
DPO Confessional | How opt-in consent really works




Consent is only one of several lawful bases for data processing available under the EU General Data Protection Regulation. The others — fulfilling a contract and legitimate interest being the most popular — are often preferred to consent because consent can be withdrawn by the data subject at any time.

Nonetheless, sometimes consent is the most appropriate — or only — basis for personal data processing. For example, although GDPR Recital 47 explicitly states that direct marketing may be based on legitimate interest, the ePrivacy Directive and the member state law implementing it (such as the U.K.’s Privacy and Electronic Communication Regulations) generally mandate the use of consent for email marketing and cookies.

The GDPR requires consent to be opt-in. It defines consent as “freely given, specific, informed and unambiguous” given by a “clear affirmative action.” It is not acceptable to assign consent through the data subject’s silence or by supplying “pre-ticked boxes.”

Consent for email marketing — Success!

The IAPP, like many organizations, invites new customers and members to enjoy some of our content or other products for free to sample the goods. Ideally, the potential new customer or member enjoys the experience and decides to return for more.

To help this person in their decision, the IAPP might send them an email. But do we have their consent to do so? Under U.S. and Canadian email marketing laws, the IAPP does not always need opt-in consent, although it must always allow the customer to unsubscribe or opt out of future messages. Given the GDPR’s opt-in standards, the IAPP decided — along with many other companies globally — to convert to an opt-in standard for receiving email messages about IAPP news and events and to apply this to everyone globally.

Here is how it works. A potential new member is offered the opportunity to receive a free study guide for an IAPP certification or perhaps a copy of the “Top Ten Operational Impacts of the GDPR.” They complete a form that requires inputting their email (to fulfill the order). Although under U.K. law it might be allowable to rely on “soft opt-in” to send a follow-up email for related goods or services, the IAPP now gives potential customers a choice: “Yes, I’d like to receive news and updates from the IAPP” or “No, I do not want to receive such messages from the IAPP.” These choices are recorded in our customer records management system. They can be changed from “yes” to “no” (or vice versa) — by the customer’s actions — at any time.

This system, implemented June 1, 2018, has yielded the following results: Prior to that date, the IAPP’s consent records showed that approximately 82 percent of customers in our database were subscribed to receiving marketing communications — either through a soft opt-in or through another lawful basis to receive marketing communication. After implementing our opt-in system, 69 percent of our customers are recorded as subscribed. These numbers hold true among EU-, as well as U.S.-based, customers.

Yes, the number of consenting “leads” went down — but only by about 10 percent!

When nearly seven out of every 10 potential leads affirmatively agree to receive your follow-on marketing communications, after being given a clear choice to receive or not to receive them, we call this an incredibly positive result. It taught us not to fear opt-in consent, especially if you can stand by the quality of your products and services and your respect for data subjects’ rights.

Consent for cookies — Meh.

Following our marketing opt-in campaign, we tackled cookies. This was a harder task, which I blogged about with our IT director in early August. The IAPP took a very conservative — that is to say, very privacy-friendly — view of cookie consent, putting all marketing and analytics cookies in the “non-essential” category and setting them not to drop until a visitor agrees (opts in) to receive them. We admittedly encourage our website visitors to agree by making the “Accept” button green and attractive, but we also transparently offer information about the cookies that will be set and keep our word not to set them unless the visitor opts in.

This, by the way, is what I consider to be the correct interpretation of the GDPR’s consent requirements. Not all attorneys advise their clients this way, of course, but when I asked Fieldfisher’s Phil Lee, he kindly shared the following with me:

I think it's pretty clear that the regulatory view these days is that consent has to be opt-in to meet the requirement that consent be "affirmative" – and you have to get that consent before any cookies (excepting strictly necessary cookies) are dropped.

There are still many sites, however, that will work on an implied or navigational consent model, arguing that clicking on a link on the site will amount to an affirmative action, provided it has been clearly communicated to the data subject in a cookie banner that doing so will be taken to infer their consent to cookies (and they have not chosen to opt out).

Strictly speaking … preferences and statistics cookies are not "strictly necessary" cookies, and so if doing things properly the visitor should be asked to opt in to them (they should not be pre-ticked — especially post-Google!).

However, what typically happens with many [cookie management tool] providers is that they provide the tool, but allow it to be configured by their customer, the website — since many websites will have strong views about what "type" of consent they want to give, or whether they want to treat (for example) analytics cookies as strictly necessary (even though, strictly speaking, they're not) and drop them without consent.

What are the results of our cookie consent program, which is consistent with Phil Lee’s point of view?

Well, let’s just say privacy professionals don’t like cookies. The current rate of full cookie acceptance is just 34 percent. This has, predictably, “done a number” on our website traffic analytics. That’s the price of privacy.


Opt-in consent can be a hard sell with marketing. It is likely to reduce the value of many lead-generation campaigns. That said, when customers are given a clear choice and they affirmatively agree to hear from you again, it’s a much stronger lead, a much happier potential customer. If they opt out, then perhaps it is time to come up with new ways to get their attention.

Regarding cookies and analytics, it may be time to find other ways to evaluate how customers interact with a site. Some options (no endorsement intended!) allow website owners to host their own data, anonymized, rather than involve third parties. Perhaps more such options will become the norm.

