I had a recent experience where one firm didn’t ask for my consent and tried to nudge me into doing something that I was firmly opposed to.
In today’s article I’d like to highlight the conditions for valid consent.
GDPR: how to collect valid consent?
There are 5 conditions to fulfil for consent to be valid:
- The customer’s act must be clear and affirmative
Forget about policies that a customer implicitly accepts by continuing to use your website. This doesn’t work anymore! The customer must take an explicit action like clicking on a button or ticking a box.
- The customer must be informed
You, as a company, have the duty to inform the customer at least about who the data processor is, the purpose of the data processing and the possibility to withdraw consent.
- The information given to the customer should be unambiguous
Leave no room for interpretation. Explain clearly what you’ll do with the data.
- The consent must be specific to a data treatment
You can’t ask for a general consent. You must be specific and, if needed, collect several consents for the different data collected and the underlying data treatments.
- The consent should be freely given
If the subject doesn’t want to give you access to his/her data, you shouldn’t restrict access to the service unless the data collection is really necessary to provide it.
What should I do if I haven’t collected consent before?
My advice, if you collected data (for instance emails) and used it without prior consent, is to start from scratch again or to ask the data subjects to specifically give their consent for further use.
Let’s take a concrete example. You have collected thousands of email addresses over the years to build a mailing list. You used for instance the email addresses from your LinkedIn connections or (worse) scraped these email addresses from the internet.
Should I stop sending my wonderful newsletter to my LinkedIn connections?
If you keep sending your newsletter after May 25th 2018, you may end up in trouble. Providing a link to unsubscribe is not sufficient. You must be able to prove that you collected the subjects’ consent prior to sending them your amazing newsletters. Among those people who got your newsletter without asking for it, at least one of them will be pissed off and will make use of GDPR to put you in trouble.
I’ve seen “GDPR experts” on LinkedIn sending unwanted newsletters to acquaintances.
What about B2B relationships?
There is a debate about using “legitimate interest” as an excuse to not ask for prior consent. I think this debate doesn’t make sense from a customer viewpoint. This is a technical discussion between lawyers and I strongly advise firms not to count on that to send unwanted correspondence. Even if it becomes legal or tolerated, it doesn’t mean that customers will accept it.
Let me give you a concrete example. I’m involved in a number of companies and as a consequence my address has been published in national business registries several times. This is a legal requirement in most countries. I’ve received for years unwanted direct marketing correspondence from firms that scraped my information from legal documents published on the web. I gave my consent to the State to publish that data (that’s the law). But I never gave any permission to those firms (selling office supplies) to spam me. I never complained to them but they pollute my mailbox and I will obviously never buy something from them.
Getting consent is more important than ever. Whether or not there may be a legitimate interest for direct marketing doesn’t matter. It’s the customer’s perspective that counts. If the customer isn’t happy with your data treatment practices he may quit. Customers don’t complain (only a tiny fraction do). Most of them just quit. Keep this in mind because data protection is becoming a new antecedent of customer satisfaction.