by stinky613 2994 days ago
> Part of this opt-in verification process must include clear documented proof that the person opted in with a full understanding of what they were signing up to.

Does anyone have any idea how to actually do that? How do I prove that a given user actively checked a box?

8 comments

The hard part here is not recording the check on the box--any email service provider will handle that. The hard part is the "full understanding." Historically lots of us have

a) been willfully unclear about what it means to subscribe to a list

b) changed what our mailings are like over time.

We can stop doing (a), with effort, but I don't see how (b) will ever go away. So this is going to be continuous, active effort with subscribers. I would like to think that very easy, reliable, one-click unsubscribe will be sufficient.

Make them take a quiz! That will help opt-in rates.
The article uses "beyond reasonable doubt" which is obviously a misapplication of the legal term of art. This being civil law, not criminal, the 50:50 proof, i.e. "preponderance of the evidence", should suffice.

In reality, I doubt there will be a practical difference to how it has been handled in the past here in Germany, where similar law has long been practice.

That means: your sign-up page needs a checkbox that cannot be pre-checked and that clearly states that it's an opt-in to receive these mails. This needs to be separate from any acceptance of ToS or anything else that is necessary for the transaction in question.

To verify the form submitter's identity, send a verification to their e-mail address (if you haven't already). Make sure the verification email does not already contain any advertisement itself.

Would something like a verification email asking them to double verify answer that? They click the box, then they have to open an email and click a link also verifying it?
But is that sufficient under GDPR? Although a double opt-in has generally been considered good practice for a long time, it only demonstrates that a recipient has agreed to receive mail for some purpose, not for any specific purpose.

Even if you've been building up your mailing list for years, following generally accepted good practices, and only signing up genuinely interested recipients, it seems you could now be in a position where either:

(a) when you signed people up, you provided sufficient information about what you would be sending to them and you can still produce evidence of that today;

(b) you need to contact everyone on your list to obtain explicit, specific consent for whatever you actually send to your list; or

(c) you have to remove anyone who isn't covered by (a) or (b) above (or delete your whole list).

As with so much about the GDPR, what will be accepted as reasonable evidence of informed consent for earlier subscribers to a mailing list is ambiguous, and the consequences of either doing too much or not doing enough are undesirable.

Yes, this is the way that is recommended the most.
You can't prove it, but you can persuade a reasonable person that they probably did. You could do this by showing them your processes, the UI as the user would have seen it, the code that ends up storing that in the database. Also, if your complaint rates are low, they will probably assume that the issue is not on your side.
Short of quizzing the user, you can't prove that they understood. But our lawyers and compliance officers seem to think it's enough to make it so that a decision not to understand is intentionally made by the user.

Like T&Cs, everybody knows that most people don't read them. Nobody's going to start quizzing their user, so what's a reasonable compromise? Forcing the user to at least scroll through some (or all) of it before agreeing. You make it clear that the intention is for you to read it, and that you're agreeing to something you should have read.

I would really like to see that challenged in a court. A company cannot reasonably expect their users to read and understand tens or hundreds of pages of T&C legalese. No one reads them. That's the fact.
Usually you'd save the user's opt-in time, and tie it back to their user account. You would need to make sure the opt-in clearly explains what it's for. You would also save the context of the opt-in: was it during account registration, when they visited a blog post, etc.

Obviously make sure to otherwise comply with the GDPR as you do this.
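As an added example (not code from anyone in this thread), here is one way to keep the record the comment above describes, the opt-in time tied to an identity, the context, and the exact wording that was next to the box, separate from ToS acceptance, combined with the verification-email step described earlier in the thread. Events are append-only and hash-chained so that a later edit to any entry is detectable, and the wording is stored by content hash so "here is what the user agreed to" survives UI redesigns. The HMAC server key, the 48-hour link lifetime, the event field names and the sample newsletter wording are all assumptions for the example.

```python
"""Consent ledger for a mailing-list double opt-in.

Added example for this thread, not code from any commenter or project.
Assumptions (none of these come from the thread): the HMAC server key,
the 48-hour link lifetime, the event field names and the sample wording.
"""
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 48 * 3600           # assumption: verification links expire after 48h
_SERVER_KEY = secrets.token_bytes(32)   # assumption: per-deployment secret kept out of the DB
_GENESIS = "0" * 64


def text_version(consent_text: str) -> str:
    """Content-address the exact wording that sat next to the checkbox, so the
    record still says what the user saw after the UI has been redesigned."""
    return hashlib.sha256(consent_text.encode("utf-8")).hexdigest()


class ConsentLedger:
    """Append-only log of opt-in events; each entry hashes the previous one."""

    def __init__(self) -> None:
        self.events: list = []   # in production: an insert-only table, never UPDATEd
        self.texts: dict = {}    # text_hash -> wording, stored once per version

    def _append(self, event: dict) -> dict:
        event["prev_hash"] = self.events[-1]["entry_hash"] if self.events else _GENESIS
        body = json.dumps(event, sort_keys=True).encode("utf-8")
        event["entry_hash"] = hashlib.sha256(body).hexdigest()
        self.events.append(event)
        return event

    def record_opt_in(self, email: str, consent_text: str, purpose: str,
                      context: str, checkbox_checked: bool, now: Optional[float] = None) -> str:
        """Log the form submission and return the token for the verification link.

        Nothing is recorded unless the dedicated box was actively ticked: an
        accepted ToS or an unticked box is not consent to mailings.
        """
        if not checkbox_checked:
            raise ValueError("no affirmative opt-in: record nothing")
        now = time.time() if now is None else now
        text_hash = text_version(consent_text)
        self.texts.setdefault(text_hash, consent_text)
        self._append({"type": "opt_in_submitted", "email": email, "purpose": purpose,
                      "text_hash": text_hash, "context": context, "at": now})
        return self._issue_token(email, text_hash, now)

    def _issue_token(self, email: str, text_hash: str, now: float) -> str:
        """HMAC ties the link to this address, this wording and an expiry; the
        verification mail carrying it must contain no advertising."""
        expires = int(now) + TOKEN_TTL_SECONDS
        mac = hmac.new(_SERVER_KEY, f"{email}|{text_hash}|{expires}".encode(), hashlib.sha256)
        return f"{expires}.{mac.hexdigest()}"

    def confirm(self, email: str, text_hash: str, token: str, now: Optional[float] = None) -> bool:
        """Second step of the double opt-in: the link from the email was clicked."""
        now = time.time() if now is None else now
        try:
            expires_s, mac = token.split(".", 1)
            expires = int(expires_s)
        except ValueError:
            return False
        if now > expires:
            return False
        expected = hmac.new(_SERVER_KEY, f"{email}|{text_hash}|{expires}".encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return False
        self._append({"type": "opt_in_confirmed", "email": email, "text_hash": text_hash, "at": now})
        return True

    def evidence(self, email: str) -> Optional[dict]:
        """What you produce when asked to show consent: the submission, the
        confirmation, and the exact wording on screen. None if never confirmed."""
        confirmed = [e for e in self.events if e["type"] == "opt_in_confirmed" and e["email"] == email]
        if not confirmed:
            return None
        conf = confirmed[-1]
        sub = next((e for e in reversed(self.events)
                    if e["type"] == "opt_in_submitted" and e["email"] == email
                    and e["text_hash"] == conf["text_hash"]), None)
        if sub is None:
            return None
        return {"submitted": sub, "confirmed": conf, "consent_text": self.texts[sub["text_hash"]]}

    def verify_chain(self) -> bool:
        """Recompute every hash; an edited or deleted entry breaks all later ones.
        This shows the log was not altered after the fact, not that it was honest
        when written: a dishonest controller can still forge the original entry."""
        prev = _GENESIS
        for e in self.events:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()
            if e["prev_hash"] != prev or digest != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True
```

Usage: call `record_opt_in(...)` from the form handler and put the returned token in the verification link; call `confirm(...)` from the link handler; `evidence(email)` is what you hand over when asked to show consent, and `verify_chain()` is what an auditor runs over the export. The chain only proves the log was not rewritten later; as the thread notes, it cannot prove the first entry was truthful.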

This regulation is aimed at stopping the hidden checkbox, or the hidden clause in a ToS.

All you have to do to comply with it is be clear and direct when collecting personal data, and make a record of the permission granted.

Things like proper confirmed opt-in help.

> All you have to do to comply with it is be clear and direct when collecting personal data, and make a record of the permission granted.

It appears that you also need to have been all of those things, as far back as you've been collecting personal data, even if no such requirements existed at the time. Organisations might not be in that position even if they followed accepted good practices when signing people up to their lists, so the GDPR may have unintended consequences here.

That requirement has existed in the EU since 1995.
Please stop spreading misinformation. Things are changing with the GDPR.

In particular, the consent requirements are significantly stronger under GDPR than under either the 1995 directive itself (95/46/EC) or the implementations of that directive in various member states.

Organisations that followed reasonable and honest practices at the time of collecting personal data, for example when setting up a mailing list, could still find themselves out of compliance under the new rules.

It has only changed for people who were playing stupid games with what consent means, like interpreting scrolling past an already checked checkbox as consent when it was clearly nothing of the sort. If you were being clear and direct with users about what they were signing up for, then you have nothing to fear from GDPR. I don't have any sympathy for business who were complying with the letter of the law while finding any excuse they could to subvert the spirit of the law.
> I don't have any sympathy for business who were complying with the letter of the law while finding any excuse they could to subvert the spirit of the law.

Neither do I. It's the organisations who were complying with the letter of the law, the spirit of the law, and generally accepted good practices at the time and still won't be compliant under GDPR that I'm worried about.

As a concrete example, every single charity that I support regularly has written to me at some point over the past few months, in order to get the kind of explicit consent they apparently believe they need to continue communicating with their supporters exactly as they have been for years before.

Now, there are really only two possibilities here. One is that all of those charities have this wrong, despite their resources and surely having taken professional legal advice on their particular situations. The other is that the usual HN suspects who maintain that the GDPR isn't a big deal and doesn't change much in practice are underestimating the concerns the GDPR raises for these legitimate organisations wanting to send legitimate communications to people who have previously been happy to receive them.

Since those exercises mean my donations are being wasted on red tape instead of their intended purposes like literally helping to cure cancer, I think it's fair that I have a problem with that.

Totally speculating, but "documented proof" seems to indicate that they would be satisfied by some sort of document? A screenshot would probably help? "Here is the screen where the user agreed to this" seems like it would be somewhat convincing. (If it's a screenshot then it will survive UI redesigns.)

Of course, from a security standpoint where the attacker is assumed to be totally untrustworthy, this is all nonsense since it would be trivial to fake. It does require a certain amount of trust that the company will not stoop to faking documents.

I guess you could continue the charade by putting timestamped screenshots on a blockchain :-)