GDPR requires that organizations have a lawful basis for processing data. One such basis is consent, which according to the GDPR has to be explicit and freely given:
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Art. 4(11)
This means that the mechanism for acquiring consent must be unambiguous and involve a clear affirmative action.
While you shouldn’t ask for consent if you’re carrying out a core service or process personal data by law, you should ask for it when you’re offering a non-essential service, like sending marketing emails.
So, how does the GDPR affect marketing consent? What does it mean in practice? It means that leads, customers and partners need to physically confirm that they want to be contacted. Therefore, pre-ticked checkboxes or any other type of consent by default are not allowed.
The regulation also gives a specific right to withdraw consent; it must, therefore, be as easy to withdraw consent as it is to give it.
Interested in a complete overview on consent guidelines across Europe? Check our GDPR Cookie Consent Cheatsheet!
GDPR not only sets the rules for how to collect consent but also requires companies to keep a record of these consents. It means that you must be able to provide proof of when and how you got consent and what they were told at the time.
Our Consent Solution simplifies this process by helping you to easily store proof of consent and manage consent and privacy preferences for each of your users.
Compliance solutions for websites, apps and organizations: collect GDPR consent, document opt-ins and CCPA opt-outs via your web forms.