The General Data Protection Regulation (GDPR) is the new law aimed at protecting individuals’ privacy and their personal data. All companies that send commercial emails to any person living in the EU must comply with this law when it goes into effect on May 25, 2018 – including non-EU companies.
If you collect or process personal data from any natural person residing in the EU, the GDPR requires that you obtain the person’s specific, informed consent, which must unambiguously indicate the person’s wishes or be given by a clear affirmative action.
When you collect a natural person’s (aka data subject’s) personal data, the GDPR requires you to do the following:
- It must be done lawfully, fairly, and with transparency.
- Data must be collected for a specific, explicit, and legitimate purpose.
- The data collected must be limited to the data necessary for the purposes for which it will be processed.
- You must erase or rectify inaccurate data without delay.
- You must keep the data for a period that is no longer than necessary for the purpose for which it will be used.
- You must protect the data subjects’ personal data with appropriate security measures.
Requiring specific informed consent means you can’t hide the consent information in your terms of service. The data subject has to know what they’re signing up for and give their explicit consent to the use of their data. If you give people who visit your website the option to add themselves to your mailing list, then, since you won’t know where they live (especially if all they’re providing you is a name and email address), the sign-up form should comply with the GDPR requirements.
I suspect it also means that dropping your card in the bowl to try to win an iPad at a booth at a conference won’t be sufficient to establish explicit consent to add a person to your email list unless there’s verbiage adjacent to the bowl stating that doing so is a clear affirmative action of consent. Hmm . . . perhaps event organizers who have EU attendees should provide their expo vendors with information about obtaining consent under GDPR.
If you want more information about GDPR, please watch this site and my YouTube channel because I’m creating a substantial amount of content on this topic. You can also send me an email (Note: I can’t give advice to non-clients). I use my mailing list to share my thoughts about being a lawyer/entrepreneur, updates about projects I’m working on, upcoming speaking engagements, and I may provide information about products, services, and discounts. Please add yourself if you’re interested.
You can also connect with me on Twitter, Facebook, YouTube, or LinkedIn.
One response to “GDPR Compliance: Informed Consent Required”
[…] about how, under this law, when you want to add a person to your email list, you must get their specific informed consent and you must be able to prove that you obtained their consent to be on your […]