Consent cannot be inferred. It cannot be implied. A badly written opt-out buried in terms and conditions is not consent.
When is consent given?
The 1995 Data Protection Directive defines consent as:
“any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”
and
“the data subject has unambiguously given his consent”
By contrast, GDPR requires consent to be ‘demonstrable’. It states explicitly that consent can only be obtained by a ‘statement or by a clear affirmative action’.
The Privacy and Electronic Communications Regulations (PECR), which is based on Directive 2002/58/EC (often known the ePrivacy Directive), defines consent as that which comes from the Data Protection Directive, and so the consent under ePrivacy must be unambiguous, freely given, specific and informed.
Therefore, where emails are sent, PECR says that the recipient must have “previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender”.
Quite simply, if you have consent to send emails, you don’t need to ask again. If, however, you do not have freely given, specific, informed and unambiguous consent, then do not send.
However, it would not be unlawful to write to your contacts and ask for consent, because post is not electronic so PECR is not applicable.
Sending emails to people who have not opted-in is unlawful unless you have ‘soft opt-in’ (i.e. previous customers).
Marketing data gathered prior to May 25, 2018
Imagine the scenario: you hold marketing data, collected from lead generation firms, meetings, seminars etc maintained as a contacts database for marketing purposes. You have already contacted some of the people on this database, but others you have not.
How will this be affected by GDPR?
Will you need to contact all the earlier contacts to get consent?
Could this be deemed legitimate business use?
In summary:
For everyone you already have consent from, carry on marketing to them.
For anyone you do not have consent from, do not market to them.
The budget airline, Flybe, were fined because they still contacted those who had explicitly opted out, asking if they wish to opt back in, while Honda were unable to demonstrate whether or not it had consent to contact individuals. If you are not sure, then it is safer to assume that you don’t have consent.
The objective is to re-affirm consent in a GDPR-compliant way which must be done prior to 25 May 2018 and to be valid thereafter.
After 25 May 2018, you can only contact people for marketing purposes, and this includes confirming marketing preferences, from those whom you have obtained consent from in a GDPR-compliant way which you can demonstrate.
Obtaining consent
When seeking to acquire informed consent, then the default solution tends to be that you can obtain written consent from each and every customer. This is of course perfectly fine if it is manageable. But even overcoming this task leaves the burden of gathering the consent documents and filing them, and then ensuring the data is correct, etc.
Remember, consent is just one of the ways in which processing data might be justified. Therefore, consider the processes that you are seeking consent to carry out and look at alternative lawful bases.
If, for example, a library lends books to a member of the library, this could this be covered by ‘contract’. You could then either update the contract (thereby adding any additional needed provisions aside from GDPR consent) and have it signed by the library customers prior to lending new material, or have an addendum drafted.
It is also worth remembering that any function (such as the library example here) that fulfils tasks in the public interest will be able to show it has legitimate interests as a controller and the processing is necessary.
There are useful guidelines for consent from WP29 at https://iapp.org/resources/article/wp29-guidelines-on-consent/#
Contact our Data Protection and GDPR Lawyers Liverpool, Wirral, Merseyside and Across England & Wales
It is important that you have consent to process personal data otherwise you could face penalties. Our team provide clear, straightforward and up to date guidance on all aspects of data protection and GDPR to ensure your business is compliant. For a free initial consultation, contact our specialist team on 0151 659 1070 or complete our online enquiry form.
