News - Fresh Data Archive Article


International Data Privacy – “Consent” A Must In Europe

Date: December 2011

The attention of the authorities in Europe has been distracted by the financial meltdown, and privacy and data protection officials do not appear to have been in the news much lately. Much of this apparent “inaction” is only because there is much more terrifying news to occupy the headlines. The data protection authorities are always vigilant for violations of the laws, and among those laws is the requirement that a business not collect or use consumers’ information without “consent”.

Thus, one of the things any marketer mailing into Europe needs to think about is whether he, or his list source, has obtained the “consent” of the prospects to whom he is sending offers. Sending an unsolicited offer can result in severe penalties, and the word “consent” is not self-defining.

Earlier this year, the Article 29 Working Party, the European authorities on this sort of thing, issued an opinion on what constitutes “consent” and the conditions under which “consent” will be considered to have been validly obtained under EU data protection law. Consent must be “freely given,” “specific,” “unambiguous,” “explicit,” and “informed”.

Below are some of the Working Party’s key conclusions, which will help marketers develop techniques to obtain valid “consent”:

  • Only statements or actions that indicate the data subject’s agreement constitute valid consent.  Mere silence or inaction, that is, opt-out, typically will not be viewed as valid consent, especially in an online context.  For example, default privacy settings used by online social networks, default Internet browser settings or pre-ticked boxes do not qualify as valid consent.
  • Generally, standard online practice is to collect name, address and email and perhaps a company affiliation and employment level indicator.  Just collecting all this stuff is probably not enough for Europe unless you also actually ask for permission with a positive tick box.
  • And the consent must be given prior to collecting a name and contact data or other personal information.  This messes up the layout, but the consent box should be before the data collection form.
  • Keep a record of the consent.  You will need to build your database appropriately, with fields for date, web page version or other location identifier.
  • And here is the hard part. You can only use the information you get from the customer for the things you’ve told him you were going to do.  If the very clear, very obvious and available privacy notice you provide doesn’t talk about the data analytics exercises you are going to run, you are running a serious legal risk.  Similarly, if you are going to rent your list, be sure you clearly inform your customer of this intention. If you are renting it, be sure to verify that the list owner has done likewise.


Under the EC data law, getting the names and addresses correct is even more critical than in the US. A promotion piece sent to an incorrect address, or to someone with a name similar to your customer’s, could bring an ugly inquiry from a data protection authority. So the international address hygiene work Data Services does on your file protects you from more than just undeliverables and wasted paper/print/delivery. It will save you a lot of legal fees and potential market embarrassment.