Under data protection legislation:
* consent must be a positive action, that makes it clear the individual agrees to the use of their information for direct marketing;
* pre ticked opt-in boxes are not permitted – silence or inactivity from the data subject will not show consent.
* ensure consent for marketing is “unbundled” from other requests for consent;
* inform the individual what methods of marketing communication you are going to use, eg email, text, phone, automated call, post; and
* provide the individual with the option to choose their preferred method(s) of contact. (This is termed granular consent). Individuals should not be forced to agree to all or nothing;
* make it easy for the individual to withdraw consent and tell them how; and
* name your business and any third party relying on consent.
You should be able to identify the:
* name or other identifier of the individual;
* the time and date when they gave consent;
* the platform or mechanism you used to gain consent; and
* exactly what it covers.
You should be easily able to update these records on receipt of any changes.
You should archive the text of the website, leaflet, contract, and telephone script etc. you used to inform the individual at the time they provided consent. You should cross reference this information with customer records to enable you to have an accurate record of what they consented to if you need to retrieve it.
If you operate more than one brand or linked business you must be specific about which business gained the consent. For cross brand marketing you should provide the names of all the brands at the time of gaining consent. You cannot assume that if an individual is agreeing to marketing from one brand that they are consenting to marketing from all the brands.
If you are offering online services to children and you need to obtain consent, you must adopt age-verification measures and seek parental consent for children under 13.
If you pass the details of individuals to third parties for marketing purposes then you must specifically request this consent. You must provide the individual with the name of any/all third parties. There must be enough detail to enable the individual to make an informed choice over marketing.
You should also review existing/legacy consents and consent mechanisms to check they meet the GDPR standard. If they do, you do not need to obtain fresh GDPR compliant consent.
However if the consent is not compliant you will need to seek fresh GDPR-compliant consent, identify a different lawful basis for your processing (and ensure continued processing is fair), or stop the processing.