If, however, you are instead relying on legitimate interests to process personal data (checking always that the ePrivacy Directive does not require consent), then you do not need opt-in, but you must offer an opt-out.
Consent is just one of the six lawful grounds for processing, so do ensure that consent is actually required or is the most appropriate grounds for processing before you obtain it. You will be unable to change the grounds for processing at a later date without a very good reason, and it is almost never possible to swap to a different ground if you initially relied upon consent.
Opt-in particulars
The General Data Protection Regulation (GDPR) standard of consent requires the data subject to perform an affirmative act to indicate their consent. This means that the data subject must choose to take a clear action, such as ticking a box, to indicate consent. You cannot obtain consent using pre-ticked opt-in boxes, opt-out boxes or other default settings that are pre-set to opt-in.

Recital 32 of the GDPR states:
“Consent should be given by a clear affirmative act . . . such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an Internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes, or inactivity should not therefore constitute consent.”

This means that tick boxes are not the only way to obtain consent — you could, for example, collect consent through an oral statement such as someone saying “Yes, I agree.” However, it may then be difficult for you to prove you had consent at a later date.
Similarly, you do not always need to use opt-in wording. If it is obvious that people are consenting, then opt-in wording is not necessary. For example, if a website provides a box for data subjects to enter their email address to receive newsletter updates, with a button underneath saying “Subscribe” or “Sign-up,” then the act of entering an email address and clicking the button will suffice as the affirmative act. You do not also need to add opt-in wording saying “I consent to processing of my email address in order to send me newsletter updates” in this case.
In the following figure, the user clearly knows that entering an email address and clicking Sign Up means consenting to being sent a daily email. You should also include a link to your Privacy Notice at the point that people enter their email address or other personal data.
If, however, you are proposing to use the personal data for more than one purpose, such as sending a free report and then sending further follow up marketing emails or sharing the personal data with other organizations, then you should use opt-in wording and a tick box to enable the granular consent that is required by the GDPR.
Opt-ins for lead magnets
I am often asked about what opt-ins are required for lead magnets and follow-up marketing emails. Lead magnets are typically free pieces of valuable content, such as a special report or a training series, that online marketers advertise in order to obtain the name and email address of people who are interested in the particular subject matter covered by the free content.

The online marketer emails the free lead magnet to the person who has signed up, but they also want to send that person follow-up marketing about a related product or service.
My view is that in order to send the lead magnet, you do not need opt-in wording or a tick box for consent if it is clear what the person is signing up for (in the same way that it is clear that a person is signing up for the daily email). So, if, for example, my ad says “sign up for my free GDPR Checklist” and there is a box to provide the email address, I would not need a further tick box for people to signify their consent for their personal data to be processed in order for me to send them the GDPR Checklist. I would, however, need to link to my privacy notice with words such as “to see how we use your personal data, click here to read our privacy notice.”
If, however, I wanted to send follow-up marketing emails to those people who had signed up for the GDPR Checklist, I would require consent to send such emails to individual subscribers and would therefore need to add a tick box for people to provide their consent to receive the further marketing emails.
The reason I would require consent to the follow-up marketing emails is because my organization is established in the European Union (EU) and therefore the ePrivacy Directive applies to me — this law (which is separate to, but sits alongside, the GDPR) requires prior consent for sending marketing emails to individual subscribers. As a result of the ePrivacy Directive requiring consent, the GDPR also requires consent. Hence, the tick box is required to obtain that consent.
If, however, your organization is established outside of the EU, the ePrivacy Directive does not apply and you may seek to rely on legitimate interests as a ground for processing the personal data for the follow-up emails. You would need to complete a Legitimate Interests Assessment form, keep it on file and provide the right to opt out.
Note that the ePrivacy Directive is soon to be amended to expand the territorial scope to match that of the GDPR, so that if the GDPR applies to you, the ePrivacy Directive will as well.
Instead of advertising the free lead magnet, you may choose to advertise the follow-up marketing (such as the newsletter that includes details of special offers) and, as a thank you for signing up, provide people with the free content. It is possible to incentivize the opt-in, though not to the point where people are penalized for not opting in, such as by differential pricing or refusing to provide a service.
When to use opt-out wording
Opt-out wording is a message to data subjects explaining that they must take action — such as ticking a box — to object to their data being used in a certain way, such as objecting to their email address being used to send marketing emails. You should use opt-out wording (rather than opt-in wording) if you’re proposing to process personal data under the lawful grounds of legitimate interests, as opposed to consent.

As an example, if you are established outside of the EU and therefore the ePrivacy Directive does not currently apply to you, you can use the legitimate-interests grounds for processing to send existing customers emails about similar products or services. In this case, you may use opt-out wording and ask people to tick the box if they want to opt out of receiving future emails.
You should advise the person signing up of their right to object to the processing at any time, so that if they don’t want to opt out immediately, they can do so at any time in the future — for example, by adding the following words underneath your opt-out wording: “you may unsubscribe at any time by clicking the link at the bottom of our emails.”
If you are established in the EU, you need to consider the application of the ePrivacy Directive and the soft opt-in.
The following figure shows an example of opt-out wording for marketing communications that’s used whenever a new customer is providing personal data for a holiday they have just purchased. If this organization is relying on legitimate interests as lawful grounds for processing the personal data (and, if established in the EU, the soft opt-in applies), this opt-out wording is compliant.
The ePrivacy Directive and the soft opt-in
The ePrivacy Directive is a separate law to the GDPR and it has additional rules that apply on top of those set out in the GDPR. Specifically, it covers unsolicited electronic marketing, use of cookies, and confidentiality of electronic communications.

The ePrivacy Directive was implemented into each member state’s law with certain variations. In the United Kingdom (UK), it was implemented as the Privacy and Electronic Communications Regulations (PECR).
The PECR requires consent for unsolicited marketing by email, fax, or text to individual subscribers. An individual subscriber is a natural person as opposed to a corporate subscriber which is a separate legal entity (such as a limited company, LLP, Scottish partnership, or a government body).
You may send unsolicited direct marketing emails and texts to corporate subscribers without consent. Note that corporate subscribers do not include businesses that trade as sole traders or partnerships.
Consent is required for unsolicited marketing by email, fax, or text to individual subscribers. If consent is required under PECR then, even if you think you have other potential grounds for processing under the GDPR, your lawful grounds under the GDPR should also be consent. In these cases, you will therefore need to use opt-in wording to obtain that consent, rather than relying on opt-out wording.
However, there is one instance when such consent is not required and this is known as the “soft opt-in” rule. In this case, you can instead rely on opt-out.
The soft opt-in rule applies where:
- You have obtained the data subject's contact details in the course of the sale or negotiations for the sale of a product or service to that data subject.
- The email marketing you send relates to similar products and services only.
- The data subject is given the option to opt out at the time that their contact details are collected, and in each subsequent communication.
Explicit-consent opt-in wording
If you are relying on explicit consent when processing special-category data, you need to consider your opt-in wording even more carefully.

The main difference between normal consent and explicit consent is that explicit consent wording must contain an express statement of consent. Put another way, you should explicitly use the word “consent,” rather than assume consent is obvious from the context (unlike the example of the “Subscribe” or “Sign-up” button above, these would not be sufficient for explicit consent). This means that, unlike normal consent, you cannot infer consent from a data subject’s actions, even if those actions make it apparent that the data subject is consenting.
Explicit consent opt-in wording needs to state expressly those elements of the processing that require explicit consent, such as the fact that automated decision-making is being used or that special category data (such as health data) will be processed for clearly specified purposes.
An electronic signature would be equally as compliant as a hand written signature.
If, for example, you were running a health spa and collecting personal data about health matters in case a user needs urgent medical treatment or to check that they are not allergic to any of the health treatments they will take, you would require explicit consent and would need to state the element of processing that requires the explicit consent. Your opt-in wording would therefore need to look something like the example shown.

The explicit element of the opt-in wording should be separate from any other consent you’re seeking, so in the example here, you would not be able to have one signature to consent both to the processing of the health data and to direct marketing. The processing for sending direct marketing from related third parties would require further opt-in wording and tick boxes, as shown here:
If you are proposing to share personal data with third parties and those third parties need consent for their processing (for example, they plan on sending direct marketing emails to the data subjects), those third parties should be specifically named in the consent, as they are in the preceding figure.
Consent isn’t valid if you ask data subjects to agree to receive direct marketing from “carefully selected partners” or another, similar generic description. Nor is consent valid where data subjects are provided with a long list of general categories of organizations.
Opt-outs and suppression lists
The GDPR provides in Article 13 that you, as a data controller, must notify data subjects about their right to withdraw consent (where consent is the lawful grounds for processing) and to object to the processing (where legitimate interest is the lawful grounds for processing). This notification is typically included within the Privacy Notice.

In addition, Recital 70 states:
“Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it’s related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge. That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.”

This means that the right to object (or, as it’s more commonly referred to, the right to opt out) should be set out at the point where you obtain the data subject’s details. You cannot merely include it within your Privacy Notice or your terms and conditions, where it would be easier to miss. In practice, you could do something similar to what you see here.
Here are a few other points to keep in mind regarding opt-outs:
- You must allow the data subject to opt out from all marketing activities. This includes postal marketing, email marketing, text marketing and any other marketing you send.
- You must comply with the request to opt out as soon as possible and without charge to the data subject. You cannot, for example, insist on a data subject calling a premium-rate phone number to opt out. Incidental costs, such as the cost of an Internet provider to send an email, aren’t considered as charging for the opt-out.
- If a data subject chooses to opt out, you should add the data subject to a data suppression list. Do this rather than delete all of the data subject’s details, in order to ensure that if the data subject ends up on your marketing list again, you know not to email them. This suppression list is typically provided and facilitated by your email marketing software.
A suppression list is a list of personal data about data subjects who have opted out of marketing where, rather than deleting the data subject’s personal data entirely, you retain just enough information to ensure that their preferences are adhered to in the future.
- If a data subject opts out from receiving direct marketing messages, you must not email them any direct marketing messages or ask them by email to opt in. Numerous large fines have been levied on data controllers who have sent direct marketing emails to data subjects who have previously opted out. (One example, among many, is EE Limited, a UK telecommunications provider that was fined £100,000 — approximately $122,000 USD — for sending promotional email messages to customers who had previously opted out of marketing communications.)
- If a data subject has opted out in a national list of preferences for direct marketing (held by some EU member states), don’t send direct marketing messages to that data subject. Screen these lists and cleanse your own lists of the data subjects who have opted out, before sending direct marketing communications.
If you have a specific opt-in from a data subject, it takes priority over their having opted out on a national list of preferences.
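To show how a suppression list can retain "just enough information" to honour an opt-out, and how the precedence rules above combine (an opt-out always suppresses; a national preference list suppresses unless there is a specific opt-in), here is an added example written for this page, not code from the original text or from any email marketing product. It stores only a keyed SHA-256 hash of each normalized address rather than the address itself; the key, the addresses and the national-list contents are all constructed sample values.

```python
import hashlib
import hmac
from typing import Iterable, List, Tuple

# Constructed key for the keyed hash; in practice load it from a secrets store.
PEPPER = b"example-suppression-key"


def normalize_email(address: str) -> str:
    """Canonicalize so 'Alice@Example.COM ' and 'alice@example.com' match."""
    return address.strip().lower()


def pseudonymize(address: str) -> str:
    """Keyed hash of the normalized address: enough to recognise the data
    subject again, not enough to reconstruct or reuse the address."""
    digest = hmac.new(PEPPER, normalize_email(address).encode(), hashlib.sha256)
    return digest.hexdigest()


class MarketingScreen:
    """Holds the suppression list plus the two other preference sources."""

    def __init__(self) -> None:
        self.suppression = set()       # data subjects who opted out (hashes only)
        self.national_optouts = set()  # screened from a national preference list
        self.specific_optins = set()   # opt-ins given directly to this controller

    def record_optout(self, address: str) -> None:
        self.suppression.add(pseudonymize(address))  # raw address is not kept

    def record_specific_optin(self, address: str) -> None:
        self.specific_optins.add(pseudonymize(address))

    def load_national_list(self, addresses: Iterable[str]) -> None:
        self.national_optouts.update(pseudonymize(a) for a in addresses)

    def decision(self, address: str) -> Tuple[bool, str]:
        """Return (may_send, reason) applying the precedence rules."""
        h = pseudonymize(address)
        if h in self.suppression:
            return False, "opted out: do not send, and do not ask to opt in"
        if h in self.national_optouts and h not in self.specific_optins:
            return False, "on national preference list without a specific opt-in"
        if h in self.national_optouts:
            return True, "specific opt-in takes priority over the national list"
        return True, "no objection on record"

    def screen(self, addresses: Iterable[str]) -> List[str]:
        """Cleanse a send list before a campaign goes out."""
        return [a for a in addresses if self.decision(a)[0]]
```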