Consent is only one of several General Data Protection Regulation. The others — fulfilling a contract and legitimate interest being the most popular — are often preferred to can be withdrawn by the data subject at any time.

Nonetheless, sometimes consent is the most appropriate — or only — basis for personal data processing. For example, although GDPR Recital 47 explicitly states that direct marketing may be based on legitimate interest, the ePrivacy Directive and the member state law implementing it (such as the U.K.’s pre-ticked boxes.”

Consent for email marketing — Success!

The IAPP, like many organizations, invites new customers and members to enjoy some of our content or other products for free to sample the goods. Ideally, the potential new customer or member enjoys the experience and decides to return for more.

To help this person in their decision, the IAPP might send them an email. But do we have their consent to do so? Under Top Ten Operational Impacts of the GDPR.” They complete a form that requires inputting their email (to fulfill the order). Although under U.K. law it might be allowable to rely on “blogged about with our IT director in early August. The IAPP took a very conservative — that is to say, very privacy friendly — view of cookie consent, putting all marketing and analytics cookies in the “non-essential” category and setting them not to drop until a visitor agrees (opts in) to receive them. We admittedly encourage our website visitors to agree by making the “Accept” button green and attractive, but we also transparently offer information about the cookies that will be set and keep our word not to set them unless the visitor opts in.

This, by the way, is what I consider to be the correct interpretation of the GDPR’s consent requirements. Not all attorneys advise their clients this way, of course, but when I asked Fieldfisher’s Phil Lee, he kindly shared the following with me:

[quote]I think it's pretty clear that the regulatory view these days is that consent has to be opt-in to meet the requirement that consent be "affirmative" – and you have to get that consent before any cookies (excepting strictly necessary cookies) are dropped.

There are still many sites, however, that will work on an implied or navigational consent model, arguing that clicking on a link on the site will amount to an affirmative action, provided it has been clearly communicated to the data subject in a cookie banner that doing so will be taken to infer their consent to cookies (and they have not chosen to opt out).

Strictly speaking … preferences and statistics cookies are not "strictly necessary" cookies, and so if doing things properly the visitor should be asked to opt in to them (they should not be pre-ticked — especially post-Google!).

However, what typically happens with many [cookie management tool] providers is that they provide the tool, but allow it to be configured by their customer, the website — since many websites will have strong views about what "type" of consent they want to give, or whether they want to treat (for example) analytics cookies as strictly necessary (even though, strictly speaking, they're not) and drop them without consent.[/quote]

What are the results of our cookie consent program, which is consistent with Phil Lee’s point of view?

Well, let’s just say privacy professionals don’t like cookies. The current rate of full cookie acceptance is just 34 percent. This has, predictably, “done a number” on our website traffic analytics. That’s the price of privacy.
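As an added illustration (not the IAPP's code or any cookie tool's), here is a minimal opt-in gate of the kind described above: only strictly necessary cookies are set until the visitor affirmatively agrees, and withdrawal removes what was set. The class name, category labels and cookie names are hypothetical, and a Map stands in for the browser cookie jar so the sketch runs under Node.

```javascript
// Added illustration; class, category and cookie names are hypothetical.
const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];

class ConsentGate {
  // jar needs set(name, value) and delete(name). In a browser it would wrap
  // document.cookie; a Map stands in here so the example runs offline.
  constructor(jar) {
    this.jar = jar;
    this.granted = new Set(["necessary"]); // opt-in: nothing else pre-ticked
    this.pending = [];                     // requests held until consent
    this.owner = new Map();                // cookie name -> category
  }
  check(category) {
    if (!CATEGORIES.includes(category)) throw new Error("unknown category: " + category);
  }
  // Returns true if the cookie was set, false if it was held back.
  setCookie(name, value, category) {
    this.check(category);
    if (!this.granted.has(category)) {
      this.pending.push({ name, value, category });
      return false;
    }
    this.jar.set(name, value);
    this.owner.set(name, category);
    return true;
  }
  // Call only from an explicit visitor action such as clicking "Accept";
  // page navigation alone never reaches this method.
  optIn(categories) {
    categories.forEach((c) => { this.check(c); this.granted.add(c); });
    const held = this.pending;
    this.pending = [];
    held.forEach((c) => this.setCookie(c.name, c.value, c.category));
  }
  // Withdrawal revokes the category and removes cookies already set under it.
  withdraw(category) {
    this.check(category);
    if (category === "necessary") return;
    this.granted.delete(category);
    this.pending = this.pending.filter((c) => c.category !== category);
    for (const [name, cat] of this.owner) {
      if (cat === category) { this.jar.delete(name); this.owner.delete(name); }
    }
  }
}
```

A site that treats analytics as strictly necessary would be passing "necessary" as the category for those cookies, which is the configuration choice the quote above warns about.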

Conclusion

Opt-in consent can be a hard sell with marketing. It is likely to reduce the value of many lead-generation campaigns. That said, when customers are given a clear choice and they affirmatively agree to hear from you again, it’s a much stronger lead, a much happier potential customer. If they opt out, then perhaps it is time to come up with new ways to get their attention.

Regarding cookies and analytics, it may be time to find other ways to evaluate how customers interact with a site. Some