The impact of the General Data Protection Regulation (GDPR) and additional European county laws requiring active consent prior to sending marketing-oriented electronic communication is currently top of mind for many marketers. With respect to prospects and customers, I am often asked about the legality of a company requiring that a visitor provide his or her consent to receive marketing emails in return for the provision of gated, value-added marketing content (e.g. whitepapers, webinars). Leaving the discussions about brand damage or development aside for the moment, I’d like to describe why requiring an opt-in is legally permissible.
The issues at hand are the definition of consent under GDPR and the current national and soon-to-be-amended electronic privacy laws, along with the definition of a service.
Under GDPR, the definition of consent requires that the data subject must offer “a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her.” Of course, the ability to send marketing communication is covered by existing national laws written as a result of the longstanding ePrivacy directives dating back to the early 2000s. When the new ePrivacy regulation becomes law, it will harmonize the relevant legislation across all 28 sovereign countries of the EU (currently including the UK), and – for all intents and purposes – the EEA and EFTA countries. It will also align with the GDPR.
Let’s look at the elements of compliant consent in more detail:
A clear affirmative act. With originally unticked/unchecked boxes provided on a form, the data subject is required to provide positive action to indicate the affirmative act.
Freely given. Your company must not require the data subject to provide consent to marketing communication as a prerequisite for the delivery of its service. Your company must not exert or possess an unfair position over the data subject, such as in the case of an employer/employee relationship or if the information you are providing in the asset is required to allow use of the service/solution you offer.
Specific. Requesting consent to send marketing communication is specific – though what can be classified as marketing communication can be quite broad. A preference center can offer the data subject more specificity.
Unambiguous. Having gone this far, it’s pretty clear to the data subject what he or she is signing up for. One last step, however, would be to make sure that the opt-in is being undertaken by the person in question. To this end, practices such as the confirmed (double) opt-in have developed. This threshold of proof is required to ensure that no robots, other human beings or other Web devices can maliciously enter a person’s email address.
The relevant point in the discussion is whether the consent may be said to be freely given if a company is demanding an opt-in in return for a marketing asset. Companies may not withhold a service if consent to marketing is not given. I and many others would argue that your company is most likely not in the business of producing and selling white papers or delivering webinars. Your services, solutions and products for which payment is demanded do not require the delivery of these assets. Thus, these assets are unrelated to your contractual relationship with your customers. The data subject can freely choose to download the asset or not, and can decide whether the cost and read opt-in is a fair exchange. In any event, the ability to unsubscribe immediately after downloading the asset always remains.
Keep In mind that have provided here an explanation of the thinking of the many companies I speak to on this topic from a permission perspective. Neither SiriusDecisions nor I are willing or able to offer legal advice, and any final decision that your company takes in this regard must be done in consultation with legal counsel. As always, I am open to being shown inaccuracies in this approach or the error of the logic outlined above.