No doesn’t mean yes – you need to get permission

Balanced permission

New rules under the GDPR mean that permission for marketing MUST be from the customer and be a positive response.

The consent document should be laid out in simple terms. Silence or inactivity does not constitute consent; clear and affirmative consent to the processing of private data must be provided.

As a Data Controller you must be able to show exactly when in the process the customer agreed to their data being used for marketing purposes. This applies to data manipulation, analysis and definitely selling data on.

This means that databases may need new flags to show when and where the positive response was obtained. Many companies may want to take the step of scanning response forms and attaching the scans to the record, to prove that the customer supplied a positive response.

It will no longer be acceptable for organisations to pre-check permission boxes, nor will they be able to treat permission as implicitly given until the customer does something to alter that.

Revocation of permission

Your customer may at any time rescind their permission, and again this will need to be recorded. (They cannot complain about you using their data before they asked you to stop.)

It will also need to be as easy for someone to revoke their permission as it was to give it in the first place. So, for instance, it will no longer be acceptable for an organisation to require a customer to write to their data protection department – if the original permission was given solely by ticking a box on a web form.


There will also be special requirements for people who deal with children. Parental consent will be required for the processing of personal data of children under age 16. However, it is thought that EU Member States may lower the age requiring parental consent to 13.

