can of spam on a strainer
PHOTO: Dani Armengol Garreta

Happy GDPR Compliance Day. If you're like me, you spent the last few weeks rediscovering all of the newsletters and email lists you had signed up for but forgotten.

The deluge of emails brands have sent out asking prospects, customers and content subscribers to re-consent to data processing could, as it turns out, be a waste of time. Why? Because in many cases re-consent isn't a GDPR mandate. Further, brands can lawfully process personal data on five other grounds besides consent, and they need only one of them, according to the GDPR, the new data protection law from the European Union that went into effect today.

“It is unfortunate that a lot of companies are blindly asking for consent when they don’t need it because they have either historically obtained the consent to contact a user,” said digital policy consultant Kristina Podnar. “Or better yet, the company has a lawful basis for contact. Lawful basis is always preferable to consent, so I am uncertain why companies are blindly dismissing that path in favor of consent.”

GDPR: You Don't Necessarily Need to Seek Consent Again

Another reason why your re-consent campaign may be unnecessary? GDPR says so. According to GDPR literature (Recital 171), “it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of” Directive 95/46/EC. The EU adopted that data protection directive in 1995 and required consent in its regulations. If your brand has complied with that consent requirement, there is no need for re-consent campaigns (note: GDPR now supersedes Directive 95/46/EC).

Many companies have already documented their processing activities and are gaining consent from data subjects in GDPR-compliant ways, using “opt-in” contracts through which users or clients can affirm consent, according to Chaitanya Chandrasekar, co-founder and CEO of QuanticMind. “But, if you’re unsure or haven’t mapped out entirely your processing activities,” he said, “it’s impossible to accurately reflect what your users or clients are consenting to when they complete a consent request.”


Why Ask for Consent When There's 'Legitimate Interest'?

Chandrasekar added that of the six lawful, GDPR-compliant ways companies can get the green light to process individual personal data, consent is the “least preferable.” According to guidelines issued by the Article 29 Working Party from the European Commission, “a controller must always take time to consider whether consent is the appropriate lawful ground for the envisaged processing or whether another ground should be chosen instead.”

Marketers should consider if the rationale for processing personal data meets any of the five requirements outside of consent. According to Article 6 of the GDPR, they include:

  • Contractual necessity
  • Compliance with legal obligations
  • Vital interests of a natural person that may not be the data subject
  • Public interest
  • Legitimate interests, such as preventing fraud

“In particular,” Chandrasekar said, “‘legitimate interest’ is probably the best alternative to consent for sending marketing emails or spam email.”

Does Your Processing Have Legitimate Interests?

What constitutes lawful processing of personal data for legitimate interests? According to Article 6(1) of the GDPR, the legitimate interests basis applies when “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

The Data Protection Network offers guidance (registration required) to help companies assess how they might leverage “legitimate interests” as an alternative to consent, and includes a template for conducting a Legitimate Interests Assessment (LIA).


The GDPR Re-Consent Campaign Fallout

Some in the thick of it have also recognized the re-consent campaigns as a practical pain. The campaigns are causing angst among email-weary customers and prospects, consent fatigue and even some legal issues.

Further, the Twitter Universe is telling us more stories of the downfalls of re-consent campaigns, such as:

  • Reports of unintended privacy breaches
  • Unrealistic opt-out options for users
  • Inbox overload
  • Procrastination callouts
  • GDPR compliance tips for vendors
  • Practical pain for brands with little gain

But the campaigns did provoke joy in others ...

One Brand's Consent Campaign Offerings

One MailChimp user tweeted this week that it seems the EU has "effectively killed newsletter with GDPR." He said he sent "get consent" emails through MailChimp and reported these numbers: 100 percent delivery rate, 37 percent open rate, 0 percent given consent. MailChimp is an email marketing and marketing automation provider.

CMSWire asked MailChimp spokesperson Courtney Baldasare about the topic of consent emails and GDPR and showed her the tweet from the company's client. “Regarding email consent,” Baldasare said, “if consent originally obtained is GDPR compliant, businesses don’t need to re-obtain it. Customers will have an option to launch an email 're-consent' campaign which allows them to access new GDPR consent.” MailChimp, she added, is providing customers with a customizable email template.

As for those on the receiving end of these consent requests? It may not always be smart to turn a blind eye, according to Podnar. "Yes, we are all annoyed by the crazy number of emails in our inbox, but people would do well to read through them regardless of how annoying they might be," Podnar said. "In some instances, it is an opportunity to clean up your inbox by not responding, in other instances there are privacy implications that you will want to understand for the future."