News & views

Getting people to say yes – the issue of Consent

Modern communication technology

In April 2016, Baroness Neville-Rolfe addressed a conference in London with the following remarks:

“Data… represents people. Individuals with personal lives, reputations and livelihoods increasingly enmeshed with the technology we rely on through the data they share.”

Changing mindsets to recognise data as ‘people’ rather than ‘units of information’ is fundamental to the expansion of the scope of Data Protection legislation, i.e. once you begin to think of it as People Protection legislation then the concept of Consent gains more credibility.

The GDPR defines consent as:

“Consent of the Data Subject means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her”

Let’s unpick this statement:

Freely given, specific and informed were all standards in the 1998 DPA legislation, so no change there. GDPR adds the word unambiguous – i.e. you can no longer get away with a cleverly worded, but slightly confusing statement to get someone to give you consent.  The language you use must be clear and plain.

A clear affirmative statement is also a new addition. Up until now, many marketing led organisations have relied upon inactivity to gain consent, i.e. by pre-ticking opt-in boxes. This is no longer permitted.

Similarly, you can no longer bury your marketing consent permissions within the body of lengthy terms and conditions or privacy policies. On this latter point, we have seen some new text for marketing consent where it has been renamed as a Contact Promise, this is a much more understandable, and customer friendly, label.

The key rules you need to follow when gaining consent are:

  • You must ask for it at the same time as you ask for the Personal Data it applies to.
  • The way you ask for Consent needs to be clear using simple to understand language.

What about my existing data?

At the moment the ICO have made it clear that the legislation will be applied retrospectively, i.e. any data which is not GDPR compliant on 25th May 2018 cannot be used for marketing purposes.  This is causing considerable angst among the B2B marketing community because a significant proportion of existing permissions will have been collected using pre-ticked boxes making them invalid. Named corporate B2B data, i.e. an email address is Personal Data and will have to be processed under GDPR, i.e. it will need to be an ‘opt-in’.

However, there is no need to panic as there is a choice for B2B marketers who can decide whether they are going to use Consent or Legitimate Interests for sending out marketing communications, including emails, and we will be covering this in a future newsletter.