How to Opt-In/Out in Compliance with Data Privacy & Protection Regulations
Opt In Email Marketing Definition
Opt In Email Marketing is the method used to invite website visitors to sign up or “opt in” by providing affirmative consent to receive electronic marketing messages or promotions. In addition to email, SMS text has become popular and also requires an opt in.
Difference Between Opt-In & Opt-Out
There is a changing viewpoint on the practices of opt out and opt in email marketing. We will explore this evolution and the newer opt in definition.
Opt-out consent was a previously accepted method of consent where the individual is silent and does not actively decline consent. In other words, if the individual did not clearly decline to receive marketing emails, their permission was presumed granted. In this method, a clear opt out or unsubscribe was to be made available in all communications.
More recently, there has been a change in the court rulings around the handling of consent, particularly in the EU. In the EU, the notion of opt-out consent is no longer accepted. Instead, opt-in consent has become more widely preferred or even required by a number of courts. Opt-in consent means that the individual has freely and expressly given their opt in consent or permission to receive marketing.
Does GDPR Require Double Opt In?
The GDPR does not call out a requirement for double opt in per se; however, it has very specific requirements for handling consent or “opt in”. Under the GDPR, the standard for data privacy, consent is one of several lawful bases for data processing. One of the challenges with consent management is that consent can be withdrawn at any time, and a method for withdrawing consent, or opting out, must be provided.
As stated by Article 7 of the GDPR, the controller shall be able to demonstrate that the data subject has consented to the processing of his or her personal data. Traditionally, a double opt in satisfies this requirement, but it is not the only way the requirement may be satisfied. It should be noted that the GDPR requires that consent be valid, explicit, freely given, and opt-in through a “clear affirmative action.” It is not acceptable to assign consent through the data subject’s silence or by supplying “pre-ticked boxes.”
Is Double Opt In Required in Germany?
Germany has deep roots in privacy, predating the GDPR. Although it had no law requiring double opt in prior to 2018, German courts have demonstrated that they are not satisfied with a single consent declaration and indicate a preference for the double opt in, where an email is sent with a link that must be clicked to confirm the individual was indeed the requestor. As a result, many German brands adopted the double opt in practice prior to the GDPR.
How to Opt-In/Out in Compliance With Data Privacy Regulations
While many companies have been focused on compliance with the GDPR, other regulations should be noted as well. One of these is the EU ePrivacy Regulation, which replaces the Directive that goes back to 2002 and has been through several recent draft updates. While it has become known as the Cookie Law, it has much broader ramifications for electronic communications, including email marketing. The ePrivacy Regulation does not replace the GDPR but rather has been written to complement it.
Under the ePrivacy Regulation, there is a requirement that the individual must actively tick a box to demonstrate their consent and that they must have a way to later withdraw that consent or “opt out”.
Is Cookie Consent the Same as Email Opt In?
Cookie Consent and Email Opt In consent are two different things. Cookie Consent is given to allow tracking cookies during a website visit, whereas email opt in consent is given at a different time and only applies to receiving marketing emails. A person may consent to one but not the other, so managing that appropriately is important. In both cases the individual must be able to later opt out or withdraw their consent. It should be noted that EU court rulings take the same perspective for both: that is, “pre-ticked boxes” are not acceptable in either case. Whether the website visitor agrees to tracking cookies or a consumer agrees to receive email marketing, that consent must not be assumed; it must be given freely and explicitly.
What Is a Consent Manager and How Does It Handle GDPR or CCPA Opt In
The first step in determining how to manage consent is to identify where it is tracked and which applications or programs rely on it. In this case, it is often sales, marketing or support applications such as CRMs or marketing automation tools. Typically, this is handled by a preference manager or a consent management platform. The consent management platform may be a standalone system, or more often, part of the privacy compliance management platform or suite.
The consent management platform’s role is to handle the opt in or opt out consent, pass that information to other relevant systems, and to provide a mechanism for the consumer to adjust / change or withdraw their consent.
A consent management platform should be able to store the name or other identifier of the consumer / data subject as well as the date/timestamp of the consent. Typically consent management will include an intake mechanism such as a web form and web hooks or API for communicating with the relevant systems.
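A minimal sketch of the record keeping described above, combined with the double opt in confirmation step; this is an added example, not code from this article or from any vendor's product. The class and method names, the HMAC-signed confirmation token and the purpose labels are assumptions made for illustration.

```python
import hashlib, hmac, itertools, time

class ConsentLedger:
    """Append-only consent log: each change is a new timestamped event."""
    def __init__(self, secret, now=time.time):
        self.secret, self.now, self.events = secret, now, []

    def _log(self, subject, purpose, state):
        self.events.append({"subject": subject, "purpose": purpose,
                            "state": state, "ts": self.now()})
        return self.events[-1]

    def _latest(self, subject, purpose):
        return next((e for e in reversed(self.events)
                     if (e["subject"], e["purpose"]) == (subject, purpose)), None)

    def _token(self, event):
        # Bind the token to one pending request so an older link cannot confirm a newer one.
        msg = f'{event["subject"]}|{event["purpose"]}|{event["ts"]}'.encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def request_opt_in(self, subject, purpose):
        """Step 1 (web form): log 'pending' and return the token for the emailed link."""
        return self._token(self._log(subject, purpose, "pending"))

    def confirm(self, subject, purpose, token):
        """Step 2 (link clicked): grant only if the token matches the pending request."""
        e = self._latest(subject, purpose)
        if e is None or e["state"] != "pending" or not hmac.compare_digest(
                token.encode(), self._token(e).encode()):
            return False
        self._log(subject, purpose, "granted")
        return True

    def withdraw(self, subject, purpose):
        self._log(subject, purpose, "withdrawn")

    def may_send(self, subject, purpose):
        e = self._latest(subject, purpose)
        return e is not None and e["state"] == "granted"  # no record means no consent

def demo():
    clock = itertools.count(1700000000)  # constructed timestamps
    led = ConsentLedger(b"constructed-demo-secret", now=lambda: next(clock))
    who, mail = "user@example.com", "email_marketing"  # constructed sample values
    stale, fresh = led.request_opt_in(who, mail), led.request_opt_in(who, mail)
    r = {"unconfirmed": led.may_send(who, mail), "stale_link": led.confirm(who, mail, stale)}
    r["fresh_link"] = led.confirm(who, mail, fresh)
    r["granted"], r["cookies"] = led.may_send(who, mail), led.may_send(who, "tracking_cookies")
    led.withdraw(who, mail)
    r["after_withdraw"], r["events"] = led.may_send(who, mail), len(led.events)
    return r
```

Because withdrawals are appended rather than overwriting earlier rows, the event list doubles as the evidence trail a controller needs to demonstrate when consent was given and when it ended.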