Making Sense of Consent Under the GDPR

With the General Data Protection Regulation (GDPR) quickly approaching, we’ve had many customers asking questions about the different legal bases for processing data. Of the six legal bases (consent; contract; legal obligation; vital interests; public tasks; and legitimate interests), perhaps those causing the most confusion and uncertainty are consent and legitimate interests. Carmel covers legitimate interest in her blog, so in this blog, I will cover the topic of consent.

As a previous blog in our series alluded to, a key change in the upcoming GDPR enforcement is how companies are able to gain consent from their data subjects. Previously, implicit or opt-out consent was allowed in certain circumstances. As an example, under previous laws, it was acceptable for email marketers to pre-check their opt-in boxes when signing users up to receive their emails:

That all changes after May 25, 2018. For most companies, this will drastically change how they’re able to opt users into their services. 

GDPR sets a new standard for consent. Under the GDPR, “consent” means “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” (Article 4(11)). While the concepts themselves are not new, the enforcement and potential consequences of non-compliance are unknown territory. 

I’m sure many of you are asking yourselves if your current consent practices comply. I’ve provided the following questions to see how they stack up:

  • Is your current consent unambiguous? Does it require a statement or clear affirmative action in order to opt someone in? Inaction, pre-checked boxes, or opt-out language is in violation. An example is included below:
  • Is current consent freely given? Does the data subject have a genuine choice to provide their data? Will they be negatively impacted if they withhold consent?
    • If the data subject has no genuine or free choice, or is unable to refuse or withdraw consent easily and without detriment (Article 7(3)), you are in violation.
    • If the conditions of a contract (including the provision of a service) are conditional on consenting to the processing of personal data that is not necessary for the performance of that contract (Article 7(4)), you are in violation.

  • Is the current consent specific? Does it include all purposes/reasons for the data processing which will occur? Below is considered sufficient for email collection:
  • Is the current consent informed? Does the language make the data subject aware of their right to withdraw? Does it make it clear who the data controller is and the purposes of collecting the data?
    • Included below is a great example of a company informing its users of their ability to access or withdraw data:

  • Are you keeping accurate records of consent? This includes who, when, how, and what you’ve told data subjects.

If you’ve answered no to any of these questions, you’re not alone. Return Path works with many businesses that still have updates to make in order to be fully compliant with GDPR come May 25, 2018. To help your teams prepare, I’ve detailed how Return Path is updating our consent practices to ensure our GDPR Compliance:

  • Updating our Privacy Policy: Return Path has always maintained a very transparent Privacy Policy. However, to better comply with GDPR, we’re moving to a single Privacy Policy across all products in the organization. This allows users to more easily access all policy-related information in one spot vs. multiple privacy policies. The Privacy Policy will more clearly inform users how their data will be processed and shared. It will also outline exactly how data subjects can exercise their right to access or remove data.
  • Updating consumer application disclosures: Although the previous disclosure language within Return Path consumer applications (Shopami, Whisker Widget, Organizer, Unsubscriber) disclosed that we share data with third parties, we will be updating the disclosure to be more transparent about how that data is used to ensure data subjects are making an informed choice. We will also be including an unchecked checkbox in close proximity to the sign-up/download of the product.
  • Updating Certification Program standards: We realize that the new GDPR practices impose a higher duty of consent than our current certification standards. We’re reviewing the standards at this time to determine a consent standard which will be better aligned with GDPR. We will be releasing more details around these updates very soon.

While this may feel like a large undertaking, updating your consent practices will help customers to understand and feel more at ease with how your business is processing and utilizing their data. In the long run, this will create a more positive experience for them and improve their relationship with your business. Check out our blog post on how consumers benefit from the GDPR to understand this further!
