Why do some GDPR emails require me to opt-out and some to opt-in?

It is not clear that the first kind of email is legal. A French association, la Quadrature du Net, is planning to launch a class action against five big tech companies (the famous "GAFAM") on May 28th about just this practice. Here is a summary of their arguments:

  • Article 6 §1 of GDPR lists six cases for processing personal data legally, one of these is user consent;
  • Article 4 §11 states that consent must be obtained in way that shows it is the will of the user in a clear, specific, informed and unequivocal way;
  • In the preamble of GDPR, it is explained that consent must be a positive action, and there can be no consent in case of silence, pre-checked boxes, or inaction;
  • Article 7 §4 states that when obtaining consent, it is necessary to consider whether processing personal data is absolutely necessary for providing a service.

As a consequence the "G29", the group of national data protection authorities in the EU, affirmed that if a user has no real choice, feels constrained, or will face negative consequences for refusing consent, then the consent given is not valid. The G29 therefore affirmed that GDPR guarantees that giving consent to processing personal data cannot be the counterpart of providing services.

Moreover if a company asks for consent as a legal basis for processing personal data, then they are forbidden from using the other legal bases of Article 6 for justifying their processing.

(The reasoning goes into deeper detail, if you can read French. What I have written above is just a summary.)

So the first email is essentially strong-arming you into accepting something illegal. If the class actions I mentioned above are successful, then you can expect smaller companies to follow suit and stop sending emails of the first kind (or face serious legal consequences).


Some quotes from the GDPR law:

[...] Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided. [...]

[...] Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation [...]

[...] ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her; [...]

[...] When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract. [...]

GDPR requires explicit consent. If a service has been collecting personal data and you did not give explicit consent to it, then they must ask for your consent again, explicitly. I believe in theory a service also needs to ask for explicit consent again every time they modify their privacy policy, although I can't find statement on that. So I believe your example of "pseudo-implicit opt-out" is not legal in any case, even if you had previously given consent explicitly in a GDPR-compliant manner (and I doubt it), because they are now changing their privacy policy and asking you to accept it implicitly by simply continuing to use their service.


The 1st category are the big companies (like large e-mail providers) that will do what they want anyway and since you want to use their service you will have accept their conditions. Not doing that will prevent you from using their services.

The 2nd category are the more fair ones that ask you if you want to receive from them information or not. Usually, those are commercial companies and opting-out in receiving their offers will not prevent you to do business with them.

Tags:

Gdpr

Recent Posts