I'm working on a web application where the main purpose/functionality is notifying users when there have been changes to regulations in a particular industry.

The application is subscription based, i.e. you have to pay for an account and using it is a choice. Any email addresses for accounts we hold are active users and we do not harvest this data from anywhere. So all email addresses we have are for real users who actively use the software.

We are designing a setup wizard which allows users to set preferences on what information they receive.

One of the settings is yes or no as to whether the application should send notifications via email. This raised debate as to what the default setting should be.

The argument for "no" was that users should explicitly give their permission to receive automated emails and therefore this was the correct default.

The argument for "yes" was that the users have implied consent because they are using an application whose sole purpose is to inform them about changes, and email delivery is the primary way of doing this.

The application is still usable if the user doesn't receive emails because the data which is present in the emails is visible inside a web-based interface. The disadvantage of using the application in this way is that - unless the user logs in - they will not necessarily be aware of any updates. Therefore defaulting email opt-in is preferable.

The pre-sale marketing material for the application makes it clear that email delivery is the main delivery method for the information and getting it directly to your inbox is an advantage of using the system.

What are people's thoughts on this? We are based in the UK but deal with customers worldwide. Is this covered or referred to by GDPR?

Andy
  • Pre GDPR, I think the default should be yes. Now GDPR is in place it probably has to be no, as the legislation is so strict on informed consent. – paj28 Aug 14 '19 at 12:32
  • That's really the reason the question has been asked. I've updated it to reference GDPR. – Andy Aug 14 '19 at 12:34
  • I'd be inclined to say no, but I'm not a lawyer. This might be better on [Law.SE](https://law.stackexchange.com/) – Philip Rowlands Aug 14 '19 at 12:35
  • @PhilipRowlands thanks I'll ask it on there as well – Andy Aug 14 '19 at 12:36
  • Since this is about what would pass regulation, this is a better fit on Law. We don't want to give you bad regulatory advice and get you (and us) into trouble. – schroeder Aug 14 '19 at 13:03
  • You can contact the ICO for their thoughts on this. So straight to the source. – schroeder Aug 14 '19 at 13:11

1 Answer

You have an argument for yes as the default, but you will have to go to the ICO/court if someone wants to challenge that. As the case law for GDPR is very thin on the ground, you are potentially the test case, which is a bad place to be.

If it goes to court, it will cost time and money. Even if it doesn't get to court, you will be paying lawyers, so it will cost time and money.

Personally I would choose option 3, not have a default and require the user to select yes or no.

Edit:

To clarify, the following line gives a solid answer for why you would be paying lawyers if someone challenged this:

> The application is still usable if the user doesn't receive emails because the data which is present in the emails is visible inside a web-based interface

The argument is that you can sign up for the service and not want emails. This implies that signing up is not explicit consent.

chris
  • There aren't 3 options. Emails are either enabled or disabled. The question is what the default should be. – Andy Aug 14 '19 at 12:41
  • I would recommend no, if you can't make the wizard force a user selection. – chris Aug 14 '19 at 12:46
  • Court is not the place. The ICO is the place. Case law might be thin, but the guidance from the ICO is not. And the best advice is to contact the ICO for their advice before implementing anything. It doesn't cost anything. – schroeder Aug 14 '19 at 13:11
  • @Andy The explanation "Ask the user for consent when they register" is pretty clear. –  Aug 14 '19 at 13:12
  • @MechMK1 but there is explicit consent by the nature of signing up for the service. It's in the user's interest to be emailed because that's why they are there. You could create a disruption in service by defaulting to no when the user then expects emails and then doesn't get them. It's the nature of the consent that requires ICO opinion. – schroeder Aug 14 '19 at 13:17
  • I would argue that displaying "By signing up for *this service* you explicitly consent to receiving e-mails from *this service*. More information about the kinds of e-mails can be found in our privacy policy" is a **much** stronger argument for claiming users consented to it than implicit consent. I say this because implicit consent can be much more dangerous than just adding a potentially awkward-looking UI element. –  Aug 14 '19 at 13:21