Personal data and mailing lists

brightncheerful
Lemon Quarter
Posts: 2217
Joined: November 4th, 2016, 4:00 pm
Has thanked: 424 times
Been thanked: 803 times

Personal data and mailing lists

#43775

Post by brightncheerful » April 5th, 2017, 12:22 pm

Important changes ahead for the processing of personal data and the need for consent - https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/

General Data Protection Regulation (GDPR) coming into force 25 May 2018

Amongst other things:
a) the £10 fee for finding out what they know about you is to be scrapped.
b) For mailings, assumed opt-in is no longer acceptable and a double opt-in process must be performed for anyone signing up.

Slarti
Lemon Quarter
Posts: 2941
Joined: November 4th, 2016, 3:46 pm
Has thanked: 640 times
Been thanked: 496 times

Re: Personal data and mailing lists

#43857

Post by Slarti » April 5th, 2017, 5:06 pm

If you process personal data for direct marketing purposes

You must stop processing personal data for direct marketing purposes as soon as you receive an objection. There are no exemptions or grounds to refuse.



https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/individuals-rights/the-right-to-object/

That is going to upset the junk mail industry.

Slarti

stewamax
Lemon Quarter
Posts: 2452
Joined: November 7th, 2016, 2:40 pm
Has thanked: 84 times
Been thanked: 798 times

Re: Personal data and mailing lists

#44037

Post by stewamax » April 6th, 2017, 1:09 pm

When you visit the ICO's website, the following is displayed: We have placed cookies on your device to help make this website better. You can use this tool to change your cookie settings. Otherwise, we’ll assume you are OK to continue.
Hmm... relying on implicit consent .... something the ICO is dead against in most contexts where it stresses the need for individuals to explicitly opt in.

The visitor to their website is not told what goes into the cookies, and the ICO should not assume that the cookies are personal to the visitor, given that PCs can be shared.

An own goal perhaps?

chas49
Lemon Quarter
Posts: 1976
Joined: November 4th, 2016, 10:25 am
Has thanked: 219 times
Been thanked: 468 times

Re: Personal data and mailing lists

#44041

Post by chas49 » April 6th, 2017, 1:17 pm

stewamax wrote: When you visit the ICO's website, the following is displayed: We have placed cookies on your device to help make this website better. You can use this tool to change your cookie settings. Otherwise, we’ll assume you are OK to continue.
Hmm... relying on implicit consent .... something the ICO is dead against in most contexts where it stresses the need for individuals to explicitly opt in.

The visitor to their website is not told what goes into the cookies, and the ICO should not assume that the cookies are personal to the visitor, given that PCs can be shared.

An own goal perhaps?


The ICO page about cookies says

You must tell people if you set cookies, and clearly explain what the cookies do and why. You must also get the user’s consent. Consent can be implied, but must be knowingly given.


and

Do we need consent from the subscriber or from the user?

Regulation 6 states that consent should be obtained from the subscriber or user.

In practice you may not be able to tell who is the subscriber and who is a user – which means you may not be able to distinguish between consent provided by the subscriber and by the user. The key will be that valid consent has been provided by one of them.

PECR does not say whose wishes should take precedence if they are different. If there appears to be a conflict – for example, if a subscriber or user previously consented but now the current user of the same device objects – it would seem sensible to rely on the most recent indication. This would mean you always respect the current user’s preferences, even if you cannot be sure of the subscriber’s preferences.


So I think they are complying with the rules as they state them...

Although it's not clear how you withdraw the consent once given on their site

chas49
Lemon Quarter
Posts: 1976
Joined: November 4th, 2016, 10:25 am
Has thanked: 219 times
Been thanked: 468 times

Re: Personal data and mailing lists

#44047

Post by chas49 » April 6th, 2017, 1:22 pm

Actually, on the cookies page (https://ico.org.uk/global/cookies/) they say

We are planning to enhance our cookie tool to allow users to more easily change their cookie settings after their initial choice.


Not sure if you can easily change it at the moment though

stewamax
Lemon Quarter
Posts: 2452
Joined: November 7th, 2016, 2:40 pm
Has thanked: 84 times
Been thanked: 798 times

Re: Personal data and mailing lists

#44142

Post by stewamax » April 6th, 2017, 4:51 pm

The ICO should be leading by example.
Implicit consent has a place, but this isn't it. The fact that 'explicit consent or no cookie' negates much of the effectiveness of cookies is immaterial.
It is not sufficient to assume consent if someone doesn’t opt out. ‘Qui tacet consentire videtur’ (‘silence denotes consent’) didn’t save the Man for All Seasons Sir Thomas More’s neck and it wouldn’t save the ICO's, whatever weasel words they use to qualify their stance.

For example, the widely publicised issue of NHS practitioners releasing personal records to the new Health and Social Care Information Centre, as provided for in the Health and Social Care Act 2012 which says [Section 261. (2) (b) (1)]: “Information falls within this subsection if … (b) the information is in a form which identifies any relevant person to whom the information relates or enables the identity of such a relevant person to be ascertained and (i) the relevant person has consented to the dissemination”. Nowhere in the Act is there a definition of 'consent'; the NHS is blithely interpreting 'consent' to mean that if I didn't reply to my GP Practice's letter asking me if I wanted to opt out, then I must be opting in. In other words, doing nothing implies consent.

Implied consent is a valid doctrine if by my subsequent actions a reasonable person would construe that I had consented. But my continuing to browse a website that contained an 'assumed opt-in' for cookies is not implied consent: I may not have even noticed the 'cookie message'.
Sorry ICO - I beg to differ.

