The GDPR and the Danish Marketing Practices Act state that if you can’t prove your consents, then they don’t exist. It is your responsibility to make sure you have consent from your users - you are accountable.
Businesses today are generally online and collecting large amounts of data about their users and customers. Those who can’t document that they have obtained compliant consents are taking a huge risk - as proper documentation is a requirement for compliance. In this blog, you can find out more about the rules for consent, including the data you need to collect and document to ensure compliance, and the consequences if you can’t prove obtained consents.
There are a number of steps that can be taken to ensure compliance, including mapping out data flows, your processes, and storing your data securely. But one of the most crucial steps you can take to ensure compliance, is to have consents from your users. And if you can’t prove the consents, they don’t exist in the eyes of the data authorities, the law, the GDPR and marketing law regulations. This is important, because without consent evidence - you don’t have the right to access or use the data, or e.g., to nurture your leads. The consequences of not being able to document consent can therefore be costly, which is why documenting consent and having an audit trail is essential.
The requirements for obtaining and documenting consent come from different and sometimes overlapping legislation, and are dependent on the different types of consents you need to collect. Some of the consents that you should always obtain and be able to document are as follows:
As an example, email marketing consent must be obtained from people, before you can send them newsletters and other types of email marketing, i.e. nurture leads, prospects, potential clients, etc.
The rules regulating how to obtain a compliant consent come from the GDPR, the marketing practices Act and guidance from authorities like the ICO (the English data authority), the Danish Consumer Ombudsman and CNIL (the French data authority). Listed below are some of the overall EU rules you need to be aware of, and what they relate to.
EU legislation for ensuring proper consent
|Legislation||What is defined|
|GDPR art 4(11)||The definition of consent|
|GDPR Article 7||Consent requirements|
|GDPR art 30||Documentation|
|Recital 82 in GDPR||In order to demonstrate compliance with this Regulation, the controller or processor should maintain records of processing activities under its responsibility. Each controller and processor should be obliged to cooperate with the supervisory authority and make those records, on request, available to it, so that it might serve for monitoring those processing operations.|
|The E-privacy Directive||Cookies rules|
|The E-commerce Directive||Rules regarding e-commerce and service providers|
These rules should be followed alongside local marketing rules, which are country-specific. In Denmark, companies are obligated to follow the Danish Marketing Practices Act. Article 10 of the Danish Marketing Practices Act covers the rules around email marketing and includes how to ensure compliance in obtaining email marketing consent.
There are a number of different data points you need to collect to have sufficient consent evidence, these are:
Additionally with the email marketing consent, you also have to be able to document that you gave them information about how to unsubscribe.
Being a legal requirement in regards to the validity of your consents, the benefits of being able to document your consents are somewhat implicit. We have, in the past two years, started to see the consequences of GDPR, in the form of fines and negative press. Avoiding these are obvious benefits, but there are other risks to not documenting consents. With more opportunities to collect data about our consumers than ever, a database can provide a competitive advantage in marketing and sales. Obtaining these insights and databases require at the very least time and effort, and in some cases money. So imagine if the whole database, along with all the insights suddenly had to be deleted. This is just one consequence a rising number of companies has been met with, after failing to secure proof of consent.
Another consequence businesses have experienced is that the value of a business could also decrease dramatically. Since GDPR came into effect, valuation of businesses by VCs (venture capital) and business angles have also been based on whether a company had the rights to their data, and if they were compliant. And if they weren’t transactions were either stopped or the valuation of the business decreased.
In summary without a compliant consent businesses risk:
One way of documenting consents and ensuring compliance is through consent management solution Legal Monster. With Legal Monster you can track and store given consents and maintain an overview of obtained consents.