I think the best advice here is to check and decide on the approach with your own legal department, so you'll have clear and established argumentation on why your forms are set up the way they are - in case somebody asks.
I believe there is no single interpretation of the GDPR and in reality, you will see different approaches. In our company, we took a more careful/conservative stand and we don't practice the formula you've described above. I personally think this is what the legislation demands. But as said, not everybody agrees with this point of view. There are many very good discussions also here in the community, I advise you to check them out.
Matthew Antos-Lewis, GDPR makes it very clear that you can't require an opt-in to access content, so by making it impossible to submit the form you are probably in violation (<-- I say probably because #IAmNotALawyer).
I agree with Matjaž Jaušovec's advice that checking with your legal team and then documenting the decision and the reasons behind it are critical, but I would also point out that Article 4-11 says 'consent' of the data subject means any freely-given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement.
In this case by not allowing them to access the content/product/whatever without opting in, checking the box is not actually freely-given.
Absolutely agree with Christina Zuniga.
Standard I-am-not-a-lawyer-this-isn't-legal-advice applies, but - my interpretation is that it would not be compliant, as you're requiring them to opt-in in exchange for something they want (whatever the form is gating).
I am not a lawyer, but I have helped about 15 of my customers with those subjects so far, all of them in the EU. Here is what I am now sure of: It depends on how the opt-in is labelled.
People tend to forget that there are in fact 2 opt-ins you need to get from someone when you capture their information:
- Opt-in to send them communications, for a list of communications/processes that should be detailed, usually on a separate page
The difficulty with the first one is that if the person does not opt in, you cannot even capture the data. So for this one, making checking the box mandatory to fill out the form is OK. But many (if not most, I have not compiled stats) companies have chosen to remove this opt-in box and just add a mention somewhere in the form (usually below or just above the button).
Regarding the opt-in to receive communication, it's not compliant to force the opt-in, unless you really need it for the service that the person requests by filling out the form. For instance, if the person registers for an event, you cannot force them to receive any communications. Furthermore, the registration by itself authorizes you to send confirmation or reminder emails. But if someone registers to receive a newsletter, you can force the opt-in to receive the newsletter...