Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action

Dan_Stevens_
Level 10 - Champion Alumni

Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action

I recently came across an example where I was registering to download content and the site required me to tick the opt-in checkbox - while submitting the form - in order to download the content: 16 Tips to Capture Marketing Consent for GDPR – CleverTouch .

pastedImage_0.png

I used their chat feature to inquire about this since much of what we've learned is that you cannot make the ticking of the opt-in checkbox required.  The response I received was as follows:

The GDPR legislation talks about a "balance" in the exchange when it comes to opting-in - we take the view that if we're giving away content for free, there is a balance that you will provide us something in return. If you don't want to provide us that then that's OK - you just won't get the content.  As another example, if this was a paid for event then we wouldn't capture opt-in as well, as that would indicate an imbalance (revenue + an opt-in for 1 event registration).

Again, just wanted to share yet another interpretation/implementation of the GDPR laws.  Thoughts?

Michelle Miles

Grégoire Michel

40 REPLIES 40
Josh_Hill13
Level 10 - Champion Alumni

Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action

First, I'm not a lawyer. Best to discuss with legal counsel.

That being said, I would agree with them - if you want to get the content, you must check the box.

For a Contact Us form, or a free trial, perhaps that is less certain - Yes, I want the free trial but no, I don't want extra marketing. Requiring opt in there would likely lead to lower conversion rate.

What CASL and GDPR say is that you cannot "pre-check" the box for them, that is to assume the opt in for the person. You must take a free action that is explicit and deliberate to opt in. Even for events, we were asked that the scanner or tablet be presented to the Lead for opt in checkbox.

Keith_Nyberg2
Level 9 - Champion Alumni

Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action

I can see more companies following this model. I mean there really shouldn't be a reason why we aren't allowed to do this... The person is submitting their information on their own and checking the box on their own. Kinda like a restaurants "right to refuse service to anyone". No info, no free whitepaper. I think it's pretty sweet!

Dan_Stevens_
Level 10 - Champion Alumni

Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action

Hi Keith - it's not that they're refusing to let someone download the content without filling out the form, it's that they require the user to tick the "opt-in/consent" box.  If you don't, they're blocking you from receiving the content. 

Josh_Hill13
Level 10 - Champion Alumni

Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action

I just spoke with my team member and they said that you must still offer the asset even w/o opt in checked.

Again, I'd spend some time with legal if you plan to follow such a model.

Dan_Stevens_
Level 10 - Champion Alumni

Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action

Our legal team is of the same belief (that you still must provide access to the content; and not force someone to provide their consent).  I just found it interesting when I came across this today - especially the reason given by the site owner - and wanted to share this with the community.

Keith_Nyberg2
Level 9 - Champion Alumni

Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action

In actuality, i'm not following the approach in discussion, to play devils advocate and stir the pot here, I still really don't think there is a problem with this method. I mean we spend alot of time/money to make the content we produce. What law requires us to make it available/free to all people? In other examples the business has the right to define terms, like a bouncer at a nightclub saying that you aren't allowed in unless you comply with the dress code, or a 5 start chef not allowing guests to request food restrictions. As businesses, don't we reserve the right to offer our services/content only to people that agree with our terms?

Dan_Stevens_
Level 10 - Champion Alumni

Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action

I think for the most part, you're preaching to the choir here, Keith.  The same thing applies with the online/targeted advertising models that support much of the commercial content that's available online.  Without the ability to target, profile, etc., many of these sites wouldn't be able to turn a profit/remain in business.  GDPR is what it is (and there's no doubt that it's causing a lot of frustrations/uncertainty for many of us - and the companies that we work for).  And included with that are the risks that businesses are willing to take in how they continue to operate.

I was sent another perspective from a company based in the UK:

https://marketlocation.com/wp-content/uploads/2018/03/ML_GDPR_Brochure_2018_singlepages2.pdf

It too, contains some contradictory information from what many of us have been exposed to thus far (experts, legal team, etc.) - especially on pages 8 onward.  In fact your nightclub analogy was used here as well.  Here are some interesting perspectives from this document:

PECR treats the use of email for marketing communication differently depending on whether it is sent to ‘individual subscribers’ or to ‘corporate subscribers’.

PECR allows electronic direct marketing communications [email] to be sent to corporate subscribers (business email addresses of individuals working for incorporated entities) without prior consent, unless the recipient specifically requests not to receive emails from the sender (“opt-out”). Each direct marketing email should include an “unsubscribe” option to allow the individual to notify the sender that he/she no longer wishes to receive emails from the sender.

The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.’

Amanda_Thomas6
Level 9

Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action

Our compliance team was under the same belief, that you should offer content without requiring an opt in. This is a very helpful post. Thanks, Dan Stevens​.

Nicholas_Manojl
Level 9

Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action

hmmmm, interesting.

But what if the content contains calls-to-action like "Contact our sales to find out more"?

If you imagine a process map, a business might be doing the responsible thing and checking for consent at the very start of an interaction with a potential new customer. Now the customer has actively refused that consent and missed the opportunity to get past our consent gate.

It doesn't seem fair or reasonable that a business now has to implement a consent gate at every possible interaction if the customer changes their mind. If you contact sales, are they expected to provide a collection statement and information about privacy and receive explicit consent before storing any personal information? A reasonable business might say, hey, our sales people don't have the time or skills for that..  it seems like quite a burden on the sales person to have to record and manage consent.

my thoughts on this are scattered (and entirely my own without legal skills or knowledge!)