AnsweredAssumed Answered

Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action

Question asked by Dan Stevens.

on Mar 27, 2018
Latest reply on Apr 4, 2018 by Dan Stevens.

Like • Show 7 Likes7
Comment • 40

I recently came across an example where I was registering to download content and the site required me to tick the opt-in checkbox - while submitting the form - in order to download the content: 16 Tips to Capture Marketing Consent for GDPR – CleverTouch .

I used their chat feature to inquire about this since much of what we've learned is that you cannot make the ticking of the opt-in checkbox required. The response I received was as follows:

The GDPR legislation talks about a "balance" in the exchange when it comes to opting-in - we take the view that if we're giving away content for free, there is a balance that you will provide us something in return. If you don't want to provide us that then that's OK - you just won't get the content. As another example, if this was a paid for event then we wouldn't capture opt-in as well, as that would indicate an imbalance (revenue + an opt-in for 1 event registration).

Again, just wanted to share yet another interpretation/implementation of the GDPR laws. Thoughts?

Michelle Miles

Grégoire Michel

1 person has this question

Outcomes

40 Replies

Josh Hill Mar 27, 2018 10:12 AM
Mark Correct
Correct Answer
First, I'm not a lawyer. Best to discuss with legal counsel.

That being said, I would agree with them - if you want to get the content, you must check the box.

For a Contact Us form, or a free trial, perhaps that is less certain - Yes, I want the free trial but no, I don't want extra marketing. Requiring opt in there would likely lead to lower conversion rate.

What CASL and GDPR say is that you cannot "pre-check" the box for them, that is to assume the opt in for the person. You must take a free action that is explicit and deliberate to opt in. Even for events, we were asked that the scanner or tablet be presented to the Lead for opt in checkbox.
1 person found this helpful
Like • Show 4 Likes4
Actions
Keith Nyberg Mar 27, 2018 11:25 AM
Mark Correct
Correct Answer
I can see more companies following this model. I mean there really shouldn't be a reason why we aren't allowed to do this... The person is submitting their information on their own and checking the box on their own. Kinda like a restaurants "right to refuse service to anyone". No info, no free whitepaper. I think it's pretty sweet!
Like • Show 0 Likes0
Actions
- Dan Stevens. @ Keith Nyberg on Mar 27, 2018 11:30 AM
  Mark Correct
  Correct Answer
  Hi Keith - it's not that they're refusing to let someone download the content without filling out the form, it's that they require the user to tick the "opt-in/consent" box. If you don't, they're blocking you from receiving the content.
  Like • Show 0 Likes0
  Actions
  - Josh Hill @ Dan Stevens. on Mar 27, 2018 11:32 AM
    Mark Correct
    Correct Answer
    I just spoke with my team member and they said that you must still offer the asset even w/o opt in checked.
    
    Again, I'd spend some time with legal if you plan to follow such a model.
    1 person found this helpful
    Like • Show 3 Likes3
    Actions
    - Dan Stevens. @ Josh Hill on Mar 27, 2018 11:36 AM
      Mark Correct
      Correct Answer
      Our legal team is of the same belief (that you still must provide access to the content; and not force someone to provide their consent). I just found it interesting when I came across this today - especially the reason given by the site owner - and wanted to share this with the community.
      1 person found this helpful
      Like • Show 0 Likes0
      Actions
      - Keith Nyberg @ Dan Stevens. on Mar 27, 2018 11:45 AM
        Mark Correct
        Correct Answer
        In actuality, i'm not following the approach in discussion, to play devils advocate and stir the pot here, I still really don't think there is a problem with this method. I mean we spend alot of time/money to make the content we produce. What law requires us to make it available/free to all people? In other examples the business has the right to define terms, like a bouncer at a nightclub saying that you aren't allowed in unless you comply with the dress code, or a 5 start chef not allowing guests to request food restrictions. As businesses, don't we reserve the right to offer our services/content only to people that agree with our terms?
        Like • Show 0 Likes0
        Actions
        Dan Stevens. @ Keith Nyberg on Mar 27, 2018 12:22 PM
        Mark Correct
        Correct Answer
        I think for the most part, you're preaching to the choir here, Keith. The same thing applies with the online/targeted advertising models that support much of the commercial content that's available online. Without the ability to target, profile, etc., many of these sites wouldn't be able to turn a profit/remain in business. GDPR is what it is (and there's no doubt that it's causing a lot of frustrations/uncertainty for many of us - and the companies that we work for). And included with that are the risks that businesses are willing to take in how they continue to operate.
        
        I was sent another perspective from a company based in the UK:
        
        https://marketlocation.com/wp-content/uploads/2018/03/ML_GDPR_Brochure_2018_singlepages2.pdf
        
        It too, contains some contradictory information from what many of us have been exposed to thus far (experts, legal team, etc.) - especially on pages 8 onward. In fact your nightclub analogy was used here as well. Here are some interesting perspectives from this document:
        
        PECR treats the use of email for marketing communication differently depending on whether it is sent to ‘individual subscribers’ or to ‘corporate subscribers’.
        PECR allows electronic direct marketing communications [email] to be sent to corporate subscribers (business email addresses of individuals working for incorporated entities) without prior consent, unless the recipient specifically requests not to receive emails from the sender (“opt-out”). Each direct marketing email should include an “unsubscribe” option to allow the individual to notify the sender that he/she no longer wishes to receive emails from the sender.
        The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.’
        Like • Show 1 Like1
        Actions
      - Amanda Thomas @ Dan Stevens. on Mar 27, 2018 8:22 PM
        Mark Correct
        Correct Answer
        Our compliance team was under the same belief, that you should offer content without requiring an opt in. This is a very helpful post. Thanks, Dan Stevens..
        Like • Show 0 Likes0
        Actions
    - Nicholas Manojlovic @ Josh Hill on Mar 27, 2018 7:29 PM
      Mark Correct
      Correct Answer
      hmmmm, interesting.
      
      But what if the content contains calls-to-action like "Contact our sales to find out more"?
      
      If you imagine a process map, a business might be doing the responsible thing and checking for consent at the very start of an interaction with a potential new customer. Now the customer has actively refused that consent and missed the opportunity to get past our consent gate.
      
      It doesn't seem fair or reasonable that a business now has to implement a consent gate at every possible interaction if the customer changes their mind. If you contact sales, are they expected to provide a collection statement and information about privacy and receive explicit consent before storing any personal information? A reasonable business might say, hey, our sales people don't have the time or skills for that.. it seems like quite a burden on the sales person to have to record and manage consent.
      
      my thoughts on this are scattered (and entirely my own without legal skills or knowledge!)
      Like • Show 1 Like1
      Actions
Nicholas Manojlovic Mar 27, 2018 7:18 PM
Mark Correct
Correct Answer
I guess the question is "can we refuse service to someone who hasn't consented"?

In my opinion, refusing service is the only thing we can do unless someone completely and totally opts-in.

People need to know what they're signing up for - tracked Munchkin, tracked emails, stored data, etc.

If we can't refuse service to people who don't agree to tracked emails and stored data, then we are in a pickle. We can't send one person an email that isn't tracked, and another person an email that is. You're either in or you're not with the Marketo tool the way it is currently built and designed.
1 person found this helpful
Like • Show 1 Like1
Actions
- Sanford Whiteman @ Nicholas Manojlovic on Mar 27, 2018 7:21 PM
  Mark Correct
  Correct Answer
  Sending tracked and untracked links is exactly what we're doing...
  Like • Show 0 Likes0
  Actions
  - Nicholas Manojlovic @ Sanford Whiteman on Mar 27, 2018 7:30 PM
    Mark Correct
    Correct Answer
    per asset, not per person.
    Like • Show 0 Likes0
    Actions
    - Sanford Whiteman @ Nicholas Manojlovic on Mar 27, 2018 7:36 PM
      Mark Correct
      Correct Answer
      You don't need to send 2 links to the same person... if you don't know someone's consent status, send them the untracked link because they're assumed to not have consented, and give them the option upon clicking. What's the other case? You can't use the click itself as consent, that's clearly in violation.
      1 person found this helpful
      Like • Show 1 Like1
      Actions
      - Nicholas Manojlovic @ Sanford Whiteman on Mar 27, 2018 7:59 PM
        Mark Correct
        Correct Answer
        I'm not sure we're talking at each other.
        
        Person A consents to be in our database but chooses to opt-out of email tracking.
        Person B consents to be in our database and chooses to opt-in to email tracking.
        
        Person A and B both qualify for our send campaign. It is impossible* to send them the same asset but have one person tracked and the other not. (It is burdensome to develop two pieces of content, one specifically designed for untracked links).
        
        Ergo, we needed Person A to choose to opt-in to email tracking or else we can't send them emails.
        
        *OOB
        1 person found this helpful
        Like • Show 1 Like1
        Actions
        Sanford Whiteman @ Nicholas Manojlovic on Mar 27, 2018 8:24 PM
        Mark Correct
        Correct Answer
        I guess with your *OOB that makes sense. But since we tokenize content anyway, we now just use a Velocity token -- done!
        Like • Show 0 Likes0
        Actions
        Nicholas Manojlovic @ Sanford Whiteman on Mar 27, 2018 8:43 PM
        Mark Correct
        Correct Answer
        what's the gist of that approach?
        
        #if ( $opted-in-to-email )
        <a href="$token-link-1">
        #else
        <a href="$token-link-1" class="mktNoTrack">
        Like • Show 0 Likes0
        Actions
        Dan Stevens. @ Nicholas Manojlovic on Mar 27, 2018 8:49 PM
        Mark Correct
        Correct Answer
        Change “opted-in-to-email” to “opted-in-to-be-tracked/processed”. If they haven’t opted in to email, you’re not sending them any email.
        1 person found this helpful
        Like • Show 1 Like1
        Actions
        Sanford Whiteman @ Nicholas Manojlovic on Mar 27, 2018 10:43 PM
        Mark Correct
        Correct Answer
        Yep, or with less repetition:
        
        #set( $canBeTracked = $convert.toNumber("0${lead.canBeTracked}") ) <a class="$display.message( "{0,choice,0#mktNoTrack|1#}", $canBeTracked )" href="${link}">Le Click, C'est Chic</a>
        
        Note that #if($opted-in-to-email) won't work with Marketo boolean fields (exported as strings in VTL) because all strings are boolean true.
        1 person found this helpful
        Like • Show 0 Likes0
        Actions
        Amanda Thomas @ Nicholas Manojlovic on Mar 27, 2018 8:26 PM
        Mark Correct
        Correct Answer
        This is interesting. Same question. Should we all be setting up two download emails, one with tracking and one without tracking per asset. (If now, we send download emails as a way to send the actual asset?) At my previous company, we just linked directly to the asset after the person filled out the form, so we didn't have to do download emails. I wonder if more people are going to move to that model.
        Like • Show 0 Likes0
        Actions
        Sanford Whiteman @ Amanda Thomas on Mar 27, 2018 8:36 PM
        Mark Correct
        Correct Answer
        One email, one intelligent token will do it.
        1 person found this helpful
        Like • Show 0 Likes0
        Actions
Grégoire Michel Mar 28, 2018 3:49 PM
Mark Correct
Correct Answer
Hi Dan,

I think that the approach from Clevertouch is ot GDPR compliant. The article 7.4 of the GDPR writes:
When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
I do not see why a consent is required for the execution of the delivery of the e-book in the Clevertouch case. This is very similar to the discussion on how to interpret the fact that you can send emails to people who are your customers. You can send them emails, but not any email.

Whether or not Clevertouch's approach is really risky ultimately depends on the country your visitors are from and in which EU countries you operate. In Germany I feel the Clevertouch approach is very risky. In France, it's not. To give readers a hint on how strict things can be, a german company was sued (on the previous regulation, not even the GDPR) and fined because the sales people were adding CTAs below their signature in their emails send from their personal mailboxes...

-Greg
Like • Show 0 Likes0
Actions
- Dan Stevens. @ Grégoire Michel on Mar 28, 2018 7:06 AM
  Mark Correct
  Correct Answer
  Thanks Greg. This is aligned to our guidance as well. In fact, I would argue that obtaining the data captured on the form is adequate value received - without the need to also require opt-in consent.
  Like • Show 0 Likes0
  Actions
Amy Goldfine Mar 28, 2018 9:44 AM
Mark Correct
Correct Answer
For GDPR we are doing two separate checkboxes (neither is pre-checked). One is for content to processing, and that is required. The other is consent to direct marketing, and that is optional.
Like • Show 3 Likes3
Actions
- Grégoire Michel @ Amy Goldfine on Mar 28, 2018 3:50 PM
  Mark Correct
  Correct Answer
  Hi Amy,
  
  In all strictness, this double consent is what should be done. Most companies are merging the 2 in order to simplify the forms. Which leads to a conclusion: if the person does not consent to be kept in the database, you should delete it or anonymize her immediately. So, if you only use 1 consent box and the person does not consent, you should not only stop sending emails, but also delete the lead or anonymise it. This anonymization issue is one that is listed here: Marketo GDPR Compliance-a summary of key ideas
  
  I am dreaming of a form with a double consent that, when someone does not consent to be stored in the database and submits the form, displays the following follow-up message:
  "We are sorry, but we cannot process and send you the link to the requested content since it would require that we store your data in our database, to which just did not consent"
  
  -Greg
  Like • Show 4 Likes4
  Actions
- Jason Hamilton @ Amy Goldfine on Mar 29, 2018 10:10 AM
  Mark Correct
  Correct Answer
  Have you considered legitimate interest as basis for processing? Is everyone grouping 'processing' as one item or are you getting more granular? And if someone says no to processing what are you doing with them? Stopping all processing (scoring, normalization, segmenting, tracking etc...) Or are you deleting them?
  Like • Show 0 Likes0
  Actions
  - 9038ca2225580624cc841da923567f2cd7096cc0 @ Jason Hamilton on Apr 3, 2018 12:35 PM
    Mark Correct
    Correct Answer
    Legitimate interest starts to get into fuzzy territory if you don't also have the consent. You'll want to gather that consent via form or emailed agreement between sales and prospect.
    
    As far as what I'm doing -
    
    Consent to marketing is not given on a content request form. Content is delivered based on "fills out form" triggered campaign. Mark as marketing suspended once email is delivered.
    Consent to data processing is revoked (must be given when requesting content as a require field - no data stored without original consent). Turn off sync to sfdc via Marketo. Delete lead from Marketo (not CRM) - clears marketing history. Flag for anonymization in sfdc for product and sfdc admins to handle.
    Like • Show 0 Likes0
    Actions
- 9038ca2225580624cc841da923567f2cd7096cc0 @ Amy Goldfine on Apr 2, 2018 10:31 AM
  Mark Correct
  Correct Answer
  We're doing the same thing. Consent options must be separate and written in plain english. It was my understanding that consent could not be coupled. It really boils down to three things:
  
  #1 Cookie consent
  # 2 Consent to marketing
  # 3 Consent to data processing
  
  We're creating cookie notifiers on our site to handle #1. Consent to marketing #2 is a checkbox which is optional (yes/no) - selecting no still yields the requested content. Consent to data processing #3 (privacy policy acceptance) is a required field for submitting a form.
  Like • Show 2 Likes2
  Actions
  - Grégoire Michel @ 9038ca2225580624cc841da923567f2cd7096cc0 on Apr 3, 2018 12:14 AM
    Mark Correct
    Correct Answer
    Hi Willow,
    
    IMHO, the order should be
    #1 Cookie consent
    #2 Consent to data processing (better : consent to data storage)
    #3 Consent to marketing
    
    Marketing (sending emails) is just one type of data processing.
    
    -Greg
    Like • Show 1 Like1
    Actions
Jason Hamilton Mar 29, 2018 10:06 AM
Mark Correct
Correct Answer
It sounds to me more like merging of the interpretation of Legitimate interest and consent. This **** regulation has so much gray. I do not think you can force someone to be required check a box, to get the content.
Like • Show 0 Likes0
Actions
Liz Davalos Mar 29, 2018 12:04 PM
Mark Correct
Correct Answer
Not to add fuel to the fire, but a person is still being tracked in Marketo even if you don't include a token on a link and therefore that would violate GDPR unless I'm misunderstanding what people are talking about here. While I personally agree that we shouldn't have to provide free content without receiving the data it does seem that GDPR requires this. I'd say they may be crossing other legal lines there though and they may have to amend that (maybe what that company is banking on). The whole way a free market functions is you get something for your work, requiring it be given away freely breaks that so I can see some lawyer finding a leg to stand on. We're about 99.9% US so for me receiving our emails and being tracked go hand in hand, I can't give one option without the other. They can choose to subscribe all they want, but if they don't also consent to tracking they won't get emails. They simply cannot be a subscriber and not be tracked. We're making that clear for EU residents...
Like • Show 0 Likes0
Actions
- Sanford Whiteman @ Liz Davalos on Mar 29, 2018 12:13 PM
  Mark Correct
  Correct Answer
  but a person is still being tracked in Marketo even if you don't include a token on a link
  What do you mean by "tracked" here?
  
  Clicking an untracked link sent in a Marketo email, opened in a browser that has Munchkin disabled, doesn't leave any extra tracks.
  Like • Show 0 Likes0
  Actions
  - Liz Davalos @ Sanford Whiteman on Mar 29, 2018 4:57 PM
    Mark Correct
    Correct Answer
    I mean that Marketo still tracks opens and the email still exists in Marketo so technically (although barely) they are being tracked and you are still retaining their "personal" data.
    Like • Show 0 Likes0
    Actions
    - Sanford Whiteman @ Liz Davalos on Mar 29, 2018 5:08 PM
      Mark Correct
      Correct Answer
      Not if you turn off open tracking (which would also be turned off for anyone who is set to untracked).
      
      From the standpoint of tracking, there's no trace of what happens after they send their email.
      Like • Show 0 Likes0
      Actions
      - Dan Stevens. @ Sanford Whiteman on Mar 29, 2018 5:20 PM
        Mark Correct
        Correct Answer
        Is Marketo still tracking activity at an aggregate level (for use in email performance reports; and email link performance reports)?
        Like • Show 0 Likes0
        Actions
        Sanford Whiteman @ Dan Stevens. on Mar 29, 2018 5:56 PM
        Mark Correct
        Correct Answer
        Not any opens or clicks... I mean, obviously the fact that an email was sent is stored -- but that's the same with every email server on earth!
        Like • Show 0 Likes0
        Actions
      - Sanford Whiteman @ Sanford Whiteman on Mar 29, 2018 9:47 PM
        Mark Correct
        Correct Answer
        P.S. More related code at Selectively track links and opens based on lead opt-in
        Like • Show 1 Like1
        Actions
        Liz Davalos @ Sanford Whiteman on Mar 30, 2018 8:31 AM
        Mark Correct
        Correct Answer
        Thanks Sanford, that helps. I didn't realize that could be done. Although a template change means every email we have would need to be updated so that's unfortunate.
        Like • Show 0 Likes0
        Actions
Michelle Miles Apr 3, 2018 12:03 PM
Mark Correct
Correct Answer
Dan Stevens. Our counsel has said that you can't bundle or "buy" consent with content. I would not recommend an approach like the one described above.
Like • Show 0 Likes0
Actions
- Grégoire Michel @ Michelle Miles on Apr 3, 2018 2:46 PM
  Mark Correct
  Correct Answer
  Hi Michelle,
  
  Yes, this was the meaning of my comment above and all the lawyers tend to agreed on this one (at least we have one question on which they all agree )
  
  -Greg
  Like • Show 0 Likes0
  Actions
  - Dan Stevens. @ Grégoire Michel on Apr 4, 2018 7:08 AM
    Mark Correct
    Correct Answer
    Randy Davis offers yet another perspective in this thread (halfway down, dated April 4): Marketing Strategies to Thrive in a GDPR World
    Like • Show 0 Likes0
    Actions

Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action

Outcomes

Related Content

Recommended Content

Incoming Links