I'm working on a web application where the main purpose/functionality is notifying users when there have been changes to regulations in a particular industry.
The application is subscription based, i.e. you have to pay for an account and using it is a choice. Any email addresses for accounts we hold are active users and we do not harvest this data from anywhere. So all email addresses we have are for real users who actively use the software.
We are designing a setup wizard which allows users to set preferences on what information they receive.
One of the settings is yes or no as to whether the application should send notifications via email. This raised debate as to what the default setting should be.
The argument for "no" was that users should explicitly give their permission to receive automated emails and therefore this was the correct default.
The argument for "yes" was that the users have implied consent because they are using an application whose sole purpose is to inform them about changes, and email delivery is the primary way of doing this.
The application is still usable if the user doesn't receive emails because the data which is present in the emails is visible inside a web-based interface. The disadvantage of using the application in this way is that - unless the user logs in - they will not necessarily be aware of any updates. Therefore defaulting email opt-in is preferable.
The pre-sale marketing material for the application makes it clear that email delivery is the main delivery method for the information and getting it directly to your inbox is an advantage of using the system.
What are people's thoughts on this? We are based in the UK but deal with customers worldwide. Is this covered or referred to by GDPR?