5 Replies Latest reply on Oct 14, 2018 9:21 AM by Grégoire Michel

    Legality of 'forced opt-in' in EU?

    Matthew Antos-Lewis

      I'm wondering whether anyone has a clear view (with supporting evidence if possible) of the legality of the following under EU law:


      • A webform has a check box at the bottom inviting the visitor to subscribe/opt-in to further marketing communications
      • The check box is unticked (i.e. visitor must choose to opt-in)
      • But, the form's 'submit' button is greyed out unless the visitor ticks the opt-in box.


      So, the action to tick the check box and opt-in is on one hand voluntary, but in reality given you can't submit the form without doing so, it is forced. Seems very murky to me. Does anyone have legal clarity?


      Thanks in advance!

        • Re: Legality of 'forced opt-in' in EU?
          Matjaž Jaušovec



          I think the best advice here is to check and decide on the approach with your own legal department, so you'll have clear and established argumentation on why your forms are set up the way they are - in case somebody asks.


          I believe there is no single interpretation of the GDPR and in reality, you will see different approaches. In our company, we took a more careful/conservative stand and we don't practice the formula you've described above. I personally think this is what the legislation demands. But as said, not everybody agrees with this point of view. There are many very good discussions also here in the community, I advise you to check them out.



          • Re: Legality of 'forced opt-in' in EU?
            Christina Zuniga

            Matthew Antos-Lewis GDPR makes it very clear that you can't require an opt in to access content, so by making it impossible to submit the form you are probably in violation (<-- I say probably because #IAmNotALawyer).


            I agree with Matjaž Jaušovec's advice that checking with your legal team and then documenting the decision and the reasons behind it are critical, but I would also point out that Article 4-11 says 'consent' of the data subject means any freely-given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement.


            In this case by not allowing them to access the content/product/whatever without opting in, checking the box is not actually freely-given.

            2 of 2 people found this helpful
              • Re: Legality of 'forced opt-in' in EU?
                Sonali Jadeja

                Absolutely agree with Christina Zuniga.

                You're legally required to obtain explicit consent in a free, specific, unambiguous manner. If the form couldn't be submitted without opting in, you're basically forcing the user and are not GDPR compliant. In addition to this having been optional, you should also provide a link to your privacy policy and a link to unsubscribe. I believe your legal team will point you in the same direction - do get their seal of approval!

              • Re: Legality of 'forced opt-in' in EU?
                Anne Angele

                Standard I-am-not-a-lawyer-this-isn't-legal-advice applies, but - my interpretation is that it would not be compliant, as you're requiring them to opt-in in exchange for something they want (whatever the form is gating).

                • Re: Legality of 'forced opt-in' in EU?
                  Grégoire Michel

                  I am not a lawyer, but I have helped about 15 of my customers with those subjects so far, all of them in the EU. Here is what I am now sure of: It depends on how the opt-in is labelled.


                  People tend to forget that there in fact are 2 opt-ins you need to get from someone when you capture their information:

                  1. Opt-in to store their data, in accordance with your privacy policy (that should be provided, usually on a separate web page)
                  2. Opt-in to send them communications, for a list of communications/processes that should be detailed, usually in a separate page


                  The difficulty with the first one is that if the person does not opt-in, you cannot even capture the data. So for this one, making checking the box mandatory to fill out the form is OK. But many (if not most, I have not compiled stats) companies have chosen to remove this opt-in box and just add a mention somewhere in the form (usually below or just above the button).


                  Regarding the opt-in to receive communication, it's not compliant to force the opt-in, unless you really need it for the service that the person requests by filling out the form. For instance, if the person registers to an event, you cannot force them to receive any communications. Furthermore, the registration by itself authorizes you to send confirmation or reminder emails. But if someone registers to receive a newsletter, you can force the opt-in to receive the newsletter...