GDPR: Dramatic Change in Permission Requirements

By Ken Magill

The EU’s General Data Protection Regulation goes into force in May and will be a permission
game changer for many organizations that serve Europeans.

It requires, among other things, explicit, provable permission from individuals to use their
personally identifiable information to send direct-marketing campaigns to them. The GDPR also
requires clear unambiguous explanations as to what the information will be used for, and the
collection of no more data than is necessary to execute the campaigns for which permission has
been granted.

From the text of the regulation:

Consent should be given by a clear affirmative act establishing a freely given, specific,
informed and unambiguous indication of the data agreement to the processing of
personal data relating to him or her, such as by a written statement, including by electronic
means, or an oral statement. This could include:


  • ticking a box when visiting an internet website


  • choosing technical settings for information society services or another statement or conduct
    which clearly indicates in this context the data acceptance of the proposed processing of
    his or her personal data


  • silence, pre-ticked boxes or inactivity should not therefore constitute consent


Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.”

The GDPR also requires additional explicit permission to use European consumers’ information
to send any direct-marketing that falls outside the scope of the original consent. It also allows
consumers to revoke consent at any time and “the right to be forgotten,” or the right to erase their

The law also requires marketers—referred to as “controllers”—to be able to prove consent:

“Where processing is based on the data consent, the controller should be able to
demonstrate that the data subject has given consent to the processing operation. … [A]
declaration of consent pre-formulated by the controller should be provided in an intelligible and
easily accessible form, using clear and plain language and it should not contain unfair terms. For
consent to be informed, the data subject should be aware at least of the identity of the controller
and the purposes of the processing for which the personal data are intended.”

Does this mean email marketers will have to re-permission their house files?

Not necessarily.

It depends on how explicit and transparent the permission process was in building the file.
“GDPR is very specific,” said J. Trevor Hughes, president and CEO of the International
Association of Privacy Professionals. “You can’t capture consent for a very broad purpose and
interpret it broadly. The other thing that is pretty clear under GDPR that you can’t do is condition
access to a service on consent.”

There may be some marketers who send messages only to their own list who look at their
permission practices and decide they’re already in compliance with GDPR, said Hughes. Others
may have to re-permission their files.

“It depends,” Hughes said. “So many of these things are going to be on a case-by- case basis. The
expectation, though, is that specific consent means specific to the thing that you’re doing. You
should start from the point that if you’re doing something new, you need something new.”
One positive aspect of the GDPR’s requirement that marketers only collect the data they need is
that they will theoretically present less of a target to hackers.

“If you don’t have it they can’t hack it,” said Hughes. “That’s a pretty healthy hygiene idea that
the GDPR puts forward but so do good database architects:

If you don’t need it, don’t collect it in the first place.”

By | 2019-06-20T17:42:14+00:00 February 22nd, 2018|0 Comments

About the Author:

Leave A Comment