“The key point is that all consent must be opt-in consent – there is no such thing as ‘opt-out consent’”.
The ICO’s draft guidance for consent under the General Data Protection Regulation (GDPR) was published on 2 March 2017 and leaves little doubt as to how the ICO is viewing opt-out consent under GDPR.
Under GDPR, the issue of consent and how to validly obtain consent will be one of the key issues for all sectors, particularly for their marketing and fundraising functions. GDPR states that “silence, pre-ticked boxes or inactivity” should not constitute consent and the ICO has equated the opt-out mechanism with these banned methods. The draft guidance states: “The GDPR does not specifically ban opt-out boxes but they are essentially the same as pre-ticked boxes, which are banned”.
The consultation period on the draft guidance closed on 31 March 2017 and a number of responses were submitted. In particular, the Direct Marketing Association (DMA) has taken the view that the ICO has misinterpreted GDPR in respect of opt-out consents.
Whilst acknowledging the terms of GDPR, the DMA argues that: “after thorough debate within the EU Parliament and Council of Ministers, opt-out methods were not included within recital 32, but pre-ticked boxes were”. The DMA has therefore taken the view that the opt-out mechanism should not be equated to a pre-ticked box.
Other respondents, such as the Institute of Fundraising, have called for further clarification surrounding the opt-out mechanism.
There is little doubt that the demise of the opt-out mechanism would have a significant impact on many organisations and we await the ICO’s finalised guidance on consent with interest.