However, consent is only one of the 6 lawful basis for data processing under GDPR’s Article 6. That means we may not have to get consent if the data processing has some other lawful basis.
The interpretation of what is acceptable is dependent on your business. Typically, it takes into consideration the following aspects:
Residency status of the Data Subjects: Remember that Data Privacy laws have a cross border enforcement. i.e. It does NOT depend on where your business is based, as much as it does on whose Personal Data your organization is actively processing.
Legal and DPO’s perspective: Compliance efforts are an exercise in risk management and have to find a pragmatic balance between investing in robust Data Privacy Management and managing risks.
Customer Trust: Forward-thinking companies understand that Personal Data Privacy is about doing what is right for their customers, and other stakeholders.
It makes good business sense to do this and can bring immense dividends in terms of customer loyalty and trust.