In this GDPR FAQ mini blog, we discuss the following issue: Are organisations required to get opt-in consent each time they send a marketing communication?
Our Frequently Given Response:
Not necessarily. Please see the eighth and ninth instalments of our GDPR FAQs mini blog series. In some scenarios, organisations will be able to rely on soft opt-in under PECR and legitimate interests under GDPR to send marketing communications without getting express consent.
Where consent is required, it must be granular, clear, specific and opt-in.
It will no longer be sufficient for organisations to use pre-ticked boxes, or negative consent wording (such as “tick this box if you don’t want to receive marketing communications from us”). Consent must be given via a positive action.
Consent must be granular, so if an organisation wishes to send marketing communications to an individual and also wishes to transfer or sell the individual’s personal data to another organisation, it will need to seek consent separately for each of those two processing activities.
If you seek consent and don’t obtain it, you can’t subsequently decide you wish to rely on another ground for processing, such as legitimate interests. If you don’t get consent, you should no longer use the data for that purpose. It’s therefore preferable to rely on a ground other than consent where possible.
Disclaimer: Anything posted on this blog is for general information only and is not intended to provide legal advice on any general or specific matter. Please refer to our terms and conditions for further information. Please contact the author of the blog if you would like to discuss the issues raised.