At first I said no, but… maybe. The GDPR requires a lawful basis for processing PII. The lawful bases are all fairly narrow, except for “the user said I could,” which is the “consent” lawful basis and can be applied to just about anything.
Consent must be opt-in, non-compensated or coerced, and (this is the important one) provided for each type of use. Which this does seem to violate.
It’s been a long time since I read the GDPR, and IANAL, but I think you might be right.
Isn't this in direct violation of the GDPR?