GDPR Requirements for Consent: What You Need to Know

March 6, 2018 Michelle Miles



If “the art and science of asking questions is the source of all knowledge,” then webinar attendees left our GDPR presentation a whole lot smarter.

For those of you who missed our recent webinar, Fearless Marketing Strategies for GDPR World, you missed a good discussion. The most popular topic of the day was “consent.” We had many questions regarding GDPR compliance requirements: everything from permission to retain personal data, to what to do if you are unsure if consent exists or are missing the documentation to back it up. All very valid questions! Our answers: GDPR loves documentation, and hedging your “consent bet” now is better than a risky gamble later on.

GDPR Documentation for your Database

We’ve covered the topic before, but it’s worth another mention: auditing your database for GDPR compliance may be painstaking and time-consuming, but it is also highly recommended; appropriate documentation is just as necessary as capturing consent. To verify consent, all EU records in your database should have:

  • opt-in date and timestamp
  • opt-in source
  • opt-in IP address (if available)

For records that are questionable, better safe than in doubt is the rule of thumb. Run a whitelisting (verification) campaign now, so there’s no question regarding if, how or when consent was obtained. No one wants to be fined €20 million or stop European marketing operations due to records you thought were compliant but are not.  

And just a reminder, track BOTH data consent and email consent as one does not guarantee the other. Having said that, email consent can constitute data consent, if appropriate privacy policies are acknowledged.

Bundling Consent: What to Do and What to Avoid

Our webinar audience was also very savvy regarding stipulations about bundling consent, with 53% answering our presentation poll correctly.  

When using content (such as a whitepaper) to attract interest, per GDPR, opting-in to marketing communications cannot be assumed or bundled with another action. You may, however, include it as a separate action on the same form if your opt-in checkbox is unchecked and not required to download the promoted content asset. And always ALWAYS link your forms to your privacy policy! This sample is an excellent example of a GDPR compliant form:

GDPR Compliant Form


As we talk more and more about consent, we’re frequently asked another question: does CASL (Canadian Anti-Spam Law) compliance mean you are also GDPR compliant? Aren’t the two processes for capturing consent very similar? In a word, yes and no. (OK, two words.) The opt-in process is similar, as both consent intake processes should include an unchecked checkbox on a form, the capture of date/timestamp, opt-in source and opt-in IP, and a link to your privacy policy. If you’re already using this methodology for CASL, you can extend it to your GDPR operations.

However, while both regulations are permission-based, that’s where the similarity ends. We like to think of GDPR as “CASL on steroids”—GDPR extends much further than CASL and with stiffer penalties. GDPR goes beyond permission to email, extending into cookies, data processing and other elements that are not governed by CASL.

The distinct geographic differences aside, here’s a summary of how the two legislations compare:



CASL: Regulates communications and the company sending them. Ex: non-profit organizations sending fundraising messages are exempt.
GDPR: Protects the individual—control of data collection, usage and storage belongs to the data subject, not limited to email communication. No company is exempt.

CASL: Covers electronic messages sent: email, text messages, social media communications.
GDPR: Covers all communications PLUS the collection and retention of personal data in general—much more than just email.

CASL: Excludes fax messages and fax numbers.
GDPR: Includes ALL data that can personally identify an individual.

CASL: Excludes messages that will be opened outside of Canada or in a foreign country.
GDPR: Covers European residents regardless of country of citizenship. If you are living in Europe even temporarily, GDPR covers you during the length of your stay.

CASL: Includes some clauses for sending cold communications without permission.
GDPR: No marketing communications may be sent without express consent.

CASL: Implied consent is permissible in some instances: if a business relationship exists from a commercial transaction, if a non-business relationship such as a club/association membership exists, or if the individual makes their email address publicly accessible.
GDPR: No implied consent; express consent or legitimate interest is required to send marketing communications.

CASL: The process for obtaining express consent includes providing the purpose and description of the messages you’ll be sending; the requesting company’s complete contact information is included, along with the option to unsubscribe.
GDPR: Express consent includes permission to retain personal data and to send marketing communications, two separate actions. Consent may be withdrawn at any time; additionally, an individual may request a transfer or complete removal of all data.

CASL: The maximum fine is $10 million.
GDPR: No cap on fines. The penalty for non-compliance is €20 million or 4% of global revenues, whichever is higher.

CASL: $1.5 million: total fines issued in the first three years of implementation.
GDPR: $6 billion: estimated penalties in the first year of enforcement (Oliver Wyman, June 2017).

Never Stop Learning

We can’t say it enough: keep advancing your GDPR knowledge. For those who attended our live webinar, thank you for your participation and excellent questions. For those who missed it, the on-demand presentation—including 40 minutes of questions from your industry peers that you might have too—will enhance your understanding of consent as well as the impact of GDPR on your privacy policy, data enrichment practices, cookie usage and more. When it comes to GDPR, there’s always knowledge to be gained; 100% of our webinar survey respondents said they learned something new. In my mind, that’s a mission accomplished and a win for us all.


Advance your Marketo skills, ask your GDPR questions and meet the Perkuto team at Marketing Nation Summit, April 29 – May 2, 2018. Register as Perkuto’s referral and save $300 when you use promo code Perkuto300.  

