The ULTIMATE GDPR Double opt in guide

Double Opt-in Explained
Single vs Double opt in


Let’s start from the beginning…GDPR does not need to be complicated. I said it. It’s a blend of common sense and doing the right thing.

So why, 5 years on from the beginning of the GDPR era, is there so much confusion?

Well, it’s hard to say: misinformation, poor training, ambiguity in the text? Who knows, but we’re here to help.

This blog will help dispel some myths around double opt-in, and hopefully help you understand when to use it (because it can be good) and when you might consider not using it, all within the regulation.

To help – and to validate this blog, I’ve added a number of source links, so you can see for yourself.

Need more help with your GDPR compliance, just get in touch!

As I said at the start, the easiest way to tackle this subject is from the beginning, and explain the elements that bring us to consent and opt-ins, so let’s get into it.

Legal Basis for Processing

Depending on what you’re doing, there are 6 different legal bases for processing to choose from, in accordance with Article 6 of GDPR.

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

It’s always good to be sure, and there is often more than 1 legal basis for processing, depending on the activity. It is essential that you document your decision in line with Article 30 (Records of Processing Activities). This handy tool from the ICO can help you to define your legal basis for processing in just a couple of minutes.


Let’s dig further into email marketing specifically. If you want someone to sign up to your mailing list, so that you can freely contact them with offers, information and anything in between, you’re likely to want to obtain their consent.

What is consent?

The GDPR definition of consent, from Article 4(11), is: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

In English, you have to demonstrate that the individual has made a free choice to sign up to you – and let’s not forget, that you have also provided a mechanism for them to change their mind, and unsubscribe in accordance with their rights.

What are the rights of individuals under GDPR?

There are a number of rights that individuals have under GDPR. There’s a summary of each below.

Right to be Informed: Data subjects have the right to be informed about the collection, use, and purpose of their personal data by the data controller.

Right of Access: Data subjects can request access to their personal data and obtain information about how it is being processed.

Right to Rectification: Data subjects have the right to request the correction or updating of inaccurate or incomplete personal data.

Right to Erasure (Right to be Forgotten): Data subjects can request the deletion of their personal data under specific circumstances, such as when the data is no longer necessary for its original purpose or if the processing is based on consent and the consent is withdrawn.

Right to Restrict Processing: Data subjects can request the restriction of processing their personal data in certain situations, such as when the accuracy of the data is contested, or when the processing is unlawful.

Right to Data Portability: Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format and, in some cases, transmit it to another data controller.

Right to Object: Data subjects can object to the processing of their personal data, including for direct marketing purposes, based on their particular situation. The data controller must stop processing the data unless they have legitimate grounds to continue.

Rights Related to Automated Decision-Making: Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which significantly affects them, unless certain conditions are met.


You haven’t mentioned Consent?

I know – we’re coming to that now. It’s not stipulated under a data subject’s rights, but is covered under the specific consent guidance.

Article 7(3) says:

“The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.”

Basically, we’ll add it to the individual’s rights, as summarised below:

Right to Withdraw Consent: If the processing of personal data is based on consent, data subjects have the right to withdraw their consent at any time.

What does PECR (Privacy and Electronic Communications Regulations) say?

The rules on electronic mail marketing are in regulation 22. In short, you must not send electronic mail marketing to individuals, unless:

  • they have specifically consented to electronic mail from you; or
  • they are an existing customer who bought (or negotiated to buy) a similar product or service from you in the past, and you gave them a simple way to opt out both when you first collected their details and in every message you have sent.

You must not disguise or conceal your identity, and you must provide a valid contact address so they can opt out or unsubscribe.


What about double opt-in? Is this a requirement under GDPR?

In short – no. As with anything in life, there are pros and cons to double opt-in; it depends on what you’re doing. But the GDPR does not stipulate its use specifically.

Neither GDPR, PECR, nor the ICO guides really talk about double opt-in specifically, because it’s not a requirement. If it were a requirement, there would be detailed guidance available for it.

Straight from the horse’s mouth, the ICO states:

“You may want to compile your own in-house marketing list using details of people who have bought goods or services in the past, or who have registered on your website or made an enquiry. However, you should not assume that everyone is happy to receive marketing just because they have provided their contact details.

You should make it clear upfront that you intend to use their details for marketing purposes. The best way to get clear consent for your marketing is to provide opt-in boxes that specify the type of messages you plan to send (eg by email, by text, by phone, by fax, by recorded call).

You should record when and how you got consent, and what type of messages it covers. If possible, you should also record whether the customer is an individual or a company, as different rules apply. If this is not clear, assume they are an individual.”

The key is in being transparent (how you’re using the data) and in recording the consent.


Why would I consider Double opt in?

I don’t want to use double opt in – what should I do?

The best way is to make sure that there is no ambiguity in your sign-up process. By requiring a potential customer or client to tick the box, for example, you can easily demonstrate that the individual has freely given their consent.


Under GDPR there is no need to implement a double opt-in approach, and if you can already demonstrate that you don’t use pre-filled check boxes or other ambiguous means, double opt-in simply adds a step to the process and potentially denies your business a legitimate lead.

That said, there are sound arguments over better engagement and lower bounce rates that should be considered. If your goal is to build numbers, considering the single opt in makes sense.

There’s also nothing stopping you from offering something to incentivise the opt in, such as offering a guide (we’ve not covered this above – but just so you know!) This will help to mitigate bad addresses – if someone wants what you’re offering, they will put a legitimate email address in.

“The ICO’s view is that it may still be possible to incentivise consent to some extent. There will usually be some benefit to consenting to processing. For example, if joining the retailer’s loyalty scheme comes with access to money-off vouchers, there is clearly some incentive to consent to marketing. The fact that this benefit is unavailable to those who don’t sign up does not amount to a detriment for refusal. However, you must be careful not to cross the line and unfairly penalise those who refuse consent.”
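As an added illustration (this code is not from the blog or from eFocus Marketing, and nothing in the regulation prescribes it), here is a hypothetical Python consent ledger showing the evidence the ICO quote above asks you to keep (when and how consent was obtained, and which message types it covers) and the only mechanical difference between single and double opt-in: whether a signed confirmation link must be clicked before an address becomes mailable. The form field names, the `ConsentLedger` class, the `signing_key` and the HMAC-based confirmation token are all assumptions made for the example.

```python
import hmac
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class ConsentRecord:
    """One consent decision plus the evidence the ICO says to record:
    when and how consent was obtained and which message types it covers."""
    email: str
    channels: tuple              # message types consented to, e.g. ("email",)
    source: str                  # how it was obtained, e.g. "newsletter web form"
    notice_version: str          # which wording / privacy notice the person saw
    given_at: datetime
    confirmed_at: Optional[datetime] = None   # set only by double opt-in confirmation
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Hypothetical in-memory consent store; a real one would be durable and audited."""

    def __init__(self, double_opt_in: bool, signing_key: bytes):
        self.double_opt_in = double_opt_in
        self._key = signing_key          # secret used to sign confirmation links
        self.records = {}

    def capture(self, form: dict, source: str, notice_version: str,
                now: Optional[datetime] = None) -> ConsentRecord:
        """Record a sign-up. An HTML checkbox is only present in the submission
        when the user ticked it, so its presence is the 'clear affirmative action';
        the server never defaults it to on (no pre-filled boxes)."""
        if form.get("marketing_consent") != "on":
            raise ValueError("consent box was not ticked; do not add to the list")
        channels = tuple(form.get("channels", ()))
        if not channels:
            raise ValueError("consent must specify the message types it covers")
        email = form["email"].strip().lower()
        rec = ConsentRecord(email, channels, source, notice_version,
                            given_at=now or datetime.now(timezone.utc))
        self.records[email] = rec
        return rec

    def confirmation_token(self, email: str) -> str:
        """Token to embed in the double opt-in confirmation email. Binding it to
        the address and the capture timestamp means an old token cannot be
        reused for a later re-subscription of the same address."""
        rec = self.records[email]
        msg = f"{rec.email}|{rec.given_at.isoformat()}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def confirm(self, email: str, token: str,
                now: Optional[datetime] = None) -> bool:
        """Complete double opt-in: only someone who can read the mailbox
        can present a valid token."""
        if email not in self.records:
            return False
        expected = self.confirmation_token(email)
        if not hmac.compare_digest(expected, token):   # constant-time comparison
            return False
        self.records[email].confirmed_at = now or datetime.now(timezone.utc)
        return True

    def withdraw(self, email: str, now: Optional[datetime] = None) -> bool:
        """Article 7(3): withdrawal must be as easy as giving consent, and it
        does not erase the record of the earlier, lawful processing."""
        rec = self.records.get(email)
        if rec is None:
            return False
        rec.withdrawn_at = now or datetime.now(timezone.utc)
        return True

    def can_send(self, email: str, channel: str = "email") -> bool:
        """Single opt-in: mailable once captured. Double opt-in: once confirmed."""
        rec = self.records.get(email)
        if rec is None or rec.withdrawn_at is not None or channel not in rec.channels:
            return False
        if self.double_opt_in and rec.confirmed_at is None:
            return False
        return True
```

The ledger keeps the withdrawn record rather than deleting it, because the withdrawal does not affect the lawfulness of what was sent before it, and you may need to show when and how the original consent was given. The per-channel check reflects the ICO's advice to specify the type of messages the consent covers.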


That’s it! Hopefully you’ve found this blog useful, don’t forget, our experts are just a phone call away!

Ready to take your email marketing to the next level?

If you want help to create a customer-centric, personalised, intelligent email marketing programme, get in touch with eFocus Marketing and discover how we can help you skyrocket your results.
