ComplyTo - GDPR and Consent - When to use it

Consent - Use it as a last resort

Consent everywhere

Written by Kasper Mai Jørgensen, CEO of ComplyTo

Consent to one and consent to the other – You will soon not be able to make a shopping trip or information search on the Internet without suddenly having to give consent to everything.

I would venture to assert that 80% of the consent you give in GDPR's name is insignificant, invalid or, at worst, illegal.

In this post, I would like to make the rules of consent clearer for you with some very specific examples, to which most companies can give a nod of recognition.


Consent is when a company gives a person a choice and control over how the company may use that individual's information. One often uses consent in conjunction with newsletters, where companies, prior to electronic inquiries for legitimate marketing, must have the consumer's consent for the company to make contact. The GDPR’s verbatim definition of consent is as follows:

"Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

4 Consent Scenarios You May Know

Consent to newsletters

Whatever you do, do not ask subscribers to your company's newsletter to confirm their consent due to GDPR! You’ll probably end up either losing a large proportion of subscribers or standing in a grey zone.

In the period up to May 25, 2018, many Danes' inboxes were bombarded with mails from companies from whom they had opted to receive newsletters, asking that they confirm their consent under the GDPR. The problem is that the personal data regulation has never said that companies should ask their subscribers whether they will continue to subscribe. And furthermore, asking arouses suspicion that the company is in doubt as to whether it was legally authorised to send newsletters in the first place.

Certainly, consent to newsletters means that the company must make it loud and clear to the user what they agree to receive, and it should always be possible to unsubscribe from the newsletter. Consent can always be withdrawn.

The problem for the businesses that send confirmation messages to their subscribers is that, thereafter, they may neither send newsletters to subscribers who have refused to receive newsletters nor to those who do not respond to the mail. By asking, you have cancelled the prior consent, as they now have to take a position on whether they will continue to receive the newsletter or not.

And if you are or were in doubt that you have the consent of newsletter recipients, there is no other choice than to delete the contacts. But this actually has more to do with marketing rules and spam rules rather than GDPR. You should always have had consent to send newsletters.

Therefore, if you already had valid consent from a person to send newsletters, do not ask again and you can continue to send your exciting newsletters to subscribers.

Consent to cookies

I have stopped counting how many cookie popups have recently been updated in the belief that the company thereby complies with the EU’s personal data regulation. The problem is just that cookies are, basically, governed by the ePrivacy Directive.

In Denmark, cookies are handled by the Danish Business Authority and not the Data Protection Authority. The General Data Protection Regulation does not require a general cookie pop-up policy, although there may be individual instances where it is necessary, for example, by tracking cookies that follow a specific user's behaviour – this could be if you use Google Analytics or Facebook Pixel on your website. In these cases, if you use consent as a basis for collection, you must follow the consent rules of the GDPR – and they say that such cookies must be turned off by default (completely low-skilled, this means that the ”no-thanks” button should be as big and visible as the "yes please" button on the cookie pop-up).

In the vast majority of cases under GDPR, you use commercial interests as the purpose for using such cookies – and thus, under GDPR, you do not need to acquire consent. Of course, you still need to follow the current ePrivacy rules and have, at a minimum, a simple cookie pop-up informing that you use cookies – this is just not necessarily consent in the GDPR sense.

Consent from employees

I've seen many examples of employee identity forms and the like that are being sold as the solution to corporate GDPR issues. BUT – consent cannot be given where there is an unequal power relationship between the donor and the recipient of the consent. Therefore, the consent of an employee will not usually be the right way to go. And if you cannot find a legitimate/commercial interest or contractual obligation to process your employee's personal data – one can also argue whether such personal data are legal.

Consent about Customer Information

"My company stores your personal information so that we can sell you the product and we only collect your data based on your explicit consent." Something like this can be read in lots of privacy policies – and unfortunately, it's wrong and confusing. Sale of goods can be treated with either legitimate interest or contractual obligation as a purpose.

Personal data collected on the basis of consent must be deleted when the consent is withdrawn – and I am quite sure your accountant and the tax authorities will be highly annoyed if you delete your accounting, invoice and purchase history on a customer before 5 years have passed. With the above privacy policy, you must delete personal data if the customer requests it – and that clearly does not make sense.

Keep in mind that it is legitimate to store much of your customer's personal data for up to 5 years after you receive it, as the bookkeeping law is above GDPR in the sense that it provides a valid reason for storing customer information used in bookkeeping. You do not need to consent to it.

If you have any other questions regarding consent or the personal data act, please contact us through our chat in the lower right corner of the page.

More articles

Facebook and GDPR

Your company and Facebook share the responsibility for the company Facebook page.

Read more

GDPR for online shops

GDPR tips and a checklist for online shops.

Read more

Back to Blog Overview

Take me back