Unambiguously yours

There’s an old joke about a tourist in Ireland asking for directions and getting the reply ‘If I was you, I wouldn’t start from here’. To anyone in the position of wondering whether to contact all of the people on their mailing list to get GDPR-standard consent to send marketing, fund-raising or promotional emails and texts, I can only say this: I wouldn’t start from here.

With apologies to regular readers who already know (there must be six of you by now), the problem comes because most of the people advising on the solution don’t seem to know what the problem is. They think that the General Data Protection Regulation makes a significant change to the nature of consent from what is required now, and so they tell their clients and employers that there is an urgent need to carry out a ‘re-consenting’ exercise. A memo has clearly gone out – a distinguished correspondent has sent me two examples of organisations sending out emails to get consent in the past week, and yesterday, the charity Stonewall used Valentine’s Day as a prompt to beg its supporters to ‘not leave us this way’. It was lovely, and it is probably an admission that Stonewall have been acting unlawfully since at least 2003, if not 1998.

Here’s the problem. The 1995 Data Protection Directive defines consent like this:

any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed


the data subject has unambiguously given his consent

If you’re new to this, read those sentences a few times. Think about ‘freely given’. Think about the consent being an ‘indication’, something by which the person ‘signifies’ their ‘agreement’. Think about ‘unambiguously given‘. If you think that this be interpreted as an opt-out, where are your car keys? Consent, according to you, is me taking your car keys and leaving you a legalistic note somewhere that says that unless you tell me not to borrow your car, I can borrow your car. Or because I borrowed it another time and you didn’t object, I can keep borrowing your car until you tell me not to.

This is nonsense. Consent cannot be inferred. It cannot be implied. A badly written opt-out buried in terms and conditions, consent assumed because I made a donation, the fact that you have my email address and you assume that I must have given it to you with my consent for marketing rather than (for example) you bought it from a list broker who launders dodgy data like drug money – none of these examples constitute consent. Consent is consent. You asked and I said yes. We all know what it means and to pretend otherwise is to lie so you can persuade yourself that you can spam people.

Yes, the GDPR adds a couple of things. It requires consent to be ‘demonstrable’. It states explicitly that consent can only be obtained by a ‘statement or by a clear affirmative action’. But if you claim that the absence of the above phrase in the Directive is any help to the opt-out model, you’re lying to yourself. An opt-out is inherently ambiguous, and the directive says that consent cannot be unambiguous. I might have misunderstood the wording (especially if the language was clunky or technical, which it often is), the data may have been obtained for a different purpose and the consent option is buried in terms and conditions, I might just have missed it or forgotten. The Directive is clear.

Jump ahead to the Privacy and Electronic Communications Regulations, based on Directive 2002/58/EC (often known the ePrivacy Directive). The definition of consent comes from the Data Protection Directive, and so if the ePrivacy Directive says you need consent, what you need is unambiguous, freely given, specific and informed consent. The ePrivacy Directive is enacted by the Privacy and Electronic Communications (EC Directive) Regulations 2003, or PECR (which all good people pronounce as ‘Pecker’ and revel in the opportunities that doing so affords them).

PECR makes life even harder for the opt-outers. For emails, PECR says that the recipient must have “previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender“. If you think that a person can ‘notify’ you by not doing something (i.e. not opting-out), once again, where are your car keys?

Surprisingly given all the execrable practice to which the Commissioner happily turns a blind eye, Wilmslow fired a shot across everyone’s bows with three enforcement cases last year. Morrisons and Flybe are to some extent red herrings as they deliberately targeted people who had explicitly opted out of receiving direct marketing, so when the companies emailed them asking them to opt back in, it was plainly bullshit. The Honda case is more interesting, in the sense that Honda ignored everyone who had opted in (because they’d opted in) and everyone who had opted out (naturally). They contacted people where they didn’t know either way, where they held no evidence of consent. Despite the fact that in all three cases, the contact itself wasn’t selling anything, all were sent for marketing purposes, and here, the ICO argued that the organisations didn’t have consent for sending emails for marketing purposes. It’s been argued by idiots that all Honda were trying to do was comply with GDPR, but that’s patently false. They were trying to pack out their marketing list before a perceived change in the law (GDPR) while ignoring another law that was just fine thanks (PECR).

And now we come to the payoff. If Stonewall (and all the others) have consent to send fund-raising emails, they don’t need to ask again. If they don’t have freely given, specific, informed and unambiguous consent, they shouldn’t be sending emails for marketing purposes now, even if the purpose is to ask for consent from people who are happy to give it because the email is inherently unlawful. It wouldn’t be unlawful for Stonewall to write to all of its supporters and ask them for consent, because post isn’t electronic so PECR doesn’t apply. I would say that there is plainly a legitimate interest for them to use post to ask people for permission to send fund-raising and promotional correspondence by email, so there is no GDPR problem.

The problem with a re-consenting exercise is that the organisation is basically admitting to a PECR breach. The problem is exacerbated by doing that re-consenting exercise by email, because as Honda have demonstrated, doing so is in itself a breach of PECR. People complained to the ICO about the Honda emails, which is why they enforced. If you do a re-consenting exercise by email, anyone irritated enough by the request may well complain. Then what?

So what do I think organisations should do in the light of all this? Well, I wouldn’t start from here. But ignoring the law for a moment, this might be a time to be pragmatic. If you send people content that they want and you don’t annoy them (email being less annoying and distracting than phone or text in my opinion), if you have nice big bright unsubscribe buttons, and if YOU RESPECT BLOODY UNSUBSCRIBE REQUESTS (Hello Daily Telegraph), what’s the risk? Why draw attention to yourself?

I am convinced that sending emails to people who haven’t opted-in is unlawful unless you’ve got the soft opt-in (which because it’s predicated on data gathered through a sale, most charities won’t have). But many organisations have been content to do that for years despite it being unlawful now. So what’s actually changing? I think everyone should comply with the law because privacy – the right to be left alone – is a vital foundation for a civilised society. But if you’re sitting on a mailing list and you’re not sure what to do with it, I would forgive you if you took a slower, longer path, taking every natural opportunity to get renewed consent from existing contacts, getting strong unambiguous consent from anyone new, and hoping that churn and natural wastage gets you where you need to be. And if you’re wrestling with this right now and you’ve read this far, good luck and best wishes.


  1. Brilliant. Thank you for this. As ever, you speak a lot of sense.

  2. Matthew Page says:

    I’m getting rustier and rustier on this, but I thought GDPR added stricter requirements of being able to prove you have consent, some kind of audit trail? In cases where we gained consent at some point, have been consistently emailing people for a while, have consistently given a clear means to unsubscribe, but can’t point to the piece of paper/precise wording then isn’t there a need to get fresh consent with a provable audit trail?

    By the way, I got the “I wouldn’t start from here” answer once when asking for directions. First person we spoke to upon my arrival in Loughborough, 25 years later I’m thinking I should probably have taken that as some kind of warning…

  3. What about the transparency requirements in Article 13 and 14? GDPR will require organisations to re-write their privacy notices, as most don’t inform people, rather they confuse people with legalise waffle. If a consent was obtained but lacked some information in Article 13, would it be valid? Furthermore, shouldn’t an organisation also adopt a layered and user friendly approach to privacy in order to be GDPR compliant?

  4. Adrian Beney says:

    Thanks for this, Tim. It’s the “demonstrable” that is causing lots of angst. In amongst organisations that don’t have consent, there are others that the process by which they obtained consent is OK, but the proof is harder since they didn’t record the specific moment and circumstances of the acquisition of that consent. They just, for example, added someone to the list of people who get the e-newsletter, because that’s what the person asked for.

    Some organisations are taking the view that if they can demonstrate the process – opting in, unambiguous, appropriate privacy notice, freely given etc., then that satisfies Article 7(1). But that doesn’t provide a bomb proof audit trail on the acquisition of the consent from any one individual. So others feel they need to do what Stonewall did in order to have that individual audit trail. I’ve given a specific example on the LinkedIn comments on this article. I’d be interested in your take on that.

  5. Concur. I would add a couple of nuances. In some Member States, including the UK, much of the Directive was not implemented adequately or at all. So to locals, much of the GDPR may indeed be a little new.

    On PECR, I’m unfailingly amused by the fact that many sites technically require you to have cookies pre-switched on for the site before (a) you can read their cookie policy (b) they can recognise your consent to whatever rubbish they’re asking of you, let alone access the rest of what passes for their data protection Notices. These automatic fails become very obvious very quickly if you simply set your browser to reject cookies by default. Yes, it’s a pain continuously having to set site exceptions in your browser (especially 3-4 distinct exceptions for certain multi-site companies), but invaluable intelligence for selecting quick-win litigation targets…

    It also annoys me that many sites (especially media, as well as the usual suspects) completely unnecessarily refuse (by simply not functioning otherwise) to accept session cookies and instead require full persistent cookies. As session cookies are sufficient for almost all processing, such behaviors pro tanto fail the fairness test for consent and contract, and the necessity test for all bases except consent.

  6. Andrew Richards says:

    I was talking to a friend of mine who runs an eBay business about this the other day. Her confusion was in the interplay between the DPA / GDPR and PECR.

    She has, as part of her checkout process, a tick-box which says “I consent to receiving monthly marketing emails” and there’s a pre-ticked box.
    Under PECR, this soft opt-in works as this is an existing customer, so the expression of consent is fine.

    But this pre-ticked box is NOT valid consent under DPA or GDPR, where consent must, as you say, be an active choice. So she’s left with using Legitimate Interest as her lawful basis for processing, even though the tickbox says “I consent….”

  7. Just had an email from CRN that included “10 Tips to Help Comply with GDPR” very thoughtful of them I thought. However looks like everyone will have to turn to MSP’s to help get clients ready when this takes effect in May 2018. My first problem is what is an MSP? I have checked the internet and found many different possibilities including being a Member of the Scottish Parliament (which i am not) Here are the tips if you didn’t get the email..
    1. You will need to Know the law
    2. You must discuss compliance with clients
    3. Identify the covered Data
    4. Monitor client environments
    5. Centralize security management
    6. Implement real time alerts….s….s..
    7…. I am now bored of typing any more of this!

    Oh just noticed this is really just an advert for a company that provides managed services… I don’t think they had my permission to email me with this??

%d bloggers like this: