From a reader’s point of view, the worst thing that has come out of GDPR rules is that people are no longer sure whether they are still signed up to the sites, newsletters, emails etc. that they want to be signed up to.
If they had only received a handful of GDPR emails, they would have gone through them and clicked on the ones that asked for a click to confirm they could still count on their readers.
If they had received many emails, but they had all been consistent and they had all asked for a re-consent – or none had asked for a re-consent – then people would have known where they stood (though they would have wondered why they got the ‘we don’t need your re-consent’ emails at all).
But when there have been many emails and inconsistent statements – some ask for consent and some say they don’t need to request re-consent but they are sending an email anyway – people are just deleting the emails en masse and letting the future take care of itself.
Suzanne Dibble
Suzanne is a lawyer. I am a member of a private group (Small Business Legal Academy) she set up a couple of years ago. It has given me access to templates for documents such as a hiring a freelancer, setting customer rules for wholesale contracts, and a host of others templates.
More recently, she founded a group to deal specifically with GDPR for small businesses. Yesterday she wrote to people in her SBLA group and GDPR group, and I am setting out here the relevant paragraphs in her email regarding re-consent:
Hello David,
I can’t tell you how many times I have started writing this email.
Too many times, anyway.
…
…Anyway, I digress.
This GDPR email.
I am NOT going to ask you to opt in again to receive my emails… Because I don’t actually need to.
Now, while some of my business friends can get away without explaining themselves fully, I cannot.
I know I need to set the example and be absolutely transparent with you.
I can’t expect you to be satisfied with a wishy-washy explanation like “I don’t need to”. Not from me, anyway.
So, stand by for the “full inner workings explanation” of how we have arrived at this email:
Firstly, my lawful ground of sending you non-marketing emails under GDPR… is legitimate interests.
In addition, direct marketing is a legitimate interest of my business. We know this due to the recitals of GDPR. The ICO say that the lawful ground for sending marketing emails to corporates and to individuals who are customers is likely to be legitimate interests.
Let’s face it, if I couldn’t tell people how I can help them, my business would have been as dead as a dodo quite a few years ago and GDPR certainly doesn’t have the aim of closing down businesses.
I have balanced my legitimate interests with your rights and interests and decided (acting fairly) that there’s nothing against your rights and interests in the emails I do and will send to you.
After all, I don’t send spammy emails three times a day. I don’t prey on the vulnerable, and I give you the right to opt out of receiving my emails in every email.
So, having done my legitimate interests balancing test, I am happy that I can rely on legitimate interests to send emails (and to send unsolicited marketing emails to corporates and individuals who are customers) and have kept the assessment form on file.
The ICO say that for sending unsolicited marketing emails to individuals who are not customers, the lawful basis of processing is likely to be consent. PECR also requires consent in these circumstances.
So do I have pre-existing valid consents for sending unsolicited marketing emails to individuals who are not customers?
All of the consents I have obtained have been freely given.
All of the consents have been specific and informed.
All of the consents have involved an unambiguous indication by clear affirmative action.
I have clear records of all of the consents.
I have always provided the right to opt out.
So yes, I have valid consents.
Hence, I will NOT be asking you opt in again…
Thank goodness for that I hear you say… 🙂
You can of course always opt out at any time. I have an unsubscribe button at the bottom of all of my emails.
…
Peace, love, and GDPR blessings 🙂
Suzanne (Dibble)
Multi-award winning lawyer and GDPR expert
PS for the avoidance of doubt, you do not need to do anything to keep receiving my emails and of course you can unsubscribe at any time.
Are You Happy With Your Consents
If you asked people to opt in to your newsletter/emails/whatever, and your original opt-in was a double opt-in (the recipient signed up with an email address on your site and also confirmed their desire by clicking on the link that arrived in their email inbox) and then you don’t need to get consent again.
Double opt-in has been around for a while and the reason for it and the reason I say you ‘have’ to have double opt-in is that if you are not, then some malicious person could sign up with someone else’s email and you would be sending newsletters to someone who never requested them.
Emailing someone who didn’t request you to email them has been outlawed – at least in the UK – under the regulations (Privacy and Electronic Communications Regulations) for a long while. GDPR highlights it and makes the penalties stronger.
What If You Have A Website – Can You Go To Sleep Now We Are Past 25th May?
Just because we are past the 25th May doesn’t mean people running websites can turn off and tune out.
To comply with the regulations you need a page that sets out your privacy policy, a page that sets out your cookie policy (or a section about cookies in your privacy policy page) and a means for your visitors to signify cookie consent or an indication of where to go to find out more.
If your site is built on WordPress, you are in luck because the very latest version (4.9.6) practically does it all for you, at least gives you the framework to write out your privacy policy statement.
If you haven’t already got a page setting out your privacy policy then go to your admin dashboard, and in Settings, you will see a section named ‘Privacy’ – click on that and choose the ‘Or: create new page’ WordPress will do that for you and set out the sections you need to fill in.
You still have to read up on the GDPR requirements (who collects the info, what kind of info, etc.) but the bones of it are there.
Next, you need a page in which you set out your cookie policy. OR, you can put the cookie policy in a section in the Privacy Policy page. The contents are pretty standard, so find a good site (the BBC, Marks and Spencer, WordPress, Google, etc.) and crib the bits you need.
Finally, you need a cookie consent form. You can no longer tell people that you deem their consent by them continuing to use your site, or maybe you can, but it’s easy to be safe rather than sorry. You need a little banner that people can click to say they are alright with cookies. They don’t have to click it – you just have to have it there for them to click.
I have tried various plugins and the one I use on our e-commerce site is called EU Cookie Law (by Alex Moss and others). It is in the WordPress repository and it is free. You can style it as you want and place it bottom right, top right etc – and link it to your Cookie Policy page.
At A Deeper Level
What is it all about, anyway?
You blog and someone reads your blog and comments, or reads your newsletter.
Or you sell something online – a pen, a book, a woolly hat, an iPhone case – and you get paid. You have the name, address, email address, and maybe some other information such as birthday or the customer’s liking for woolly hats. Surely, none of it is the kind of stuff that the framers of GDPR (the General Data Protection Regulations) are really worried about?
They are worried about people who have other people’s ‘sensitive personal information’ as the GDPR rules define it – racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health, or data concerning a natural person’s sex life or sexual orientation.
What happens in reality is that we all get swept up in the dust storm and have to comply. In the pre-digital age, whenever governments brought out these kinds of regulations, businesses went to see their lawyers and the printers rubbed their hands with glee at the thought of all those reprints they would be asked to do – of brochures and leaflets and notices – all the stuff that would be necessary. Od course, there were far fewer businesses.
But in the digital age where we do it all ourselves, it’s a pain. It’s a pain for thousands and thousands and thousands of bloggers and small businesses to work out what the rules are and comply – when it is surely (surely?) blindingly obvious that 99.9% of what is intended to be protected has nothing at all to do with those bloggers or those small businesses.
Photograph Works 
As the lawyer on your site points out indirectly, people are unsure what they have to do…
…and even as a simple blogger it’s a lot of work and you’re not sure if you did everything correctly. But I guess there’s a lot of panic around.
LikeLike
Yes, panic and fear.
Thanks for commenting. I see you have a privacy policy and legal disclosure section. I like the way you embedded the information in a JPEG so it cannot be scraped.
LikeLike
Thanks.
Yes, it was a lot of work to get all this together. But I thought I at least try to write something, as most of the generators were not really made for sites hosted on WordPress.com
LikeLike
The amount of emails has been overwhelming. I’ve been signed up for a lot of stuff over the years.
Then there are Facebook groups with pictures of people that are named. I wrote to the Swedish Data Protection Authority and asked the question about what to do with all the photos [named faces] … we have a virtual gold mine in one of the groups I administer. I got a long reply, filled with links, and when you’re not accustomed to read legal texts it feels frustrating.
LikeLike
The world is waist deep in text, links, photos… how can it possibly be policed, even if it were understood? 🙂
LikeLike
Yeah … I don’t know, I think I’ll resign from that group.
LikeLike
Are you an Admin for the group?
LikeLike
Yes, but not the only one.
LikeLike
It’s certainly very complicated and no one seems to be entirely sure what they’re doing or supposed to do. As a freelancer, who doesn’t send any marketing emails but obviously needs to collect some of the customer’s data for invoicing purposes, I’ve spent hours and hours reading up on the rules and regulations and honestly, it’s been a waste of time. I never used people’s data for anything else than making an invoice, and that’s what I’m going to do in the future as well, GDPR or no GDPR. So, from my perspective, it’s ultimately good business for lawyers and more sticks thrown in the way of small freelancers. It’s a shame. The original idea was perhaps good, but it somehow went wrong.
LikeLike
I wonder how much feedback and how aware of the discontent the framers of the legislation are aware of?
Maybe there is a bigger plan behind it – to break up the power of Google, Facebook, etc by denying them some of the data they rely on. Or maybe it is just a huge exercise in cracking a walnut with a sledgehammer.
LikeLike
I’m inclined to think it’s an exercise in futility without any deep underlying motive… But let’s hope I’m wrong.
LikeLike
Thanks, a great article, David: This is a welcome, in depth article that has clarified for me some lingering questions that I have had these past few weeks as I have waded through hundreds of emails requiring my action.
The lawyer whose email you quoted was the most transparent of anyone, kudos to her, and thanks for sharing what she wrote.
LikeLike
Thanks. I’m glad you found it useful.
LikeLike
An excellent and well-written post. There’s been so much misinformation and disinformation (frankly). Thanks for sharing the lawyer’s email too.
LikeLike
Thank you for the kind words. I thought I had done a half-decent job of it, but the proof is in the reading, so I am glad to have your opinion.
LikeLike
I’ve only had a handful of emails from sites, etc, that I subscribe to for newsletters, etc, because I subscribe to so few! And to be honest, I’d probably not remember ones that anyone might remove me from…
I’ve had specific problems with writing my privacy policy because of some health issues, but eventually I decided the best thing to do was to to summarise as best I could the main points, give links to all the essential stuff about wp.com’s use of cookies, etc, and add some links myself to support pages so that people could have more control over their own data if it was something I couldn’t do for them. I still don’t know if the page is okay but by now I simply can’t work on it anymore so it’ll have to do.
LikeLike
I don’t think I am being blasé when I say that of all the hundreds of millions of websites out there, the powers that be are most unlikely to single out any but the most egregious cases. I just read your privacy policy and you have put thought into it rather than just boilerplate any old guff.
LikeLiked by 1 person
Thanks. And yes, I’m sure you’re right. Anyway – even if not, there’s a warning long before any possible fines.
LikeLiked by 1 person