The current e-Privacy Directive (soon to be Regulation) states that the use of automated calling systems without human intervention (automatic calling machines), facsimile machines (fax) or electronic mail for the purposes of direct marketing may only be allowed in respect of subscribers who have given their prior consent. Recital 40 states that, for such forms of unsolicited communications for direct marketing, it is justified to require that prior explicit consent of the recipients is obtained before such communications are addressed to them. The Directive further states that ‘consent’ by a user or subscriber corresponds to the data subject’s consent in Directive 95/46/EC - ergo the GDPR.
The GDPR defines consent of the data subject as any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. So, the two pieces of legislation work together.
Example of where it's not freely given or specific - A college uses an application form that only allows applicants to opt out of receiving marketing from commercial companies if they untick three boxes covering marketing emails, post and text messages. The wording of the opt-out also means that unticking the boxes would result in the applicant not receiving information about career opportunities and education providers or health information. In this example, applicants would feel obliged to let the college use their information for commercial purposes; otherwise they’d potentially miss out on important information about their career or education.
Signifies agreement - It does not necessarily have to be a proactive declaration of consent – for example, consent might sometimes be given by submitting an online form, if there was a clear and prominent statement that this would be taken as agreement and there was the option to opt out. But organisations cannot assume consent from a failure to opt out unless this is part of a positive step such as signing up to a service or completing a transaction. For example, they cannot assume consent from non-response to an email, as this would not be a positive indication of agreement. The e-Privacy Directive states in Recital 17 that consent may be given by any appropriate method enabling a freely given, specific and informed indication of the user’s wishes, including by ticking a box when visiting an Internet website. Remember - no pre-ticked boxes.
NOTE that organisations cannot email or text an individual to ask for consent to future marketing messages. That email or text is in itself sent for the purposes of direct marketing, and so is subject to the same rules as other marketing texts and emails.
- No unsolicited direct marketing - unless you have obtained the personal details in the context of a sale, you are marketing your own similar products and you provide the option to opt out
- Use opt in boxes
- Give options to choose the method/s of communication i.e. email, text, phone or recorded call
- Ask for consent to pass their details to third parties for marketing and provide all details of third parties
- Record when and how you obtained consent and exactly what it covers
Where you have bought lists for marketing purposes, the many issues to consider include:
- there is a joint responsibility for you and the seller to ensure that the proper explicit consent was given, specifically for your organisation to use the personal data
- you need to maintain the quality of that data
- you must have a procedure for dealing with any inaccuracies within or complaints about the data
- you must ensure that a contract exists between you and the seller
The content herein is provided for your convenience and does not constitute legal advice.
Compliance Technology Solutions B.V. 2018