Finally, the much-anticipated European privacy D-day has arrived. The General Data Protection Regulation (GDPR) is here… But how to deal with it now?
Yesterday I received a barrage of e-mails from various organizations with the question whether I want to (continue to) receive their newsletters. Most of them explained that they sent these e-mails because of the GDPR. This seems like a bit of a paradox: getting spammed for your consent because of the GDPR. (Though not the weirdest thing in the GDPR-craze by far; I seem to remember radio ads for an external ‘service provider’ offering to scour the Internet for contact details for you, ‘because the GDPR requires you to keep personal data correct’.) Does the GDPR really require you to send an e-mail to your entire customer base again to request a consent for the newsletter?
No. You should have had this consent for a long time, and it has nothing to do with the GDPR. The mandatory consent for sending newsletters (‘commercial electronic messages’) by e-mail is regulated by the e-Privacy Directive (Directive 2002/58/EC) and the national laws implementing it, which have been in force since 2002. If you already had consent before the 25th of May for sending your newsletter, you do (or did) not have to ask for it again because of the GDPR. And if you did not have consent, it is doubtful whether you even had the right to send an e-mail asking for it. (To existing customers, maybe, but I seem to have received plenty of mails from companies from whom I have never purchased anything.)
Perhaps the GDPR made these companies realize they could not adequately prove that they in fact had consent (the GDPR requires the controller to be able to demonstrate it, Article 7(1)), and so they tried to obtain provable consent from as many people as possible before the day the GDPR, with its scary maximum fine of 20 million euros (or 4% of worldwide annual turnover, whichever is higher), came into force.
Now May 25th has finally arrived, the world is still spinning, and in all likelihood you did not find the supervisory authority on your doorstep this morning, even if (be honest) you still have some actions to take to improve your own GDPR compliance. The supervisory authorities seem to be scrambling with their own implementation just as much as you are. (For example, I wonder when we can expect to obtain some model clauses for international transfers which actually comply with the GDPR.)
So how do you obtain provable consent for a newsletter? Many companies already work with so-called ‘double opt-in’. After an e-mail address is submitted (usually through a web form), do not start the subscription yet: send an e-mail to that address containing a unique, unguessable link, and only activate the subscription when that link is clicked. Keep a record of the click (when it happened, from which address, and for which version of the consent text), because that record is what lets you prove that the person in control of the mailbox, rather than whoever typed the address into the form, actually wanted to subscribe.
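The double opt-in flow described above, written out as an added example in Python. This is illustration code, not part of the original article or any company's mailing system; the confirmation URL, the consent-text version label and the two-day expiry of unconfirmed requests are assumptions made for the example. It stores only a hash of the one-time token, makes the token single-use, and produces the proof-of-consent record you would show a supervisory authority.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, asdict

# Hypothetical values for this example; the real confirmation URL and
# consent wording are the sender's own.
CONFIRM_URL = "https://newsletter.example/confirm"
CONSENT_TEXT_VERSION = "newsletter-consent-v1"
TOKEN_TTL_SECONDS = 48 * 3600  # assumption: unconfirmed requests expire after two days


@dataclass
class PendingRequest:
    email: str
    requested_at: float
    requested_ip: str


@dataclass
class ConsentRecord:
    email: str
    consent_text_version: str
    requested_at: float
    requested_ip: str
    confirmed_at: float
    confirmed_ip: str


class NewsletterSignup:
    """Double opt-in: step 1 records a pending request and hands back a
    one-time token for the e-mail link; step 2 turns the clicked token into
    a confirmed subscription with a proof-of-consent record."""

    def __init__(self, now=time.time):
        self._now = now              # injectable clock, so expiry can be tested
        self._pending = {}           # sha256(token) -> PendingRequest
        self._subscribers = {}       # normalised e-mail -> ConsentRecord

    @staticmethod
    def _token_hash(token: str) -> str:
        # Only the hash is stored: a leaked database must not let anyone
        # confirm a subscription on someone else's behalf.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def request(self, email: str, ip: str) -> str:
        """Step 1: the web form was submitted. Nothing is subscribed yet."""
        email = email.strip().lower()
        token = secrets.token_urlsafe(32)  # 256 random bits, not guessable
        self._pending[self._token_hash(token)] = PendingRequest(email, self._now(), ip)
        return token  # goes into the confirmation e-mail only

    def confirmation_link(self, token: str) -> str:
        """The unique link placed in the confirmation e-mail."""
        return f"{CONFIRM_URL}?token={token}"

    def confirm(self, token: str, ip: str) -> str:
        """Step 2: the link was clicked. Returns 'confirmed', 'expired' or 'invalid'."""
        # pop() makes the token single-use; an unknown or reused token is 'invalid'
        pending = self._pending.pop(self._token_hash(token), None)
        if pending is None:
            return "invalid"
        now = self._now()
        if now - pending.requested_at > TOKEN_TTL_SECONDS:
            return "expired"
        self._subscribers[pending.email] = ConsentRecord(
            email=pending.email,
            consent_text_version=CONSENT_TEXT_VERSION,
            requested_at=pending.requested_at,
            requested_ip=pending.requested_ip,
            confirmed_at=now,
            confirmed_ip=ip,
        )
        return "confirmed"

    def is_subscribed(self, email: str) -> bool:
        return email.strip().lower() in self._subscribers

    def proof_of_consent(self, email: str):
        """Who consented, when, from where, and to which wording; None if nobody did."""
        record = self._subscribers.get(email.strip().lower())
        return asdict(record) if record else None
```

Two design points worth keeping when porting this to a real system: the token never appears anywhere except in the e-mail and the click, so the database holds only its hash, and the subscription is created at confirmation time rather than at form submission, so an address typed in by a stranger never receives more than the single confirmation message.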
This article was written by Matthijs van Bergen, in collaboration with Christophe Van Laethem.