Making consent clear, explicit, transparent, granular, and freely given is possibly
one of the key GDPR principles. Makes a lot of sense and I totally support this
requirement. However, this may not be as simple as it seems. GDPR states that
consent to processing should not be a prerequisite to provision of a service.
How can this be achieved? The term processing is not fully defined and the word
‘avoided’ is not the same as ‘banned’, ‘forbidden’, ‘explicitly not allowed’. So, how
will companies interpret this?
For example...
We use SMS/email confirmation to verify the identity of new users on our text
marketing platform. To enable this we need new users to sign up to our privacy
policy and consent checkboxes that state we will send email/SMS to verify
them. These regulations suggest that we are not allowed to require them to
agree to this – and not allowed to make this a prerequisite of accessing our
platform. That can’t really be the case, can it? GDPR can’t really specify how you
verify a customer, and using email/SMS is very common. Do we simply claim
legitimate interest on this?
Also, we want to encourage our existing users to re-opt-in to our new GDPR
compliant privacy policy and consent options. However, we are unable to
incentivise them [‘Get £5 FREE credit when you re-opt-in.’] to complete the
re-opt-in process. These are existing customers that we already have consent from
and definitely could claim legitimate interest. So am I really not allowed to
incentivise them to opt in to a GDPR privacy statement?
We could of course offer a slightly different form of words to get around the
regulations, but I really don’t think that I should be doing that. I don’t want to be
arguing semantics with the ICO or having to debate what exactly ‘should be
avoided’ actually means. These vagaries and badly defined regulations are going
to lead to all sorts of problems.
Any advice is more than welcome.
Good luck all.