

« Do I need to collect consent? » – Mythbusting marketing obligations in a GDPR and CCPA era

May 5, 2020 by Yannig Roth

Any marketer even remotely interested in the legal landscape around 2016 heard all sorts of claims about GDPR. The regulation would be the end of newsletters, of solicitations, of targeted advertising. Companies would face tremendous fines if they failed to become compliant within a year. Two years after GDPR came into effect, marketing still exists and internet users see only two differences from how it was before: fewer pre-ticked boxes in registration forms, and more cookie consent notices every time they visit a website. Customer experience has become increasingly tedious, while marketing departments are still unclear on how to handle data collection and processing in a compliant way.

Why are marketers so concerned with GDPR?

Following the digital transformation trends, most marketing departments have been relying on data collection to follow prospects, create campaigns, feed their CRM and target their visitors with massive emailing campaigns. The arrival of GDPR changed the trend and set new rules, particularly with regard to the collection and use of personal data. For marketing departments, frantic data collection as a whole is now called into question, with two main concerns:

  • what are marketing departments allowed to collect?
  • when should marketers ask their prospects for permission, and what for?

While hundreds of blogs and whitepapers have been written about these questions, the answer is simple: you can collect anything, as long as you have good reasons to do so. And a good reason, in GDPR language, is called a legal basis.

What is a legal basis?

The legal basis is the legal ground that allows a company to carry out any data processing. Article 6 of GDPR lists the 6 possible legal bases, but companies usually operate within one of the following:

  • Performance of a contract to which the data subject is party
  • Legitimate interest of the data controller
  • Consent

This is why the department of operations at an insurer can collect so much personal data about their customers: they are performing a contract with the data subject. 

On the other side, marketing carries more complexity when it comes to picking a legitimate basis for personal data, because most marketing interactions happen before a contract is set between the company and the customer. In most cases, the data processing carried out by the marketing team relies either on (1) the “legitimate interest” of the company, or on (2) explicit user consent.

Legitimate interest means that the company collects and uses data to perform a definite action that benefits it, like prospecting, raising awareness, or improving its service. Legitimate interest is then the most flexible legal basis: the company can carry out data processing as long as it has a definite purpose in mind, and this purpose is not overridden by the individual’s interests, rights, or freedom.

But then comes the next question: how to translate this into an actual way of doing marketing? Who sets the limit? Legal questions like this one are anything but common sense for most professionals.

It is often a gray area: the company has a legitimate interest in raising awareness about its products, but this interest is not important enough that it can collect all the lifestyle and habits data of its customers. Yet, determining the right amount of data and the collection methods that fit this balance is complex. Thus marketers usually decide to rely on consent to carry out their data processing activities.

It comes with other concerns: Do customers have to consent to receive each new campaign? Is consent valid for all types of processing? Should marketers ask for the same consent periodically?

Validity of consent

While GDPR sets a limited number of principles with regards to the validity of consent, operational staff have a hard time translating it into actual marketing elements. Section 4 of GDPR sets out the following principles:

Consent should be freely given

The data subject must be able to say no. They can choose to consent or not to consent without suffering degradation of service or other negative consequences if they refuse. For example, when downloading a whitepaper that will be communicated by e-mail, making the receipt of the e-mail conditional on the provision of other personal data (surname, first name, position, company, etc.) does not allow the data subject to consent freely. This is precisely why – to download our whitepaper – we only ask for your email address!

Twitter became famous for their “worst practice” of free consent, by offering its users the option to unsubscribe if they refused the Terms and Conditions. Those terms and conditions contained the principles of data collection and use, which cornered users into consenting to everything if they wanted to use the service at all.

Consent should be specific

The data subject consents to the processing of a specific type of personal data for a clearly defined purpose (a single purpose, for a single processing operation, in the GDPR words). It should be clear which processing you intend to carry out and are asking consent for. Each purpose thus requires collecting a specific consent: if a company wishes to use a prospect’s e-mail address to send them other relevant whitepapers, and to communicate this address to a partner who would also like to send promotional content, the two consents must be requested separately, with a clear distinction between the purposes. The data subject must be able to say yes to the first, and no to the second.

Consent should be informed

Informed consent means that the data subject knows who is processing the data, what will happen to the data, the purpose of the processing and how they can change their mind and withdraw their consent. Sadly, this is where we see the worst implementations: instead of improving transparency, it results in a list of bullet points with generic information that checks the boxes of GDPR without respecting the spirit of the law. If you want to collect consent according to the rules of GDPR, you should clearly state who handles the processing, who decides what the data will be used for, why this or that type of data is collected, and how the data subject can withdraw their consent if they change their mind about the processing. And anyone should be able to understand that information without reading a 2-page-long pop-up.

Consent should be unambiguous

In a word, there should be no doubt that the data subject has given their consent. Pre-ticked checkboxes, dark patterns, passive consent (“by continuing to browse this website, you accept...”), or any other design that discourages or prevents the person from making a positive act of consent will invalidate consent. According to GDPR Recital 32, “Silence, pre-ticked boxes or inactivity should not therefore constitute consent.”

How to create a seamless GDPR-compliant user experience

This is theory. In practice, most companies are struggling to integrate compliance into their user experience. They try to be serious about consent, and add pop-ups to their website, send periodic emails or push notifications. As customer journeys have grown increasingly complex, they end up asking for the same consent three times on three different channels.

CRM software and GDPR: a failed match

Usual marketing tools like CRM software have not been designed to take into account consent and privacy issues. Their monolithic nature incentivizes marketing teams to ask for the same consents again and again, to fail to respect customer choices from one device to another, and to create discontinuity between the Web, mobile and offline experience. Best case scenario? Creating segments, tags and custom emailing campaigns to deal with consent issues.

Marketers juggle emails and forms to deal with consent issues, even though these means are detrimental to the seamlessness of the customer experience as a whole. It also adds complexity when a customer requests erasure of their data: the marketing team will have to dig through CRM notes, segments or attachments and manually make changes, hoping no mistake will be made in the process.

While marketing teams understand the need to streamline data collection, it is perceived as additional and unfair complexity that does not benefit them.

Ensure GDPR compliance with a Preference Center

The best practice to ease consent collection and respect GDPR obligations is to put a Preference Center in place, in addition to the traditional CRM. Brands are increasingly adopting Preference Centers, as we describe in our Preference Center Barometer. Besides plain GDPR compliance, it helps centralize information about customer preferences and data collection in one place, acting like a Single Point of Truth for marketing teams. Integration with other marketing tools like CRM software is seamless, ensuring accuracy and real-time updates of customer data.

The team has an overview of permissions, consents and preferences for every prospect in the database. This information is also made available to the customers, giving them control over what they want to share and under which conditions. From a transparency point of view, gains are tremendous. From the marketing point of view, it also ensures better data quality: customers can withdraw consent if they deem it necessary, correct wrong or outdated information, and indicate the channels of communication they prefer.
