Happy GDPR Compliance Day. If you're like me, you spent the last few weeks rediscovering all of the newsletters and email lists you had signed up for but forgotten about.
The deluge of emails brands have sent out asking prospects, customers and content subscribers to re-consent to data processing could, as it turns out, be a waste of time. Why? Because in many cases it isn't a GDPR mandate. Further, brands can lawfully process personal data in five other ways besides consent, and you only need one of them, according to the GDPR, the new data protection law from the European Union that went into effect today.
“It is unfortunate that a lot of companies are blindly asking for consent when they don’t need it because they have either historically obtained the consent to contact a user,” said digital policy consultant Kristina Podnar. “Or better yet, the company has a lawful basis for contact. Lawful basis is always preferable to consent, so I am uncertain why companies are blindly dismissing that path in favor of consent.”
GDPR: You Don't Necessarily Need to Seek Consent Again
Another reason why your re-consent campaign may be unnecessary? GDPR says so. According to GDPR literature (Recital 171), “it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of” Directive 95/46/EC. The EU adopted that data protection directive in 1995 and required consent in its regulations. If your brand has complied with that consent requirement, no need for re-consent campaigns (note: GDPR now supersedes Directive 95/46/EC).
Many companies have already documented their processing activities and are gaining consent from data subjects in GDPR-compliant ways, using “opt-in” contracts through which users or clients can affirm consent, according to Chaitanya Chandrasekar, co-founder and CEO of QuanticMind. “But, if you’re unsure or haven’t mapped out entirely your processing activities,” he said, “it’s impossible to accurately reflect what your users or clients are consenting to when they complete a consent request.”
Why Ask for Consent When There's 'Legitimate Interest'?
Chandrasekar added that of the six lawful, GDPR-compliant ways companies can get the green light to process individual personal data, consent is the “least preferable.” According to Article 29 Working Party guidelines from the European Commission, "a controller must always take time to consider whether consent is the appropriate lawful ground for the envisaged processing or whether another ground should be chosen instead."
Marketers should consider if the rationale for processing personal data meets any of the five requirements outside of consent. According to Article 6 of the GDPR, they include:
- Contractual necessity
- Compliance with legal obligations
- Vital interests of a natural person that may not be the data subject
- Public interest
- Legitimate interests, i.e., as in the case of preventing fraud
“In particular,” Chandrasekar said, “‘legitimate interest’ is probably the best alternative to consent for sending marketing emails or spam email.”
Does Your Processing Have Legitimate Interests?
What constitutes lawful processing of personal data for legitimate interests? According to Article 6(1) of the GDPR, legitimate interest triggers when “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
The Data Protection Network offers guidance (registration required) to help companies assess how they might leverage “legitimate interests” as an alternative to consent, and includes a template for conducting a Legitimate Interests Assessment (LIA).
The GDPR Re-Consent Campaign Fallout
The re-consent campaigns have also been recognized as a practical pain by some in the thick of it. They are causing angst among email-weary customers and prospects, consent fatigue and even some legal issues.
Further, the Twitter Universe is telling us more stories of the downfalls of re-consent campaigns, such as:
Reports of unintended privacy breaches
Brilliant. Another GDPR consent email.
This time with 269 - yes 269 - other people's email addresses clearly shown in the address bar. #missedthepoint — Michael Tidd (@MichaelT1979) May 23, 2018
Unrealistic opt-out options for users
Tumblr’s #GDPR #consent user interface lists the hundreds of ad companies they share your data with. It’s quite confronting!
👍👍 for allowing you to see this and opt out
👎👎 for making you have to tap every single one individually to completely withdraw your consent pic.twitter.com/YJadufsAmJ — SHIBA COMPUTER (@helveticade) May 25, 2018
I'm now getting repeated reminder #GDPR "consent-spam" from some companies that I've already clicked "yes" to. How unbelievably stupid — Dean Bubley (@disruptivedean) May 21, 2018
One thing that #GDPR has taught me is that companies will leave things until the very last minute. I don't have a single GDPR consent email over 6 weeks old. Why do companies leave stuff so late? — Gary Williams (@Garyw_) May 23, 2018
GDPR compliance tips for vendors
Dear companies that follow me on Twitter, please stop with the "GDPR" email re-opt-in messages. You're already covered by existing law if you obtained consent. Email is already a time sink as it is. — Allan (@neebone) May 23, 2018
Practical pain for brands with little gain
My opt-in rate for GDPR-consent emails is declining rapidly as this week goes on. — Dillon Compton (@comptly) May 23, 2018
But did provoke joy in others ...
Inbox Zero may actually be achievable thanks to GDPR. — Theo (@tprstly) May 25, 2018
GDPR: the great unsubscribing
We should do this collectively every year - digital spring cleaning! — Rachel Happe (@rhappe) May 25, 2018
One Brand's Consent Campaign Offerings
One MailChimp user tweeted this week that it seems the EU has "effectively killed newsletter with GDPR." He said he sent "get consent" emails through MailChimp and reported these numbers: 100 percent delivery rate, 37 percent open rate, 0 percent given consent. MailChimp is an email marketing and marketing automation provider.
CMSWire asked MailChimp spokesperson Courtney Baldasare about the topic of consent emails and GDPR and showed it the tweet from its client. "Regarding email consent," Baldasare said, "if consent originally obtained is GDPR compliant, businesses don’t need to re-obtain it. Customers will have an option to launch an email 're-consent' campaign which allows them to access new GDPR consent." MailChimp, she added, is providing customers with this email template that’s customizable.
As for those on the receiving end of these consent requests? It may not always be smart to turn a blind eye, according to Podnar. "Yes, we are all annoyed by the crazy number of emails in our inbox, but people would do well to read through them regardless of how annoying they might be," Podnar said. "In some instances, it is an opportunity to clean up your inbox by not responding, in other instances there are privacy implications that you will want to understand for the future."