
        Like Show 0 Likes(0)
        
        Actions
        
        Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action
        
        Sanford Whiteman Mar 27, 2018 8:36 PM (in response to Amanda Thomas)
        
        One email, one intelligent token will do it.
        1 of 1 people found this helpful
        
        Like Show 0 Likes(0)
        
        Actions
Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action

Grégoire Michel Mar 28, 2018 3:49 PM (in response to Dan Stevens)
Hi Dan,

I think that the approach from Clevertouch is ot GDPR compliant. The article 7.4 of the GDPR writes:
When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

I do not see why a consent is required for the execution of the delivery of the e-book in the Clevertouch case. This is very similar to the discussion on how to interpret the fact that you can send emails to people who are your customers. You can send them emails, but not any email.

Whether or not Clevertouch's approach is really risky ultimately depends on the country your visitors are from and in which EU countries you operate. In Germany I feel the Clevertouch approach is very risky. In France, it's not. To give readers a hint on how strict things can be, a german company was sued (on the previous regulation, not even the GDPR) and fined because the sales people were adding CTAs below their signature in their emails send from their personal mailboxes...

-Greg
Like Show 0 Likes(0)

Actions
- Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action
  
  Dan Stevens Mar 28, 2018 7:06 AM (in response to Grégoire Michel)
  
  Thanks Greg. This is aligned to our guidance as well. In fact, I would argue that obtaining the data captured on the form is adequate value received - without the need to also require opt-in consent.
  
  Like Show 0 Likes(0)
  
  Actions
Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action

Amy Connor Mar 28, 2018 9:44 AM (in response to Dan Stevens)

For GDPR we are doing two separate checkboxes (neither is pre-checked). One is for content to processing, and that is required. The other is consent to direct marketing, and that is optional.
Like Show 3 Likes(3)

Actions
- Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action
  
  Grégoire Michel Mar 28, 2018 3:50 PM (in response to Amy Connor)
  
  Hi Amy,
  
  In all strictness, this double consent is what should be done. Most companies are merging the 2 in order to simplify the forms. Which leads to a conclusion: if the person does not consent to be kept in the database, you should delete it or anonymize her immediately. So, if you only use 1 consent box and the person does not consent, you should not only stop sending emails, but also delete the lead or anonymise it. This anonymization issue is one that is listed here: Marketo GDPR Compliance-a summary of key ideas
  
  I am dreaming of a form with a double consent that, when someone does not consent to be stored in the database and submits the form, displays the following follow-up message:
  "We are sorry, but we cannot process and send you the link to the requested content since it would require that we store your data in our database, to which just did not consent"
  
  -Greg
  
  Like Show 4 Likes(4)
  
  Actions
- Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action
  
  Jason Hamilton Mar 29, 2018 10:10 AM (in response to Amy Connor)
  
  Have you considered legitimate interest as basis for processing? Is everyone grouping 'processing' as one item or are you getting more granular? And if someone says no to processing what are you doing with them? Stopping all processing (scoring, normalization, segmenting, tracking etc...) Or are you deleting them?
  
  Like Show 0 Likes(0)
  
  Actions
  - Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action
    
    Willow Allen Apr 3, 2018 12:35 PM (in response to Jason Hamilton)
    
    Legitimate interest starts to get into fuzzy territory if you don't also have the consent. You'll want to gather that consent via form or emailed agreement between sales and prospect.
    
    As far as what I'm doing -
    
    Consent to marketing is not given on a content request form. Content is delivered based on "fills out form" triggered campaign. Mark as marketing suspended once email is delivered.
    Consent to data processing is revoked (must be given when requesting content as a require field - no data stored without original consent). Turn off sync to sfdc via Marketo. Delete lead from Marketo (not CRM) - clears marketing history. Flag for anonymization in sfdc for product and sfdc admins to handle.
    
    Like Show 0 Likes(0)
    
    Actions
- Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action
  
  Willow Allen Apr 2, 2018 10:31 AM (in response to Amy Connor)
  
  We're doing the same thing. Consent options must be separate and written in plain english. It was my understanding that consent could not be coupled. It really boils down to three things:
  
  #1 Cookie consent
  # 2 Consent to marketing
  # 3 Consent to data processing
  
  We're creating cookie notifiers on our site to handle #1. Consent to marketing #2 is a checkbox which is optional (yes/no) - selecting no still yields the requested content. Consent to data processing #3 (privacy policy acceptance) is a required field for submitting a form.
  
  Like Show 2 Likes(2)
  
  Actions
  - Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action
    
    Grégoire Michel Apr 3, 2018 12:14 AM (in response to Willow Allen)
    
    Hi Willow,
    
    IMHO, the order should be
    #1 Cookie consent
    #2 Consent to data processing (better : consent to data storage)
    #3 Consent to marketing
    
    Marketing (sending emails) is just one type of data processing.
    
    -Greg
    
    Like Show 1 Likes(1)
    
    Actions
Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action

Jason Hamilton Mar 29, 2018 10:06 AM (in response to Dan Stevens)

It sounds to me more like merging of the interpretation of Legitimate interest and consent. This **** regulation has so much gray. I do not think you can force someone to be required check a box, to get the content.
Like Show 0 Likes(0)

Actions
Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action

Liz Davalos Mar 29, 2018 12:04 PM (in response to Dan Stevens)

Not to add fuel to the fire, but a person is still being tracked in Marketo even if you don't include a token on a link and therefore that would violate GDPR unless I'm misunderstanding what people are talking about here. While I personally agree that we shouldn't have to provide free content without receiving the data it does seem that GDPR requires this. I'd say they may be crossing other legal lines there though and they may have to amend that (maybe what that company is banking on). The whole way a free market functions is you get something for your work, requiring it be given away freely breaks that so I can see some lawyer finding a leg to stand on. We're about 99.9% US so for me receiving our emails and being tracked go hand in hand, I can't give one option without the other. They can choose to subscribe all they want, but if they don't also consent to tracking they won't get emails. They simply cannot be a subscriber and not be tracked. We're making that clear for EU residents...
Like Show 0 Likes(0)

Actions
- Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action
  
  Sanford Whiteman Mar 29, 2018 12:13 PM (in response to Liz Davalos)
  
  but a person is still being tracked in Marketo even if you don't include a token on a link
  What do you mean by "tracked" here?
  
  Clicking an untracked link sent in a Marketo email, opened in a browser that has Munchkin disabled, doesn't leave any extra tracks.
  
  Like Show 0 Likes(0)
  
  Actions
  - Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action
    
    Liz Davalos Mar 29, 2018 4:57 PM (in response to Sanford Whiteman)
    
    I mean that Marketo still tracks opens and the email still exists in Marketo so technically (although barely) they are being tracked and you are still retaining their "personal" data.
    
    Like Show 0 Likes(0)
    
    Actions
    - Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action
      
      Sanford Whiteman Mar 29, 2018 5:08 PM (in response to Liz Davalos)
      
      Not if you turn off open tracking (which would also be turned off for anyone who is set to untracked).
      
      From the standpoint of tracking, there's no trace of what happens after they send their email.
      
      Like Show 0 Likes(0)
      
      Actions
      - Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action
        
        Dan Stevens Mar 29, 2018 5:20 PM (in response to Sanford Whiteman)
        
        Is Marketo still tracking activity at an aggregate level (for use in email performance reports; and email link performance reports)?
        
        Like Show 0 Likes(0)
        
        Actions
        
        Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action
        
        Sanford Whiteman Mar 29, 2018 5:56 PM (in response to Dan Stevens)
        
        Not any opens or clicks... I mean, obviously the fact that an email was sent is stored -- but that's the same with every email server on earth!
        
        Like Show 0 Likes(0)
        
        Actions
      - Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action
        
        Sanford Whiteman Mar 29, 2018 9:47 PM (in response to Sanford Whiteman)
        
        P.S. More related code at Selectively track links and opens based on lead opt-in
        
        Like Show 1 Likes(1)
        
        Actions
        
        Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action
        
        Liz Davalos Mar 30, 2018 8:31 AM (in response to Sanford Whiteman)
        
        Thanks Sanford, that helps. I didn't realize that could be done. Although a template change means every email we have would need to be updated so that's unfortunate.
        
        Like Show 0 Likes(0)
        
        Actions
Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action

Michelle Miles Apr 3, 2018 12:03 PM (in response to Dan Stevens)

Dan Stevens Our counsel has said that you can't bundle or "buy" consent with content. I would not recommend an approach like the one described above.
Like Show 0 Likes(0)

Actions
- Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action
  
  Grégoire Michel Apr 3, 2018 2:46 PM (in response to Michelle Miles)
  
  Hi Michelle,
  
  Yes, this was the meaning of my comment above and all the lawyers tend to agreed on this one (at least we have one question on which they all agree )
  
  -Greg
  
  Like Show 0 Likes(0)
  
  Actions
  - Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action
    
    Dan Stevens Apr 4, 2018 7:08 AM (in response to Grégoire Michel)
    
    Randy Davis offers yet another perspective in this thread (halfway down, dated April 4): Marketing Strategies to Thrive in a GDPR World
    
    Like Show 0 Likes(0)
    
    Actions

Go to original post