With the EU General Data Protection Regulation in the home stretch, users can probably expect the deluge of compliance emails to dry up. But are we already in danger of consent fatigue, and does this even need to be the case?
In what appears to be panic mode, thousands of companies are pinging mailing lists to get (in some cases, get again) affirmative opt-in consent from their subjects, ostensibly to comply with the GDPR. In particular, companies that don’t have clear documentation about how they acquired consent in the first place — perhaps they inherited or bought their mailing list — are asking users to click the all-important “I agree” button.
But this “re-consent everyone” approach could be overkill and according to Partner at Hogan Lovells Eduardo Ustaran, CIPP/E, “Some marketing departments are going to be pretty unhappy when they realize that a misunderstanding of the law is the cause of a massive reduction of their databases,” he told The Privacy Advisor. “This is an unfortunate mistake that is propagating all over our mailboxes as a direct consequence of the GDPR panic. In reality, the majority of these emails are being sent to people with whom the sender already has a commercial relationship and for which consent is not even needed.”
The point is: Consent for email marketing is already a requirement under European e-privacy law, which allows this type of marketing on an opt-out basis for existing customers. So if you have your unsubscribe button in place all is well. The GDPR does not change that at all.
“For the vast majority of data processors, there is no need to worry. Those who comply with the existing data protection rules will not have a great need for adaptation and do not have to fear penalties,” GDPR Rapporteur Jan Philipp Albrecht said.
“It is clear to me that companies deciding to recollect consents in April and May 2018 really did not consider their steps well and have shot themselves in the foot,” said Lukasz Olejnik, an independent cybersecurity and privacy researcher and consultant. “With all the other companies doing the same thing, users are finding an unprecedented volume of consent-recollection messages in their mailboxes. This short-term fatigue will inevitably result in mechanic clicks on 'No, thanks,' or outright ignoring the emails altogether.”
For users, however, this is a good opportunity to get automatically off mailing lists. “The most counterintuitive feature of the GDPR is that by far it offers the most consistent, if not the most intuitive way of unsubscribing and withdrawing consent: not doing anything,” Olejnik added.
Paul Breitbarth, director of strategic research and regulator outreach at Nymity, said he was curious to see if companies took notice of this: “Will companies take out of their mailing lists anyone who does not respond to a request for renewed consent? Since consent needs to be an affirmative action, staying silent cannot be interpreted as implied consent. As always with data protection, I’m afraid it is not black and white, but the basic rule is that consent provided before the GDPR remains valid if it meets the GDPR standard: freely given, unambiguous (so no pre-ticked boxes), specific and fully informed. The consent does need to be demonstrable, so records are indeed required."
Realistically, the only companies that need to panic sending out re-consent emails for marketing are those that cannot currently demonstrate this consent was legally obtained, which would already put them in breach of EU law, namely Article 13 of the ePrivacy Directive which stipulates that communications, including email, may not be sent without prior consent, unless there is an existing customer relationship.
Breitbarth states it clearly: “If I buy something from a store, they can send me their communications based on legitimate interest, with a clear unsubscribe/opt-out. But if there is no existing relationship, and I only want a newsletter to stay informed on promotions, but never buy, consent is indeed required.”
Pat Walshe, data protection and privacy consultant, is concerned that companies are conflating the two laws to the detriment of users: “Some see the GDPR re-consent emails as a good thing in that they raised awareness of the GDPR. I think they are eroding privacy in that people see the GDPR as an annoyance and a burden. They may indeed suffer consent fatigue and ignore the really important email that affects their privacy more," he said. Do the emails need to be sent? In my view not because 'new data protection law/the GDPR requires it,' as many seem to be claiming. We need to split emailing marketing into two parts: The GDPR regards the processing of data to inform the sending of a marketing email, and the ePrivacy Directive regards the sending of the communication itself,” Walshe continued.
A company needs to have a legal basis under the GDPR for the first step, and then meet the ePrivacy Directive rules, which have regulated email marketing since 2002.
GDPR Recital 171 sets this out: “Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation, so as to allow the controller to continue such processing after the date of application of this Regulation.”
In its published advice, the European Commission also points to Recital 171. Recital 47 also references marketing in the context of legitimate interest.
In the U.K., the Information Commissioner’s Office recently published a myth-busting blog on re-consenting: “You do not need to automatically refresh all existing consents in preparation for the new law. But the GDPR sets the bar high for consent, so it’s important to check your processes and records to be sure existing consents meet the GDPR standard. If they do, there is no need to obtain fresh consent.”
The ICO also points out that in some cases “it may not be appropriate to seek fresh consent.” If companies are unsure how they collected the contact information in the first place, they may have no grounds for contacting the user at all.
“Contacting people who have opted-out of all communications in the past is illegal since those data should not have been part of a database anymore,” Breitbarth explained. “They are likely retained longer than strictly necessary, although there is an argument to be made to retain the opt-outs to avoid they get back into the mailing list when merging databases, or similar. In any case, using opt-outs now to ask again for consent is a no-go,” he said.
“If a company acquired personal data, it still needs to have grounds to process it,” Olejnik said. “In case of bulk mailing address lists, if there are no grounds for processing, consent may be the simplest one. Users may then reply asking how the company has got their private data in the first place. So companies need to carefully consider their actions to avoid any potential reputation crisis.”
So in the vast majority of cases, those emails cluttering up inboxes are unnecessary, unless the company is using them as a fig leaf to paper over cracks in previous lack of compliance, something some users might start to notice.
If you want to comment on this post, you need to login.