Call Center Management Featured Article
Blog: Double Opt-In Not Necessarily Required for GDPR Compliance
As businesses prepare for the General Data Protection Regulation to go into effect in the European Union, there’s much discussion on how to comply with GDPR. Businesses obviously want to prepare themselves in an effort to avoid non-compliance fines. But they don’t want to needlessly back themselves into a corner in doing so.
That said, a recent blog by Paul MacKenzie of Ember Group will probably come as good news. It indicates that double opt-in may not be required for those operating in a business-to-business capacity. He comes to this conclusion based on what he says is the Queen’s Counsel interpretation obtained by marketing automation outfit CommuniGator.
Before we get to the details on that, however, let’s define what we mean by double opt-in.
Moosend explains that “Double opt-in is an opt-in setting whereby an individual, upon signing up, receives an email with a verification link. To confirm that it was actually them who entered their email address to the signup box, the individuals need to click that link. Subsequently, the individual is usually notified that they have joined the online community/newsletter, etc.”
OK, now let’s return our attention to the Queen’s Counsel interpretation and MacKenzie’s assessment of double opt-in and marketing email. MacKenzie says that some businesses are wondering if they can email data where there’s no provable double opt-in statement and still comply with GDPR. And he suggests a look at Article 6(1) of the GDPR may offer some guidance on that. It says that you must be able to justify sending a marketing email using lawful processing conditions. It also talks about processing for the legitimate interests pursued by the data controller. This indicates that consent is not the only basis, he points out.
GDPR, which aims to standardize data protection regulations across the EU, goes into effect May 25.
As Adjust notes, GDPR also addresses:
- The right to be forgotten: users can now request to have their data deleted
- The need to provide explicit consent: businesses now have to ask users for permission to collect, use and process data
- Mandatory data breach notifications: if a data leak occurs, authorities and users must be notified within 72 hours
- Privacy by design: data protection is a vital consideration throughout a project lifecycle
- A Data Protection Officer: large enterprises are now required to employ someone dedicated to managing data protection
Edited by Mandi Nowitz