As previously discussed, the General Data Protection Regulation (GDPR) created heightened consent standards for companies processing and sharing personal data of EU data subjects. Under the GDPR, consent to the processing of personal data must be freely given, specific, informed, and unambiguous. Further, the GDPR requires affirmative action by the user, forcing them to manually “check/click” opt-in boxes. This removes the potential for “implied consent,” which was acceptable under past practice, where the consent box was already “checked/clicked” for users; under that practice the user gave “implied consent” unless the box was manually “unchecked” (withdrawing their consent).
While the GDPR governs the processing and sharing of personal data, a second set of regulations already regulates electronic direct marketing (EDM). The Privacy and Electronic Communications Regulations (PECR) set rules that organizations must follow when sending EDM. As a result, when organizations process personal data for use in EDM campaigns, they must comply with both the GDPR and PECR.