I've been working on setting up a GDPR compliant member sign-up process that includes an opt-in for the optional Community Newsletter (to promote content using Bulk Mail).
GDPR has quite a few requirements which Invision Community software fulfills nicely. E.g. the consent to receive e-mails is correctly recorded in the Admin panel.
One thing though kept me digging for more information. When using double opt-in procedures, is one transactional email sufficient to confirm the member sign-up AND the receipt of the newsletter? Or would a user have to confirm each item (member account and newsletter) separately?
I've run a few tests on other websites and out of 6 examples, 5 of them separated the verification e-mails. So this made me think whether only one verification email is sufficient or not.
Other resources I studied hinted as well that one verification mail might not be enough. Phrases like "Consent must be specific, Consent must be unambiguous, etc." and statements on gdpr.eu like "If you have more than one reason to conduct a data processing activity, you must obtain consent for all those purposes. So if you store phone numbers for both marketing and identity verification purposes, you must obtain consent for each purpose."
In the end I contacted https://ico.org.uk (The UK’s independent authority set up to uphold information rights in the public interest...) and explained the use case. I asked if "giving consent" is done via the sign-up form and the respective checkboxes, or whether the individual's consent is only given by clicking a link in a verification email. The answer was that consent is given on the sign-up form and as long as this information is unambiguous and separated by using e.g. checkboxes, then this should be fine. The verification email is about verifying the sender's email address and not really about giving consent...
My findings so far:
- Double opt-in is not a requirement as long as the consent can be documented. However, double opt-in is a relatively easy way to prove consent and that explains why most services use this option. In our case, using Invision Community, consent is documented in the admin panel. So double opt-in is nice to have and mainly serves to verify the e-mail address.
- So the path Invision Community has chosen seems to fulfill GDPR requirements, i.e. as long as the relevant text next to the checkboxes etc. points out clearly what the data is used for.
Have some of you come across the same issue? Would you agree with my findings?
IDEA: To make it even more bullet-proof, a good option would be that, if a user ticks the box for the newsletter, a separate verification mail just for the newsletter is sent out.