Kafka strikes again: GDPR requires consent, but you can’t ask for it

UPDATED 22nd of May 2018

This post has been getting a lot of traffic recently. I wrote it more than a year ago. Since then I’ve been working almost exclusively on GDPR implementation for clients and my understanding of the regulation has deepened. I’m going to leave the post as it was originally written below, but here’s an improved version of the key points:

  1. GDPR does not necessarily require consent for data processing. Consent (Article 6.1a) is ONE of SIX grounds for processing. Most marketing and fundraising data processing can be justified under Article 6.1f – the legitimate interest of the processing organisation. And lots of other processing is either to do with a contract or other agreement you have with the data subject (6.1b), or it’s required by law (6.1c).
  2. Sending emails and texts for marketing and fundraising DOES require consent, but that’s because of the 15-year-old Privacy and Electronic Communications Regulation 2003 (PECR) and hasn’t changed because of GDPR.
  3. If you don’t have a valid PECR consent you CAN’T email now and ask for one – that part of the original post is entirely correct. 
  4. What you should do is update your privacy policy to tell people exactly what you’re doing with their data, why you’re doing it, how long you’re going to keep it, how you’re going to keep it safe and what their rights are.
  5. Then you need to tell them about your new privacy policy.
  6. And then you need to stick to that policy and do only, and exactly, what you say you’re going to do.

The point is that asking for consent now just highlights that the emails you’ve been sending for the last 15 years, including the one asking for consent, were illegal. That would be bad (see below). 

Here’s the original post from May 12th 2017 unedited:

I’ve let this one fester for a while – partly because I’ve been angry about other things, and partly because you must be bored with my ranting about the GDPR by now. But I really can’t let this one pass.

A key principle – perhaps the key principle – of the GDPR is the requirement for explicit consent. You can only use personal data for the specific purposes to which the user has consented. Many companies have realised that this means their existing marketing databases will be useless come May 2018, so they’ve taken the apparently logical step of writing to their customers and prospects to ask them whether they consent to receiving marketing communications.

Which would be fine. Except that first of all (even under existing law) they have to prove that the customer has already consented to receive marketing communications. Because an email asking for consent to receive marketing is itself… a marketing email. So if they’ve already explicitly opted out of marcoms, or they haven’t specifically opted in to emails asking them to opt in, you can’t write to them.

No. I’m not making this up.

Here’s the ICO fining Flybe £70,000.

Here they are fining Honda £13,000.

Flybe were evidently sailing (flying?) pretty close to the wind – if I’ve opted out of marketing emails, it seems likely that an email asking me to opt-in with the lure of a prize draw will have something of the lead balloon about it.

The Honda case is more interesting. Essentially they claimed that their email wasn’t marketing but customer service, and the ICO disagreed. Also interestingly, Honda dealers are separate corporate entities and Honda relies on a mandated policy template to cover the transfer of data from dealers; it looks as though their implementation of that policy was poor and this wasn’t picked up.

So, in summary, if you can’t absolutely, positively prove that someone has consented to receive marketing communications, you can’t send them a GDPR arse-covering consent request. And if you absolutely, positively can prove it, you probably don’t need to send them a GDPR arse-covering consent request.

So for all those customers and prospects where you currently have vague – or no – consent data, you’re going to have to think again. The advertising and social media folks must be hopping up and down with glee. I love the irony of a data protection regulation that arose in no small part as a response to fears about Facebook being likely to become a major driver of Facebook ad revenue in its implementation year.
