by DanBC 2994 days ago
This regulation is aimed at stopping the hidden checkbox, or the hidden clause in a ToS.

All you have to do to comply with it is be clear and direct when collecting personal data, and make a record of the permission granted.

Things like proper confirmed opt-in help.

All you have to do to comply with it is be clear and direct when collecting personal data, and make a record of the permission granted.

It appears that you also need to have been all of those things, as far back as you've been collecting personal data, even if no such requirements existed at the time. Organisations might not be in that position even if they followed accepted good practices when signing people up to their lists, so the GDPR may have unintended consequences here.

That requirement has existed in the EU since 1995.
Please stop spreading misinformation. Things are changing with the GDPR.

In particular, the consent requirements are significantly stronger under GDPR than under either the 1995 directive itself (95/46/EC) or the implementations of that directive in various member states.

Organisations that followed reasonable and honest practices at the time of collecting personal data, for example when setting up a mailing list, could still find themselves out of compliance under the new rules.

It has only changed for people who were playing stupid games with what consent means, like interpreting scrolling past an already checked checkbox as consent when it was clearly nothing of the sort. If you were being clear and direct with users about what they were signing up for, then you have nothing to fear from GDPR. I don't have any sympathy for businesses who were complying with the letter of the law while finding any excuse they could to subvert the spirit of the law.
I don't have any sympathy for businesses who were complying with the letter of the law while finding any excuse they could to subvert the spirit of the law.

Neither do I. It's the organisations who were complying with the letter of the law, the spirit of the law, and generally accepted good practices at the time and still won't be compliant under GDPR that I'm worried about.

As a concrete example, every single charity that I support regularly has written to me at some point over the past few months, in order to get the kind of explicit consent they apparently believe they need to continue communicating with their supporters exactly as they have been for years before.

Now, there are really only two possibilities here. One is that all of those charities have this wrong, despite their resources and surely having taken professional legal advice on their particular situations. The other is that the usual HN suspects who maintain that the GDPR isn't a big deal and doesn't change much in practice are underestimating the concerns the GDPR raises for these legitimate organisations wanting to send legitimate communications to people who have previously been happy to receive them.

Since those exercises mean my donations are being wasted on red tape instead of their intended purposes like literally helping to cure cancer, I think it's fair that I have a problem with that.

You're leaving out the possibility that the charities, like most other marketers, didn't bother to get affirmative consent originally. If they had been following the spirit of the law instead of just what they could get away with, then they would have gotten affirmative consent previously. They are not immune from committing bad marketing behavior just because they are charities.
It's interesting that you mention charities, because as we know in the UK many of them were breaking the law and there has been considerable regulatory action to bring them back into compliance with the existing PECR and DPA.

The fact that they're all contacting people saying "We need to re-gain permission under GDPR" just means that a bunch of organisations were, and still are, clueless about data protection. This, combined with the lack of fines, should be somewhat reassuring to the GDPR sceptics. The laws are widely broken; the regulator hasn't been seeking fines; this is unlikely to change in future under GDPR.