The irony of the non-compliant GDPR consent email

GDPR desperation is reaching fever pitch

I'm certainly not the only one to have been bombarded by GDPR consent emails over the past month. If you've signed up to a service, played a game or indeed used the internet at all in your life, chances are that at least one company - but more likely hundreds - has been keeping your details for marketing.

It wasn't until the email barrage began that I realised just how many marketing lists we are all on, and GDPR has already proven its value in stopping contact from all of them, wholesale. But the most hilarious/worrying factor (depending on which side of the fence you sit on) was how many of the emails themselves appeared non-compliant.

Organisations seem to have been taking the run-up to the GDPR on Friday as an opportunity to test the regulation's boundaries. I've seen emails with consent pre-filled, with requests for blanket approval and even some that threaten a reduction in service.

Emotional blackmail is a common way to try to retain consent

There's no doubt that these organisations aren't adhering to the spirit of the law, and are just toeing the line when it comes to the word.

Recital 32 of the GDPR, for example, states that ‘Silence, pre-ticked boxes or inactivity should not...constitute consent'; and Article 7 says that ‘the request for consent shall be presented in a manner which is clearly distinguishable from the other matters'. You can't get much clearer than that.

Another section of Article 7 (7.4/Recital 43, if you're interested) specifies that consent requests must be kept separate from other parts of the contract, like terms and conditions. The ICO also has its own guidance on the regulation, setting out a template for how companies should run consent campaigns.

Basically, the ICO is probably wise to most - it would be short-sighted to say all - of the ways that organisations might try to weasel out of compliance.

If the way that many companies are approaching consent is any guide, then many of them still (one day before the regulation comes in to effect, at the time of writing) do not fully understand the implications of the GDPR.

There might be the temptation to pay lip service to the legislation and hope that you can carry on as before; but that's short-sighted at best, and asking for trouble at the worst. As well as significant fines, companies operating in this way also run the risk of losing something else: the trust of their customers.

GDPR is the most consumer-friendly piece of legislation that has been drafted in years, and tricking people into staying on marketing lists is not the way to make repeat sales.

Instead, organisations have the chance to build trust now, by giving customers the power to hear from them (and those who choose to do so are guaranteed to be the ones most open to being sold to).

The ill-conceived consent campaigns currently clogging our inboxes are likely to be found in breach of the regulations, and companies will have to spend time and money re-running them.

Worse, in the long-term, they will cost themselves something more nebulous, but just as valuable: consumer confidence in their brand.