In the days and weeks running up to May 25, 2018, when the General Data Protection Regulation (GDPR) went into effect, companies around the world were bombarding their existing customers with new privacy notices that outlined their compliance with the regulation and asked them to opt in to accept these changes. To many of these companies’ chagrin, the response was underwhelming. As the British publication The Independent so aptly put it, “The huge influx of emails has been met with something between weariness and confusion…. A whole host of posts mock the increasingly aggressive ways that companies are asking people to agree to receive more emails.” Indeed, some publications, such as Mashable, invited readers “to take this opportunity to clean out our poor, detritus-ridden inboxes. Thank you, GDPR, for this enormous favour.”
Whatever consumers’ feelings were about the deluge, Dallas attorney Sara Hollan Chelette, co-chair of the cybersecurity litigation practice at Jackson Walker LLP, argued that it was a good thing. “In my opinion, the emails served their purpose,” she said. “Consumers were informed that there were important changes made to the privacy policies disclosing how their personal data was treated and they were given the new privacy policies to review.” Although some argued that too many emails at once had led consumers to ignore them altogether, she said, another school of thought is that the volume of the emails underscored the importance of the changes.
Companies, not surprisingly, have been in a panic about the weak response. The irony is — not to rub salt in the wounds of these companies — that, in the view of many experts we spoke with, the request for an opt-in was not necessary. GDPR is a complex regulation that has spawned a wide range of often conflicting opinions about what the regulators meant when they crafted it. For example, we spoke with only one expert who thought the opt-in was necessary.
This conflict matters greatly now as companies decide how they will move forward. To give them a better sense of this complex landscape, we have outlined the theories for both cases.
The Opt-In Wasn’t Necessary
Sankar Krishnan, partner at Capgemini, said that this conundrum companies have gotten themselves into — what do they do now if a customer hasn’t opted in? — is entirely of their own making. “This whole thing has taken a life of its own and I don’t think it was the intention of the regulators to set this kind of precedent,” he said. His belief, he said, was that the regulators intended companies to notify their customers of the new regulations and protections. “A lot of these companies were advised by lawyers that they needed the consent from the consumer,” Krishnan continued. “But all GDPR says is the consumer has the power over his information and that information has to be protected and data privacy has to be ensured. Somehow this has been misinterpreted to mean that a company needs new consent.”
The Effort Is What Counts
That companies made the effort is what matters to regulators, Zachary Paruch, product manager and legal analyst at Termly, said. “While the GDPR is strict in its requirements for the proper notification of policy changes and obtaining consent, it is also reasonable legislation in its expectations,” he said. “If a company makes reasonable efforts to inform and notify its users of policy changes and updates — whether or not the end users actually take time to appreciate these efforts — then they will likely be okay in the eyes of privacy watchdogs.”
This "being reasonable" approach is not a get-out-of-jail card, however. Paruch warned that notification is only one small aspect of GDPR compliance and that, whether or not a company's emails were ignored, that company will still have to obtain informed consent for each and every instance of data collection and use that is not one of the five other legal bases covered by the GDPR (more on this in a moment). “Ultimately, regardless of whether your end users saw your policy update emails, as long as you have done your due diligence regarding notification, you will still fall on the right side of the GDPR if you've taken all the steps stipulated by the legislation to ensure compliance,” he concluded.
Six Lawful Bases for Data Processing
The crux of the issue is that much depends on the lawful basis under which a company processes data, SignalFx’s Chief Security Officer, Marzena Fuller, said. “In many cases they don’t have to do anything as they may be within GDPR compliance,” she said. For example, both contract and legitimate interest do not require consent from individuals. “The most common misconception is that GDPR requires consent for data processing, which is only true for those companies that have adopted the consent legal basis,” she said.
Fuller explained that GDPR provides six lawful bases for data processing and it requires that a company select the most appropriate one given the purpose of the data processing and the relationship with the individuals. “To meet transparency requirements the legal basis should be communicated to customers in a privacy policy or privacy notice; however, acknowledgement is not required. For the purpose of direct marketing a company should make it easy for individuals to object to further communication — opt-out via unsubscribe link,” she said.
Indeed, according to Chaitanya Chandrasekar, co-founder and CEO of QuanticMind, companies should remember that consent is only one of six lawful ways companies can process individual personal data, and it’s the least preferable. “According to the WP29 ‘a controller must always take time to consider whether consent is the appropriate lawful ground for the envisaged processing or whether another ground should be chosen instead,’” he pointed out. As for the multitude of companies that did send out opt-in privacy notices, “It could be that they simply didn’t consider strategically or critically enough their approach to consumer data, or their rationale for using it,” said Chandrasekar.
The Argument That the Opt-In Was/Is Necessary
There is language in GDPR, however, that supports the other case — namely that the opt-in was necessary and also that consumers need to respond before a company can continue its relationship with them. Vincent Rejany, product manager, data management at SAS, put it succinctly: Silence is not acceptance, he said. Having communicated a privacy policy is a good first step, but it is not enough for complying with GDPR. “Article 7 mentions that controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. When relying on consent, this one should be specific, informed, non-ambiguous, and freely given,” he said.
What To Do Now
If you believe the opt-in was necessary, you have little choice but to keep plugging away: additional outreach will be necessary if you want to secure that permission. So re-evaluate your approach and give it another go.
Assuming you believe that the opt-in was not necessary, the question becomes, how does one proceed? Fuller recommended that the first step a company should take now is to determine whether the previously selected lawful basis is in fact applicable and accurate. The best way to make this determination is to consult with an experienced privacy attorney, she said, but as a brief primer she offered that of the six legal bases — contract, legitimate interest, consent, legal obligation, vital interests, and public task — the ones that typically apply to B2B and B2C are contract, legitimate interest, and consent. “Consent is the most difficult and restrictive to obtain, as it requires each individual to provide direct consent before any data processing can occur, including direct email communication,” she said. She also shared that in most cases companies choosing this legal basis were not aware of the other legal bases that were available to them. She also noted that more than one basis can be selected given different purposes of data processing.
None of this is to say that companies should stop communicating with their customers about the regulations, said Adam Prince, VP of Product Management, Compliance and Migration at Sage. “Companies can — and should — integrate data privacy messaging and education into their marketing efforts.” For example, he said, companies can host webinars about data privacy, conduct surveys around GDPR knowledge in their industry or produce whitepapers and blog posts about what the company is doing to protect customer data.