Explicit Consent and Deleting Your Customers, The GDPR Cornerstones

This post is part of our series: Find Out Fast If Your Business is GDPR Ready. Our goal is to help businesses make sense of privacy and data. AE is your Babel Fish for Legalese 🐠

What Explicit Consent Means

Clearly, telling your customers what you’re going to do with their data makes good business sense. Trust is essential, especially these days.

Email marketing has taken a clear approach to email sign-ups for many years, thanks to laws like Canada’s anti-spam legislation (CASL) and similar legislation in other countries that have followed suit. This clear understanding between an email customer and a business follows a simple pattern: you sign up for an email newsletter, and the business tells you how often they’ll email you, what kind of content you’ll receive and how to unsubscribe. Excellent!

Thanks to the GDPR, this concept of clearly spelling out how customer data is to be used now applies to every part of your customer data. At AE we think this is a good thing. Being more transparent and honest is good for everyone.

How To Implement Explicit Consent

You need to be able to tell a customer what you’ll be doing with the data you ask them for. This is especially important during customer registration.

When you implement your policy or terms and conditions you need a check box that isn’t pre-checked. This box must be checked by the user to indicate that they are agreeing. This is the foundation of explicit consent.

For GDPR compliance, you need to provide a checkbox that the user must check themselves, providing explicit consent.
Explicit consent: The user must check the box themselves to agree.

Deleting Your Customers, The Right To Be Forgotten

The second cornerstone of the GDPR changes is that every one of your customers has the right to be forgotten. When a customer sends a request asking to have their account deleted, you must do it. Pretty simple, and you most likely do this right now. However, you might just be deleting the main customer account, while other information like billing details, a mailing address, or old emails in your support system is left behind. With the GDPR it all has to go.

If your business has multiple systems that contain customer data, it all needs to go. There are a few instances where some customer data will remain; for example, electronic invoices that contain customer data can be kept on file for taxes and accounting. In most cases, though, you’ll need to remove everything and then notify the customer when it’s been completed.

Under GDPR laws, if a customer wants their account deleted, you must delete all the information you have about them.
If a customer wants their account deleted, you have to delete all the data you have on that person.
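
The deletion flow described above, sketched as an added example that is not part of the original post or AE's own code: erase the customer from every system, keep only invoices, and notify the customer only once every system has finished. The `Store` class, the system names and the `notify` callback are hypothetical stand-ins, and the sample data is constructed.

```python
from dataclasses import dataclass


@dataclass
class Store:
    """Hypothetical stand-in for one system that holds customer data."""
    name: str
    records: dict                      # customer_id -> list of {"kind": ...}
    retained: frozenset = frozenset()  # record kinds kept for tax/accounting
    online: bool = True

    def erase(self, customer_id):
        if not self.online:
            raise ConnectionError(f"{self.name} unreachable")
        rows = self.records.get(customer_id, [])
        kept = [r for r in rows if r["kind"] in self.retained]
        if kept:
            self.records[customer_id] = kept
        else:
            self.records.pop(customer_id, None)
        return len(rows) - len(kept), len(kept)


def erase_customer(customer_id, stores, notify):
    """Erase from every store; notify the customer only when all succeeded."""
    report = {"customer": customer_id, "deleted": {}, "retained": {}, "failed": []}
    for store in stores:
        try:
            deleted, kept = store.erase(customer_id)
        except ConnectionError:
            report["failed"].append(store.name)  # retry later, do not confirm yet
            continue
        report["deleted"][store.name] = deleted
        if kept:
            report["retained"][store.name] = kept
    report["complete"] = not report["failed"]
    if report["complete"]:
        notify(customer_id, report)
    return report


def demo(support_online=True):
    # Constructed sample data: three systems holding data for customer "c42".
    stores = [
        Store("accounts", {"c42": [{"kind": "profile"}]}),
        Store("billing", {"c42": [{"kind": "card"}, {"kind": "invoice"}]},
              retained=frozenset({"invoice"})),
        Store("support", {"c42": [{"kind": "email"}, {"kind": "email"}]},
              online=support_online),
    ]
    sent = []
    report = erase_customer("c42", stores, lambda cid, r: sent.append(cid))
    return report, sent, stores
```

The report doubles as a record of what was deleted and what was retained, and a run with any failed system leaves the request open instead of confirming a partial deletion to the customer.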

GDPR Cornerstones

Good luck setting up explicit consent and reviewing how you delete your customers. These two cornerstones for being GDPR ready can seem difficult to implement and understand but hopefully this helps you get started.


Get more information on anti-spam legislation in the countries where you have customers:

United States of America: CAN-SPAM Act

Argentina: Personal Data Protection Act

Australia: Spam Act 2003

Austria: Austrian Telecommunications Act

Belgium: Belgium Law March 11, 2003

Brazil: Movimento Brasileiro de Combate ao Spam

Canada: CASL

Cyprus: Regulation of Electronic Communications and Postal Services Law 2004

Czech Republic: Act No. 480/2004 Coll. on Certain Information Society Services

European Union: Directive on Privacy and Electronic Communications

Finland: Act on Data Protection in Electronic Communication

France: Law of June 21 2004 for Confidence in the Digital Economy

Germany: Federal Data Protection Act

Hong Kong: Unsolicited Electronic Messages Ordinance

Indonesia: Law Concerning Electronic Information and Transactions

Ireland: European Communities Electronic Communications Networks and Services Data Protection and Privacy Regulations of 2003

Israel: 2008 Amendment to the Communication Telecommunications and Broadcasting Law of 1982

Italy: Italian Personal Data Protection Code

Japan: Act on Regulation of the Transmission of Specified Electronic Mail

Malaysia: Communications and Multimedia Act of 1998

Malta: Data Protection Act

Netherlands: Dutch Telecommunications Act

New Zealand: Unsolicited Electronic Messages Act 2007

Singapore: Spam Control Act 2007

South Africa: Electronic Communications and Transactions Act 2002

South Korea: Act on Promotion of Information and Communication Network Utilization and Information Protection

Spain: Information Society Services and Electronic Commerce Act

Sweden: Swedish Marketing Act

United Kingdom: Privacy and Electronic Communications (EC Directive) Regulations 2003

Annabel Youens

About Annabel Youens

I'm a co-founder and CMO at AE. I believe that truly successful internet businesses have to connect people. When I'm not online I'm exploring beautiful Vancouver Island. Things I love: everything scifi, literary fiction, coffee, Google Music, my workhorse sewing machine and board games.