GDPR: (re)confirming consent, an error to avoid

With the entry into force of the General Data Protection Regulation (GDPR) on May 25th, you’ve probably received dozens of emails asking you to consent (or re-consent) to the processing of your personal data.

Now, you may be wondering if you should do the same for your own business.

The answer is no, and here’s why:

Firstly, the GDPR only concerns you if your company is active on the European market.

If your company doesn’t deal with European consumers, you don’t have to worry about the GDPR. It’s much more important to ensure that you comply with the Canadian Anti-Spam Law (CASL), which is almost as severe as the GDPR but focuses on Canadian companies, and commercial electronic communications to and from Canada.

If, however, you are active in Europe, whether you are physically present there or not, compliance with the GDPR is your concern, but this is not a reason to bombard your contacts with requests for confirmation of consent. It is a harmful and often useless step because there are other ways to put you in good standing.

Counterproductive results

From a marketing perspective, confirmation of consent is probably the worst legal basis to justify the processing, use and storage of personal data.

Indeed, companies that opted for “consent confirmation” campaigns have seen the danger first-hand. For example, many of their contacts took the opportunity to withdraw their consent out of frustration at the avalanche of similar messages they had received. This is a quick and easy way to destroy your marketing database.

The same thing happened in 2014 when CASL came into force. Consumers received thousands of messages asking whether they would agree to continue receiving commercial messages. These messages were initially useless, because a transitional provision gave senders an implied right to keep sending messages until July 2017. Above all, these emails damaged the reputation of several companies and had the opposite effect: the loss of consent from the vast majority of their marketing contacts, which drove some SMBs into bankruptcy.

A request for consent probably not necessary

Firstly, explicit consent obtained by means of a form that complied with the European directive on the protection of privacy (Directive 95/46/EC) remains valid under the GDPR. If your forms comply with the Canadian Anti-Spam Law, then your consents also satisfy the GDPR. It is therefore unnecessary to waste your time and your clients’ time by asking them for a new consent.

In addition, the GDPR provides five other legal bases to justify the collection and processing of personal data. These five legal bases are: contractual necessity, compliance with a legal obligation, protection of the interests of the data subject or of another natural person, the public interest and, finally, legitimate interests (Article 6 of the GDPR).


“Legitimate interest” as an ally

From a marketing perspective, “legitimate interest” is definitely the most interesting and easy option to use. Section 6 (1) (f) of the GDPR defines it as treatment “necessary for the legitimate interests of the controller or a third party unless the interests or fundamental rights and freedoms of the person concerned prevail, which require protection of personal data, in particular where the data subject is a child.” 1

In other words, your interest in developing your business justifies collecting and using the relevant personal information of your contacts for your email marketing campaigns, as long as doing so does not affect your contacts’ rights. For example, if you use the name and email address that someone has provided to you to send them relevant promotional information and give them the opportunity to unsubscribe, you are justified under “legitimate interests”. On the other hand, this would not justify collecting and processing irrelevant personal information such as their Social Insurance Number or their sexual orientation.

Think strategically

Just because email service providers like MailChimp or Cyberimpact offer you a consent-request email template does not mean it is relevant to use it. Unfortunately, these companies often have limited knowledge of these regulations and their compliance requirements. It’s better to put yourself in the shoes of the average consumer who has received 23 emails of this type this week and who expects more interesting emails from you.

If you are afraid that some of your consents are not in compliance and you need to get a confirmation, go step by step to reduce the impact on your database.

Start by separating all your European contacts from the other contacts in your database and group them according to the legal bases that may apply to them. If some contacts do not fit any of the six legal bases and you did not obtain them through a consent form, send a consent confirmation message only to those contacts, making sure to do so in a tone that matches the relationship style you have developed with your customers. An overly “legal” tone will bother your customers or, at worst, scare them.

In short, the GDPR should not push you to make mistakes in panic mode but is an issue that you must take seriously if you do business with Europeans. It’s also an opportunity to structure and enrich your databases and digital marketing strategy by building the trust of your customers.

As with CASL, it is not enough to have “consent” to comply with the GDPR. All other regulatory requirements must be met, which only a formal compliance program can provide.

If you want to comply with the GDPR to strengthen the trust of your European customers or avoid fines and legal proceedings, contact one of our advisers today. The Certimail team offers GDPR compliance programs tailored to the constraints of Canadian SMBs that can even be combined with a CASL compliance process, saving you time and money.


GDPR & CASL: When to use “Legitimate Interests” or “Consent” as a lawful basis

If you are a Canadian marketer and you send emails to the European Union (E.U.), under GDPR you’ll need to justify why you collect and store data for each of your contacts. And by data, I’m referring to contact information (first name, last name, email address, etc.) and how you use this data (marketing, transactional, etc.).

The lawful bases

Because GDPR governs data security and protection, an individual or organization must be able to cite one of the six lawful bases to justify the collection of data about their clients, leads, partners, members, marketing contacts, etc.

From a purely marketing perspective, there are two lawful bases that one will cite regularly in their records and documentation: “Legitimate Interests” and “Consent”.

  • “Legitimate Interests” as a lawful basis can be relied upon for marketing activities if you can show that how you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object.
  • “Consent” as a lawful basis is appropriate if you can offer people real choice and control over how you use their data, and want to build their trust and engagement.

Which lawful basis to apply for email marketing purposes…

Knowing that:

  • Under CASL, which governs commercial electronic messages, a consent status (either “express” or “implied” consent) needs to be attributed to and documented appropriately for each contact for you to have the legal right to send them commercial electronic messages.
  • Under GDPR, which governs data security and protection, a lawful basis needs to be attributed to and documented appropriately for each contact for you to have the legal right to store and use that contact’s information.

Hence, as a Canadian marketer sending marketing messages to the E.U., you must take into consideration and comply with the rules of both GDPR and CASL, which adds a certain complexity.

Despite this complexity, there are totally legitimate, quick, and easy solutions for you to use:

For B2C email marketing

“Consent” as a lawful basis is one of the ways, and the easiest for email marketers, to prove lawfulness and compliance in the eyes of GDPR.

However, there are strict requirements, and going forward you will need to obtain explicit consent (note that there is no such thing as “implied consent” under GDPR) from all your marketing communication subscribers and from anyone who fills out a form on your web pages to receive communications from you.

If you use “Consent” as a lawful basis:

  • Consent must be specific to distinct purposes.
  • Silence, pre-ticked boxes or inactivity do not constitute consent; data subjects must explicitly opt in to the storage, use, and management of their personal data. A double opt-in procedure is the best and safest way forward.
  • Separate consent must be obtained for different processing activities, which means you must be clear about how the data will be used when you obtain consent. The opt-in message you use has to state all the ways you could possibly use the personal data you collect and how you are protecting that data (e.g. state that you take data protection seriously by including a link to your Privacy Policy, and indicate that a person can access, rectify, or erase their data at any time).
  • Consent must be verifiable and requires a written record of when and how someone agreed to let you process their personal data.

This process not only enables you to comply with GDPR, but also gives you “express” consent under CASL.

For B2B email marketing

Particularly for those in sales, many of our contacts can be filed and recorded as “Implied Consent” under CASL, and as “Legitimate Interests” under GDPR.

You are required, however, to document a Legitimate Interests Assessment (LIA) for each contact:

Whoa, that’s a lot to take in and document! But wait… whether you’re marketing B2C or B2B, or both, the arrival of GDPR is a great opportunity and occasion to convert “implied consent” Canadian contacts to “express consent” contacts, and to classify E.U. contacts under “Consent” as a lawful basis. See this article, “How to Write Emails to Get Consent for GDPR (and CASL)”.


Understandably, different-sized organisations and different types of messages need to be taken into consideration. Be sure to adapt accordingly to your organisation’s structure, operations, and unique situation.

Applying both CASL and GDPR legislation responsibly and taking the appropriate action is not at all an easy task. There are many details to pay attention to and to follow. It can be a difficult, time-consuming, and frustrating task if you are not completely versed in both pieces of legislation. In addition, mistakes can result in costly fines for individual executives and companies alike.

If you need help or have questions, you can leave a comment or contact us at any time.