by Silhouette 2993 days ago
You're leaving out the possibility that the charities, like most other marketers, didn't bother to get affirmative consent originally.

But equally, you're leaving out the possibility that charities really were clear and honest about what they would like to send and really did provide a genuine choice, yet would fall foul of one of the technical requirements under GDPR that wasn't in force at the time. This is probably the case for most if not all of the charities I support myself, so absent evidence to the contrary I have to assume it was widespread practice.

People keep talking about the "spirit of the law", but there's a danger that this becomes a euphemism for "what I wish the law had said, even though it didn't". Usually when people contrast the spirit of the law with the letter of the law, they are making a point about avoiding the obvious purpose of legislation by relying on legal technicalities or subtle implications that most people wouldn't pick up.

In this sort of case, I don't see how it's against even the spirit of previous data protection law if a charity clearly and honestly stated that it would like to send information to donors about how their money was being used, which probably many donors would indeed like to receive, but for example they checked the box by default. There was an explicit provision for businesses to send marketing mail to previous customers or prospects without requiring consent at all, as long as it related to products or services similar to what the recipient had been interested in before and as long as some reasonable requirements about opting out were met, so clearly this isn't some absurd idea just dreamed up by charity fundraisers.

Checking the box by default is a dark pattern designed explicitly to trick people into signing up without realizing it. People who did that knew what they were doing. I don't have any sympathy that they now have to go back and ask for real consent.

> Checking the box by default is a dark pattern designed explicitly to trick people into signing up without realizing it.

There was no trickery involved. Not even slightly, not in even one case where I was choosing to be a supporter. The indications of what would or wouldn't be sent were invariably perfectly clear, and the only things that ever have been sent were in line with what was stated.

Again, "dark pattern" is too often used as a euphemism for "something I don't like". If you have a genuine option that is clearly shown, that's not a dark pattern. And if most of the people filling in the form are going to choose to turn on that option, I fail to see how having it turned on as the default is unreasonable either.

We're not talking about something presented deceptively in the middle of a long and complicated page full of other options to add some unwanted but chargeable extra on your holiday booking here. We're talking about charities doing important work wanting to show their supporters that the money they're donating is making a difference, and showing an immediately clear and readily understood option that is part of a short, simple form for supporters to fill in. They did ask for real consent. You just don't like how they did it, and I'm not sure why your personal opinion should outweigh widely established practice that was doing no real harm.

It is well established that checking the box by default results in much, much higher conversion rates than leaving it unchecked. That clearly indicates that people are not really making a decision to consent when they leave it checked. That is exactly why the practice was disallowed by GDPR.

Maybe so, but that was still standard practice. If there was nothing deceptive or misleading about how the choice was presented, and if it genuinely was a choice that someone could easily turn off if that was their preference, I think it's quite a stretch to attach labels like "dark pattern" or claim that organisations weren't "following the spirit of the law".

There are going to be organisations wasting time and money on reconfirmation exercises for mailing lists they've been building up for a long time because despite using double opt-ins, only sending relevant messages to people who genuinely want to receive them, and providing readily accessible options to opt out again, they didn't record exactly what the wording said on their web site on 13 April 2008 when someone signed up to that list.

Clearly the GDPR sets out different requirements now, but my original comment stands: things are changing, and this is going to introduce significant burdens even on a lot of organisations that were following reasonable and honest practices when they collected personal data before.