European Data Protection Regulation
Enrique Reina, professor at Tecnun and Data Protection Delegate of the University of Navarra, explains the new regulation.
We have been suffering for weeks now from a barrage of messages inviting us to renew subscriptions to newsletters and advertising by email. Mobile apps insistently remind us that we must accept new privacy policies if we want to keep them working. What is behind this campaign that links big companies like Google with an e-commerce store or the garage where we changed the tires on our car years ago?
The European Data Protection Regulation will start to be applied today. It is a regulation that is binding in all the countries of the European Union and unifies the different existing national legislations. Among other new features, it includes several measures to make the information the user receives more transparent at the time of giving consent to be sent offers of new products or services in the future.
The most important change is that, from now on, this consent must be collected through an affirmative action by the user. In other words, it will no longer be sufficient to fill in a form with a checkbox on the last line next to the well-known text: "Check here if you do not wish to receive any more messages". Instead, for the consent to be valid, it will be necessary to check a box to indicate that you do want to receive messages, or to perform some other action that shows the interested party's willingness to continue receiving advertising. Pre-ticked boxes are also no longer valid. If the user wants to receive information, he or she must check them personally and clearly request it.
On the other hand, the marketing company will have the obligation to prove that consent was obtained under the above conditions. The most common way of doing this is what is known in the jargon as "double opt-in": the data subject expresses a willingness to subscribe to the service, and has to reaffirm it by entering a personalized code received by email or SMS.
Moreover, the Regulation prohibits the use of data that have not been collected under these consent conditions. This is why all companies are rushing to renew their old databases by means of "re-opt-in" campaigns in which they once again ask for the permission of their subscribers, this time with positive consent and double opt-in. It is worth the risk of losing customers who do not reply or reply negatively if you get a fully legalized database.
The new regulation also requires transparent information, at the time of collecting consent, about what is going to be done with our data, especially in the event that the company to which we are giving them is going to transfer them to another, as well as how long it will be using them. The Regulation has added to the already known ARCO rights (access, rectification, cancellation or deletion, and opposition to data processing) the new right to data portability between companies, and has created two new types of sensitive or specially protected data, genetic data and biometric data, which are added to the existing ones: religious beliefs, political ideologies, sexual life or orientation, union membership, health data, etc.
Finally, what has the European Union done to encourage the implementation of the new measures? Firstly, it has created the figure of the Data Protection Officer. We should get used to its acronym, DPO, because we are going to find it at the bottom of many e-mails. This is an independent expert, a sort of "ombudsman for the user", who must advise the company or institution for which he or she works on compliance with data protection legislation (public administrations are also subject to the Regulation and must have their DPO). The DPO becomes an intermediary between the data protection authorities, companies and affected individuals, who can exercise their rights through the DPO. And, in addition, it has added an important motivation to encourage such compliance: fines of up to twenty million euros or 4% of the company's annual turnover, amounts capable of making even the Internet giants turn pale.