The Worst of GDPR – and A Way Out Of The Woods

From a reader’s point of view, the worst thing that has come out of GDPR rules is that people are no longer sure whether they are still signed up to the sites, newsletters, emails etc. that they want to be signed up to.

If they had only received a handful of GDPR emails, they would have gone through them and clicked on the ones that asked for a click to confirm they could still count on their readers.

If they had received many emails, but they had all been consistent and they had all asked for a re-consent – or none had asked for a re-consent – then people would have known where they stood (though they would have wondered why they got the ‘we don’t need your re-consent’ emails at all).

But when there have been many emails and inconsistent statements – some ask for consent and some say they don’t need to request re-consent but they are sending an email anyway – people are just deleting the emails en masse and letting the future take care of itself.

Suzanne Dibble

Suzanne is a lawyer. I am a member of a private group (Small Business Legal Academy) she set up a couple of years ago. It has given me access to templates for documents such as hiring a freelancer, setting customer rules for wholesale contracts, and a host of other templates.

More recently, she founded a group to deal specifically with GDPR for small businesses. Yesterday she wrote to people in her SBLA group and GDPR group, and I am setting out here the relevant paragraphs in her email regarding re-consent:

Hello David,

I can’t tell you how many times I have started writing this email.

Too many times, anyway.

…Anyway, I digress.

This GDPR email.

I am NOT going to ask you to opt in again to receive my emails… Because I don’t actually need to.

Now, while some of my business friends can get away without explaining themselves fully, I cannot.

I know I need to set the example and be absolutely transparent with you.

I can’t expect you to be satisfied with a wishy-washy explanation like “I don’t need to”. Not from me, anyway.

So, stand by for the “full inner workings explanation” of how we have arrived at this email:

Firstly, my lawful ground of sending you non-marketing emails under GDPR… is legitimate interests.

In addition, direct marketing is a legitimate interest of my business. We know this due to the recitals of GDPR. The ICO say that the lawful ground for sending marketing emails to corporates and to individuals who are customers is likely to be legitimate interests.

Let’s face it, if I couldn’t tell people how I can help them, my business would have been as dead as a dodo quite a few years ago and GDPR certainly doesn’t have the aim of closing down businesses.

I have balanced my legitimate interests with your rights and interests and decided (acting fairly) that there’s nothing against your rights and interests in the emails I do and will send to you.

After all, I don’t send spammy emails three times a day. I don’t prey on the vulnerable, and I give you the right to opt out of receiving my emails in every email.

So, having done my legitimate interests balancing test, I am happy that I can rely on legitimate interests to send emails (and to send unsolicited marketing emails to corporates and individuals who are customers) and have kept the assessment form on file.

The ICO say that for sending unsolicited marketing emails to individuals who are not customers, the lawful basis of processing is likely to be consent. PECR also requires consent in these circumstances.

So do I have pre-existing valid consents for sending unsolicited marketing emails to individuals who are not customers?

All of the consents I have obtained have been freely given.

All of the consents have been specific and informed.

All of the consents have involved an unambiguous indication by clear affirmative action.

I have clear records of all of the consents.

I have always provided the right to opt out.

So yes, I have valid consents.

Hence, I will NOT be asking you to opt in again…

Thank goodness for that I hear you say… 🙂

You can of course always opt out at any time. I have an unsubscribe button at the bottom of all of my emails.

Peace, love, and GDPR blessings 🙂

Suzanne (Dibble)

Multi-award winning lawyer and GDPR expert

PS for the avoidance of doubt, you do not need to do anything to keep receiving my emails and of course you can unsubscribe at any time.

Are You Happy With Your Consents?

If you asked people to opt in to your newsletter/emails/whatever, and your original opt-in was a double opt-in (the recipient signed up with an email address on your site and also confirmed their desire by clicking on the link that arrived in their email inbox), then you don’t need to get consent again.

Double opt-in has been around for a while. The reason for it, and the reason I say you ‘have’ to have double opt-in, is that if you don’t, some malicious person could sign up with someone else’s email address and you would be sending newsletters to someone who never requested them.

Emailing someone who didn’t request you to email them has been outlawed – at least in the UK – under the regulations (Privacy and Electronic Communications Regulations) for a long while. GDPR highlights it and makes the penalties stronger.
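The double opt-in flow described above, as an added example (not code from this post or from any plugin it mentions): a sign-up is held as pending and only becomes a recipient when the HMAC-signed, time-limited token from the confirmation email is presented, which is also the moment the dated consent record is written. The signing key, the 48-hour expiry and the token layout are assumptions for the example.

```python
import hmac, hashlib, secrets, time
from dataclasses import dataclass
from typing import Optional

SECRET_KEY = secrets.token_bytes(32)   # constructed per run; a real site keeps this in config
TOKEN_TTL = 48 * 3600                  # assumed policy: confirmation links expire after 48 hours

@dataclass
class Subscriber:
    email: str
    requested_at: float                     # when the form was submitted (by anyone)
    confirmed_at: Optional[float] = None    # when the inbox owner clicked the link
    confirm_ip: Optional[str] = None        # kept with the consent record

class MailingList:
    """Double opt-in list: only the holder of the inbox can turn a request into a recipient."""
    def __init__(self):
        self.pending: dict = {}
        self.confirmed: dict = {}

    def _sign(self, email: str, issued: int) -> str:
        return hmac.new(SECRET_KEY, f"{email}|{issued}".encode(), hashlib.sha256).hexdigest()

    def subscribe(self, email: str, now: Optional[float] = None) -> str:
        """Step 1: record the request; return the token that goes in the confirmation email."""
        issued = int(now if now is not None else time.time())
        email = email.strip().lower()
        self.pending[email] = Subscriber(email=email, requested_at=issued)
        return f"{email}|{issued}|{self._sign(email, issued)}"

    def confirm(self, token: str, client_ip: str, now: Optional[float] = None) -> bool:
        """Step 2: accept only a genuine, unexpired, not-yet-used token."""
        now = now if now is not None else time.time()
        try:
            email, issued_s, sig = token.rsplit("|", 2)
            issued = int(issued_s)
        except ValueError:
            return False
        if not hmac.compare_digest(sig, self._sign(email, issued)):
            return False                                  # forged or tampered link
        if now - issued > TOKEN_TTL or email not in self.pending:
            return False                                  # stale link, or nothing pending for it
        sub = self.pending.pop(email)
        sub.confirmed_at, sub.confirm_ip = now, client_ip  # the consent record kept on file
        self.confirmed[email] = sub
        return True

    def recipients(self) -> list:
        """Only confirmed addresses ever receive a newsletter."""
        return sorted(self.confirmed)
```

An address entered by a third party sits in `pending` until its link is clicked, so it never appears in `recipients()`.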

What If You Have A Website – Can You Go To Sleep Now We Are Past 25th May?

Just because we are past the 25th May doesn’t mean people running websites can turn off and tune out.

To comply with the regulations you need a page that sets out your privacy policy, a page that sets out your cookie policy (or a section about cookies in your privacy policy page) and a means for your visitors to signify cookie consent or an indication of where to go to find out more.

If your site is built on WordPress, you are in luck because the very latest version (4.9.6) practically does it all for you, or at least gives you the framework to write out your privacy policy statement.

If you haven’t already got a page setting out your privacy policy, go to your admin dashboard and, in Settings, you will see a section named ‘Privacy’. Click on that and choose ‘Or: create new page’. WordPress will create the page for you and set out the sections you need to fill in.

You still have to read up on the GDPR requirements (who collects the info, what kind of info, etc.) but the bones of it are there.

Next, you need a page in which you set out your cookie policy. OR, you can put the cookie policy in a section in the Privacy Policy page. The contents are pretty standard, so find a good site (the BBC, Marks and Spencer, WordPress, Google, etc.) and crib the bits you need.

Finally, you need a cookie consent form. You can no longer tell people that you deem their consent by them continuing to use your site – or maybe you can, but it’s better to be safe than sorry. You need a little banner that people can click to say they are alright with cookies. They don’t have to click it – you just have to have it there for them to click.

I have tried various plugins and the one I use on our e-commerce site is called EU Cookie Law (by Alex Moss and others). It is in the WordPress repository and it is free. You can style it as you want and place it bottom right, top right, etc. – and link it to your Cookie Policy page.

At A Deeper Level

What is it all about, anyway?

You blog and someone reads your blog and comments, or reads your newsletter.

Or you sell something online – a pen, a book, a woolly hat, an iPhone case – and you get paid. You have the name, address, email address, and maybe some other information such as birthday or the customer’s liking for woolly hats. Surely, none of it is the kind of stuff that the framers of GDPR (the General Data Protection Regulations) are really worried about?

They are worried about people who have other people’s ‘sensitive personal information’ as the GDPR rules define it – racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health, or data concerning a natural person’s sex life or sexual orientation.

What happens in reality is that we all get swept up in the dust storm and have to comply. In the pre-digital age, whenever governments brought out these kinds of regulations, businesses went to see their lawyers and the printers rubbed their hands with glee at the thought of all those reprints they would be asked to do – of brochures and leaflets and notices – all the stuff that would be necessary. Of course, there were far fewer businesses.

But in the digital age where we do it all ourselves, it’s a pain. It’s a pain for thousands and thousands and thousands of bloggers and small businesses to work out what the rules are and comply – when it is surely (surely?) blindingly obvious that 99.9% of what is intended to be protected has nothing at all to do with those bloggers or those small businesses.

Sledgehammer – Walnut – Crack