
I've noticed a trend in emails I've received as a result of GDPR, some of them are sort of 'opt-out' (or pseudo-opt-out where you just need to stop using their service) like so:

Our updated Privacy Policy explains your rights under this new law and will become effective on May 25, 2018. By continuing to use our site or app after this date, you are agreeing to these updated terms.

Or they require you to opt-in:

Hi, this is another one of those General Data Protection Regulation ("GDPR") emails where we request permission to email you, even if you are outside of the EU.

We hope that you'll opt in to continue to receive an email every now and then about our latest updates.

What differentiates the two requests? Are they storing different data on me, or is it more to do with their service? I've seen some companies that only email me about promotions etc (similar to the second quote above), and they have the pseudo-opt-out message, so I don't think it's service related.

AncientSwordRage
  • The first example there isn't giving them permission to keep emailing, unless they previously used a true opt-in method, but notifying users of updated terms. Not all of these are directly related to GDPR - some companies are using it as an excuse to change terms. Note that the top one doesn't specifically mention GDPR – Matthew May 23 '18 at 09:38
  • It could very well be just the way the legal nonsense has been written. Although I am not a lawyer so don't take my word for it. – May 23 '18 at 10:30
  • Interesting question, voted up and posted an answer, but can I ask why this question is considered on topic here? I recently asked a question about GDPR from an INFOSEC point of view, yet it was moved to law.SE anyway. Just trying to understand – reed May 23 '18 at 13:17
  • @reed Personally I agree, I deem this to be more of a legal question than an InfoSec one. Just because technology is related, doesn't mean it belongs here so to speak. – May 23 '18 at 14:12
  • This seems to be a question about law, not IT security. This makes it off-topic here. But considering the good answers it received I would like to suggest migrating it to Law Stack Exchange. – Philipp May 24 '18 at 08:42
  • @Philipp GDPR is all about information security though, which is the name of the site. So I understand why it got posted here anyway. – Mast May 24 '18 at 11:22
  • Some actually care about (the intent of) the law, others try to employ a "cookie banner 2.0". Soon we will see who is right and who gets sued. Furthermore some may want you to opt in to more data collection than you are required to accept and they just try to mail you an opt-in link, while others are protecting your data but still must allow an opt-out (and deletion) option. – allo May 24 '18 at 11:52
  • I'm not seeing that this question is about GDPR at all. As asked, it would not be on-topic on Law.SE. To ask "which is more in line with GDPR" would be a legal question. I deem this to simply be a privacy policy question with a GDPR angle. – schroeder May 25 '18 at 09:03

7 Answers


It is not clear that the first kind of email is legal. A French association, la Quadrature du Net, is planning to launch a class action against five big tech companies (the famous "GAFAM") on May 28th about just this practice. Here is a summary of their arguments:

  • Article 6 §1 of GDPR lists six cases for processing personal data legally, one of these is user consent;
  • Article 4 §11 states that consent must be obtained in way that shows it is the will of the user in a clear, specific, informed and unequivocal way;
  • In the preamble of GDPR, it is explained that consent must be a positive action, and there can be no consent in case of silence, pre-checked boxes, or inaction;
  • Article 7 §4 states that when obtaining consent, it is necessary to consider whether processing personal data is absolutely necessary for providing a service.

As a consequence the "G29", the group of national data protection authorities in the EU, affirmed that if a user has no real choice, feels constrained, or will face negative consequences for refusing consent, then the consent given is not valid. The G29 therefore affirmed that GDPR guarantees that giving consent to processing personal data cannot be the counterpart of providing services.

Moreover if a company asks for consent as a legal basis for processing personal data, then they are forbidden from using the other legal bases of Article 6 for justifying their processing.

(The reasoning goes into deeper detail, if you can read French. What I have written above is just a summary.)

So the first email is essentially strong-arming you into accepting something illegal. If the class actions I mentioned above are successful, then you can expect smaller companies to follow suit and stop sending emails of the first kind (or face serious legal consequences).

N.I.
  • The Oracle site presented me with a cookies dialog. No details and a big "Accept all" button. Then I had to go through a multiple-page setup to disable their sh*t. Finally I was directed to HTTP to again go through the same process. This shouldn't be legal. – akostadinov May 23 '18 at 19:19
  • "giving consent to processing personal data cannot be the counterpart of providing services". Does that mean that Google, Facebook, etc. should allow the users to choose between free plans (with the usual tracking, ads, etc. as it is now) and paid plans (with no processing of personal data at all, no consent for anything) for all their services? It would make sense, and it would be cool. – reed May 23 '18 at 23:28
  • @reed No. In your example, processing personal data is still a counterpart for providing services. – N.I. May 24 '18 at 00:21
  • But processing personal data is actually the main business model of those companies. So are you saying that the GDPR means the death of such a business model? No free services anymore, everything paid? On second thought some parts of the GDPR might suggest so, but I suspect it won't be interpreted so strictly in practice. – reed May 24 '18 at 00:50
  • @reed The companies need to find a new business model if they want to continue operating in the EU, yes. Or at least find a way to make their model legal. I am not certain why you would think that courts will not interpret the law strictly. – N.I. May 24 '18 at 01:05
  • @NajibIdrissi: Without going too much off-topic, there is such a concept as _legislative intent_. Courts can resolve ambiguities in law by looking at the results of the conflicting interpretations and comparing those to the stated intents of that law. Hence, if one GDPR interpretation allows a certain business model and another doesn't, the chosen interpretation may very well depend on whether the legislation was intended to allow that business model. – MSalters May 24 '18 at 07:30
  • @MSalters 1. Are you certain that you are not applying American concepts to European law? 2. Have you read the preamble of the GDPR, the discussions of the European parliament that are quoted on the QDN's webpage, or hell the quotes from the G29 that I mentioned? Because it is quite evident what the intent of the law is. – N.I. May 24 '18 at 13:15
  • @NajibIdrissi: Those preambles wouldn't be there if not to formalize legislative intent. So, yes, I'm sure that it's not a purely American concept. Also, note that I mostly agree with your observation that consent is not freely given when it's mandatory to receive (logically unrelated) services; just see my recent GDPR answers over on Law.SE. – MSalters May 24 '18 at 13:32
  • @MSalters I would be happy to take you at your word, but can you produce any source for legislative intent being a concept outside the US? Regarding the second part of your comment: so you were just taking an opportunity to flaunt your knowledge and were not making any actual point? – N.I. May 24 '18 at 13:41
  • @NajibIdrissi It's certainly a concept in *UK* law, at least - Google for "parliamentary intent" or "parliamentary intention" and you'll find plenty of results. http://www.statutelawsociety.co.uk/wp-content/uploads/2017/11/The-Myth-of-Parliamentary-Intent-text.pdf (a paper attacking the notion as incoherent) begins by noting that *"Time without number judges have referred to the intention of Parliament. The intention of Parliament is seen as the key to the interpretation of statutes. Indeed, the interpretation of statutes is thought to consist in ascertaining the intention of Parliament."* – Mark Amery May 24 '18 at 18:23
  • @NajibIdrissi: India definitely has the notion of legislative intent, as apparently more commonwealth nations do. That's no surprise given their heritage. Continental Europe got it via Friedrich Carl von Savigny's "teleological interpretation" (interpret the meaning of the law from its τέλος, purpose or intent) – MSalters May 24 '18 at 20:25
  • I'm not sure if I fully agree with your sentiment about statement 1... If you continue to use a service, then there's a clear legal, contractual basis for your data being processed... If you do not want any of your data processed, then you have to stop using the services (this could be as simple as your email address is your username) - it's not strong-arming you into anything, just updating terms to continue to use the services in question. – RemarkLima May 24 '18 at 22:01
  • @reed It will only be applied so strictly to non-EU companies. – chrylis -cautiouslyoptimistic- May 24 '18 at 23:41
  • An activist group is already filing complaints based on this http://www.bbc.co.uk/news/technology-44252327 – benxyzzy May 25 '18 at 13:29
  • @MarkAmery: That is not particularly interesting, as both the US and the UK use common law. Under [civil law](https://en.wikipedia.org/wiki/Civil_law_(legal_system)), the basic rules of how a court works are very different. This is the system used throughout most of Europe and is far more relevant than what they do in the UK. – Kevin May 26 '18 at 15:36
  • @RemarkLima The important difference is **"Do they need to process your data to provide the service?"** If they need your data, then in most cases they do not even need to ask for consent. But if they plan to do things with your data which are completely unrelated to the provided service (aside from financing it) - then they need your free and willing consent! – Falco May 28 '18 at 09:11
  • @Falco I completely agree, that's what I was meaning! – RemarkLima May 28 '18 at 09:15
  • (-1) This answer confuses two completely separate issues. The first email is basically informing you of a change in the conditions of service, with the usual boilerplate about continuing use implying you accept the change. The change seems to be required to meet the GDPR requirements regarding information but sending emails would anyway be illegal if the sender hadn't collected consent beforehand so it's not strong-arming you into consenting to anything you hadn't consented to before. – Relaxed May 28 '18 at 19:14
  • The class action you are referring to does not mention emails at all, it's based on the nature of the agreement itself (bundling consent for different types of data processing that are not required to render the service), which would be just as problematic *even if the user consents to it in response to the second email or without ever receiving an email.* – Relaxed May 28 '18 at 19:17
  • @reed Consent to processing required to provide the service is not required. Eg, when you order at an online shop, they don't need your consent to process your address **for the purpose of sending the package**. The shop can ask for extra consent to **additional** processing, like spam later. So, Facebook doesn't need your consent to process and host your profile, because that is the service provided. As for ads, processing your data results in better ads: better paid for them, more relevant for you. Without your consent to personalized ads, they'll just show you more random ads to make up for that. – Agent_L May 28 '18 at 19:33
  • @akostadinov If this were actually important to very many people (or more important than getting free service and more accurate results), then businesses that don't do this stuff with data would already exist and be profitable. What shouldn't be legal is statists trying to decide what values everybody has. – jpmc26 May 29 '18 at 05:31

Some quotes from the GDPR law:

[...] Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided. [...]

[...] Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation [...]

[...] ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her; [...]

[...] When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract. [...]

GDPR requires explicit consent. If a service has been collecting personal data and you did not give explicit consent to it, then they must ask for your consent again, explicitly. I believe in theory a service also needs to ask for explicit consent again every time they modify their privacy policy, although I can't find a statement on that. So I believe your example of "pseudo-implicit opt-out" is not legal in any case, even if you had previously given consent explicitly in a GDPR-compliant manner (and I doubt it), because they are now changing their privacy policy and asking you to accept it implicitly by simply continuing to use their service.

reed
  • Assuming they are choosing to use the consent justification. It may be those emailing "opt-out" links are claiming legitimate interest, but offering an opt-out to comply with other rights. – Neil P May 23 '18 at 15:24
  • GDPR does not require explicit consent - this is just one of 6 lawful bases for processing. – symcbean May 24 '18 at 12:14
  • @symcbean, you are right, in some cases you don't really need the user's consent for everything. But in this particular case I think we were talking about consent (opt-in, opt-out, etc.) and as far as I understand it should be explicit. – reed May 24 '18 at 22:24
  • *If a service has been collecting personal data and you did not give explicit consent to it, then they must ask for your consent again, explicitly* makes little sense. If they don't have consent, they cannot process your data even if it's only to ask for said consent. The most charitable interpretation is that these emails are just the usual “we've changed our conditions of use” email, unrelated to the notion of consent under the GDPR. – Relaxed May 28 '18 at 19:21
  • @Relaxed, you might have given *implicit* consent in the past, or not-explicit-enough consent for GDPR. The contrast I was pointing out is between implicit / explicit, not between consent / no-consent. – reed May 28 '18 at 19:56
  • @reed I got that but that does not solve the problem. If implicit consent is not good enough then you don't have consent, period. Whatever the standard is, you need to have met it *before* sending an email. Maybe they think they can get away with it but the law certainly does not say you have to ask for consent again, what it says is that you have to stop using the data. – Relaxed May 28 '18 at 21:35

The 1st category are the big companies (like large e-mail providers) that will do what they want anyway, and since you want to use their service you will have to accept their conditions. Not doing that will prevent you from using their services.

The 2nd category are the more fair ones that ask you whether you want to receive information from them or not. Usually, those are commercial companies, and opting out of receiving their offers will not prevent you from doing business with them.

Overmind
  • "Not doing that will prevent you from using their services." is forbidden by GDPR and I know an association (called "La Quadrature du Net" if you are interested) that has already planned to launch class actions against 12 big companies (including Google, Apple, Facebook, Amazon, Microsoft...) next Monday, and the main complaint is this. – N.I. May 23 '18 at 15:37
  • @NajibIdrissi can you provide a link to that article specifically? The quadrature website is a little dense. – Matthew FitzGerald-Chamberlain May 23 '18 at 15:53
  • @MatthewFitzGerald-Chamberlain I wrote an answer containing a summary and a link. – N.I. May 23 '18 at 15:59
  • @Najib - yes, that is correct, but the big oppressors don't really care. They will keep doing what they do. – Overmind May 24 '18 at 05:04
  • @NajibIdrissi from what I can read, the action is started on Friday 2018-May-25 (not next Monday). Here is a link for the French version: https://gafam.laquadrature.net/ – Pacopaco May 24 '18 at 13:36

Firstly, there's no case law yet, and different lawyers are interpreting the rules in different ways: some are playing very safe, others are sailing closer to the wind. Some probably reckon that they are unlikely to be high on the list of people worth prosecuting. (Let's face it, no-one's going to prosecute a sports club for keeping a note of who last fixed the lawnmower).

Secondly, consent is only one of the ways in which data retention can be permissible. Others include the existence of a contract, the need to comply with laws and regulations, and "legitimate interests" (which is very much open to interpretation: but for example an insurance company can retain your claims history so that it can detect a pattern of fraudulent claims).

Thirdly, contrary to appearances, existing consents don't need to be renewed for GDPR; if you consented last year, that's (probably!) quite good enough.

IANAL - I have read the regulations, though.

Michael Kay

As other answers have stated, GDPR requires explicit, informed, unambiguous consent. Plus, according to the accountability principle, data controllers shall be able to demonstrate that. In theory:

  1. Organisations that are sending opt-out e-mails did already have your explicit consent properly recorded (e.g. when you subscribed to a newsletter, or signed a contract), and maybe they are updating their privacy policies to better align to GDPR, and thus they send you an e-mail, and they take advantage to remind you that you can always opt out.
  2. Organisations that are sending opt-in e-mails did not have proper consent recorded, and they are rushing to get your consent recorded and stored in their brand new GDPR management tools.

In practice:

  1. Some organisations that are sending opt-out e-mails maybe are walking on thin ice, and they trust that their old-fashioned consents will be recognized by authorities, when it comes to it.
  2. Some organisations that are sending opt-in e-mails were already outside the law (with respect to the previous directive and the Member State laws), but they now regret it as they become afraid of the fines.

Or, it depends on the lawyer each of them has hired.

ysmartin

On top of the areas already mentioned here, there's a section of GDPR relating to data retention. A lot of the e-mails which are asking people (or at least the ones I am getting) to opt in are also stating that they haven't had any interaction with (or rather, from) me for a few years, and therefore if I want to continue to receive their e-mails still, then there's the need to re-opt in. This lets them know that their data are up-to-date, and anything else can be removed.

Whilst the UK data protection act already states that data cannot be kept for longer than needed, it was largely ignored and mailing lists continued to grow. GDPR, however, requires that data are removed after a reasonable amount of time. If you opt-in, you're resetting the clock on their data being relevant.

gabe3886

There are 2 things in play here:

  • whether the old consent is still valid, because it was asked in a way that was already compliant with this incoming law (which gives an impression of an opt-out, but it's merely a continuation of your old opt-in) vs. the old consent was found insufficient or void so you need to renew it, eg. because the checkbox was ticked by default (it actually was opt-out back then so it has to be replaced by a brand new opt-in).
  • whether the company wants to keep things going as they were (again, old opt-in that feels like opt-out now) or they are using the opportunity to ask you for more permissions than they already had (opt-in to something entirely new, like emails).

It seems that you're dealing with the first case here. The first company merely updated its policies and deemed old consents good enough, while the second one deemed your old consent void under the new law and asks you to consent anew.

GDPR is not new; here where I live it had 2 years of vacatio legis, so in theory sites could have been prepared for at least 2 years. It's perfectly imaginable that some consents are already compliant (in reality, nobody cared until the bill came into force).

About case number 2, there is an example on https://gdprhallofshame.com/ where Zoom are trying to do exactly that.

Agent_L