Bundling Under GDPR


What is “bundling” under GDPR? 

“Bundling” refers to the practice of requiring an End User to consent to the use of their Personal Data for a purpose unrelated to what they are signing up for, typically marketing.  For example, say you’re a SaaS company offering free trials of your service on your public webpage.  If the text near the Submit Button requires the End User to agree to a Privacy Policy that itself contains a consent to receive marketing emails (e.g., “By clicking the Submit Button you agree to our Terms of Service and Privacy Policy.”), that marketing consent is “bundled” with the free trial: the End User cannot get the trial without also giving it. 

Can I “bundle” consent to receive marketing materials within a signup form for a software or SaaS subscription? 

Not without incurring enforcement risk, no.  Courts answered this question in different ways in the early days of GDPR; a Frankfurt appellate court, for instance, issued an opinion blessing the practice of bundling in 2019.  The European regulator, the European Data Protection Board (EDPB), weighed in the next year with a 33-page set of Guidelines on consent that more or less prohibits the practice, and the UK’s analogous regulator, the ICO, issued similar guidance.  The rationale of both regulators is that (1) consent isn’t “freely given” if it is tied to a service that doesn’t need it, and (2) consent isn’t “granular” enough if the End User is agreeing in one stroke to receive marketing materials or to have their Personal Data sent to third parties for marketing purposes. 

Well, what if I used an unticked checkbox disclosing the marketing emails that are coming? 

This likely works, and the more specific the checkbox text the better.  However, the checkbox must be genuinely optional: the signup form must let an End User proceed without ticking it, both in the browser and in the server-side validation that actually creates the account, and the marketing consent should be recorded as its own separate flag rather than inferred from acceptance of the Terms or Privacy Policy.  If the backend rejects a submission whose marketing box is unticked, you are still tying two unrelated things inextricably together; you are “bundling.” 
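To make the backend point concrete, here is an added example (not code from the original article) of a signup-form handler written two ways: a “bundled” version that derives marketing consent from the mandatory Terms/Privacy Policy checkbox, and a granular version in which the marketing checkbox is a separate, optional field recorded with the text the user saw.  The field names (email, accept_terms, marketing_optin) and the consent-record layout are assumptions for illustration; the sample form submissions are constructed inline.

```python
"""Signup-form validation: a bundled handler beside a granular one.

Hypothetical example for this article; field names and record layout are
assumptions, not any particular vendor's implementation.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Text shown next to the separate, unticked marketing checkbox.  Storing the
# exact wording with the consent record lets you evidence later what was agreed.
MARKETING_TEXT = ("Yes, email me product news and offers from Example Co. "
                  "You can unsubscribe at any time.")


@dataclass
class SignupResult:
    ok: bool
    errors: List[str] = field(default_factory=list)
    # Marketing consent is stored on its own, never inferred from accept_terms.
    marketing_consent: Optional[Dict[str, str]] = None


def _ticked(value: Optional[str]) -> bool:
    # A ticked HTML checkbox arrives as "on" (or "true"/"1" from JS clients);
    # an unticked one is simply absent from the submission.
    return (value or "").strip().lower() in ("on", "true", "1", "yes")


def _common_errors(form: Dict[str, str]) -> List[str]:
    errors = []
    if "@" not in form.get("email", ""):
        errors.append("email: invalid")
    if not _ticked(form.get("accept_terms")):
        errors.append("accept_terms: required")  # legitimately required for the trial
    return errors


def validate_bundled(form: Dict[str, str]) -> SignupResult:
    """The pattern the article warns about: one mandatory checkbox ("I agree to
    the Terms and Privacy Policy") gates the trial, and marketing consent is
    silently derived from it."""
    errors = _common_errors(form)
    if errors:
        return SignupResult(ok=False, errors=errors)
    # Defect: the user could not proceed without this, so it is not freely given.
    return SignupResult(ok=True, marketing_consent={
        "email_marketing": "granted", "basis": "privacy_policy_acceptance"})


def validate_granular(form: Dict[str, str],
                      now: Optional[datetime] = None) -> SignupResult:
    """Separate, unticked-by-default marketing checkbox that is NOT a
    precondition of signup.  Note that marketing_optin never appears in the
    error list: its absence is the normal case."""
    errors = _common_errors(form)
    if errors:
        return SignupResult(ok=False, errors=errors)
    opted_in = _ticked(form.get("marketing_optin"))
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    return SignupResult(ok=True, marketing_consent={
        "email_marketing": "granted" if opted_in else "not_given",
        "basis": "separate_optin_checkbox" if opted_in else "none",
        "text_shown": MARKETING_TEXT,
        "recorded_at": stamp,
    })


def may_send_marketing(result: SignupResult) -> bool:
    """Gate used by the mailer: only a consent recorded via the separate
    checkbox counts; acceptance of the privacy policy alone does not."""
    c = result.marketing_consent or {}
    return (c.get("email_marketing") == "granted"
            and c.get("basis") == "separate_optin_checkbox")


if __name__ == "__main__":
    # Constructed sample submissions: the browser omits unticked checkboxes.
    trial_only = {"email": "alice@example.com", "company": "Acme", "accept_terms": "on"}
    trial_plus_marketing = dict(trial_only, marketing_optin="on")
    print("bundled  :", validate_bundled(trial_only).marketing_consent)
    print("granular :", validate_granular(trial_only).marketing_consent["email_marketing"])
    print("granular+:", validate_granular(trial_plus_marketing).marketing_consent["email_marketing"])
```

The important behaviours to check in your own form: a submission with only the Terms box ticked still succeeds under the granular handler, and the mailer gate refuses to send to an account whose only “consent” came from the Privacy Policy click.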

Can I “bundle” consent to receive marketing materials within a signup form for an industry event? 

Probably, yes, but strictly speaking this isn’t “bundling” at all.  Industry events such as Dreamforce are held for the purpose of marketing (and networking) in the first place, so, going back to the definition above, sending future marketing communications is not a use of Personal Data for a purpose “unrelated” to the one for which the End User provided it, viz. receiving marketing communications in the form of a live event. 


Does Bundling also come into play if I share End User’s Personal Data with Third-Party Advertisers? 

It does.  In fact, we have a real-life example of this.  In 2021 the Norwegian Data Protection Authority fined Grindr LLC approximately $6.5 million for sharing users’ Personal Data with advertising partners on the strength of consent it had bundled into acceptance of its Privacy Policy.  Here’s what the signup process looked like, in the regulator’s words: 

“Grindr’s consent mechanism in use at the time of the NCC’s inquiry (hereinafter “previous CMP”) displayed the full privacy policy, asking the data subject to click on “Proceed”. If the data subject clicked on “Proceed”, a pop-up appeared with the phrase “I accept the Privacy Policy”, where Grindr gave the data subject the option to press “Cancel” or “Accept”. If the data subject pressed “Cancel”, further registration was not possible, and the data subject would be unable to use the app.” 

The regulator was not impressed with that signup process.  “Accordingly, the consents to sharing personal data with its advertising partners that Grindr collected through the previous CMP were bundled [emphasis mine] with acceptance of the privacy policy as a whole.” 

TL;DR: merely stuffing a Privacy Policy full of hugely broad consents and then requiring an End User to click “I agree” to the Privacy Policy as a whole can get you in hot water if you intend to use the End User’s contact information for future marketing purposes (e.g., sending emails about things unrelated to what the End User signed up for in the first place).  Some are speculating that U.S. states might start taking a similar stance. 

Relevant Excerpts from the EDPB’s Guidelines: 

“26. Article 7(4) GDPR indicates that, inter alia, the situation of “bundling” consent with acceptance of terms or conditions, or “tying” the provision of a contract or a service to a request for consent to process personal data that are not necessary for the performance of that contract or service, is considered highly undesirable. If consent is given in this situation, it is presumed to be not freely given (recital 43). Article 7(4) seeks to ensure that the purpose of personal data processing is not disguised nor bundled with the provision of a contract of a service for which these personal data are not necessary. In doing so, the GDPR ensures that the processing of personal data for which consent is sought cannot become directly or indirectly the counter-performance of a contract. The two lawful bases for the lawful processing of personal data, i.e. consent and contract cannot be merged and blurred.” 

 “42. A service may involve multiple processing operations for more than one purpose. In such cases, the data subjects should be free to choose which purpose they accept, rather than having to consent to a bundle of processing purposes. In a given case, several consents may be warranted to start offering a service, pursuant to the GDPR.” 

 “13. The element “free” implies real choice and control for data subjects. As a general rule, the GDPR prescribes that if the data subject has no real choice, feels compelled to consent or will endure negative consequences if they do not consent, then consent will not be valid. If consent is bundled up as a non-negotiable part of terms and conditions it is presumed not to have been freely given. Accordingly, consent will not be considered to be free if the data subject is unable to refuse or withdraw his or her consent without detriment. The notion of imbalance between the controller and the data subject is also taken into consideration by the GDPR.” 

Relevant Excerpt from the ICO’s Guidelines: 

 “The UK GDPR is clear that consent should not be bundled up as a condition of service unless it is necessary for that service…” 
