The GDPR states clearly that:
“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.”
What does it mean when we consider the subscription to a newsletter? It simply means that the “affirmative act” to press the “subscribe” button is enough to process the data IF the collected data is required for the newsletter service and the use of that data is clearly explained. The full GPDR paragraph contains even examples that are worth to be read.
If you offer the newsletter subscription asking for name and email and link your privacy page that explain what is your newsletter service, you’re not required to add other check-boxes. Of course you can’t say “subscribe our newsletter” and then sell the contact to a third party. If you need to have the consent for different data processing which are not strictly correlated, you have to explicitly ask them (for example with a separated check-box).
Here is where Newsletter lists help you. Let’s explain it with an example.
Your blog is a magazine and you offer the newsletter subscription to receive the latest published articles every Monday. When the user subscribes, it clearly expects to receive a message every Monday with a summary of your articles.
You should not send him marketing emails of products from partners. You should explicitly ask the permission to send that kind of communications.
That can be done setting up a list (name it “Product Offers”) which can be added to the subscription form. This is the most clear way to collect the consent. Of course in your privacy page you should add an explanation about that option, for example expanding the kind of products you’re going promote, if you are promoting them directly or if the contact is sold to your partners and so on.
How to link the privacy page
In Newsletter you can configure a privacy check-box with a label and a link which is added just before the “subscribe” button. The check-box can be removed and leave only a label linking the privacy page. That is the best option. Of course you can link the page elsewhere: check out the ICO privacy notes, transparency and controls page.
The consent collection is a continuous process
The relation with your subscriber does not end after the first subscription. You may create new services and new options for your subscribers and those services may require specific consents. For example, a subscriber which initially didn’t opt-in for your marketing messages can then change his mind checking the option on his profile panel.
That is a new consent, so even in the profile page you should link the privacy page where your profile options are explained.
You’re required to log every new consent you get. Newsletter logs every profile change for possible consents: check the “history” tab on the subscriber editing screen. The name change is not tracked: ability to change that data is a right but it’s not related to consents.
Using lists for specific consents, lets you to respect the user preferences. Your marketing emails will be addressed only to the “Product Offers” list, hence who opted-out or never opted-in the list do not receive them (without the risk of a full cancellation).
Progressive consent collection
Offering too many opt-in check-boxes, we know, is not the best choice. Specific consent for different data processing can be collected later. For example you can send an email with an opt-in button for your promotions, for a series of lessons and so on. The button is a special link to opt-in a specific list.
In this case the button click is an affirmative act, states that you explained clearly what means clicking that button.
Always leave in the profile panel the option to opt-out your various message channels.
Lists can be used for segmentation. That kind of data processing does not need consent is a legitimate interest try to better understand your public, target it with relevant content. Those kind of lists can be kept private and not available in the subscriber panel.