GMASS Legal Compliance

Updated 30 April 2018

Welcome to the GMASS Legal Compliance page.  As data protection and privacy laws are continuing to evolve, we want to share with our GMASS subscribers how we are meeting the legal requirements, while continuing to provide valuable data to schools and our strategic partners, enabling them to connect with graduate management candidates.  In addition, schools are also evolving in the way they connect with candidates, so we want the GMASS tool to provide schools with the opportunity to connect with candidates in new ways.  At GMAC, we view privacy legislation as a reflection of the candidates’ desires and, as GMASS is intended to serve them – as well as schools and others in the graduate management education field -  it is important that we not only meet the letter of the law, but that we also meet the spirit of the law.

GDPR Compliance

GMAC has had a strong data protection program in place for over a decade following the model and principles embodied in the EU Data Protection Directive of 1995.  Respecting a candidate’s desire for data privacy has been a GMAC corporate value since 2005. 

In 2016, we made several updates to our privacy program to comply with Canada’s Anti-Spam Law (CASL) to be implemented in the summer of 2017.  Our CASL updates included several changes to our GMASS tool, including:

  • Clarifying the GMASS candidate consent language
  • Updating our GMASS Terms of Use
  • Adding a “More Details” page on letting candidates know who is receiving their data and what data they are receiving
  • Adding street addresses to our already existing list of GMASS data recipients.

On May 25, 2018, the EU General Data Protection Regulation (GDPR) is replacing the Data Protection Directive from 1995. Although GDPR imposes additional requirements on protecting the personal data and privacy of EU residents, GMAC’s longtime focus on data privacy and our updates in preparation for CASL put us in a good position to address GDPR’s requirements.  We began working on our GDPR updates in 2016, and we will continue to actively monitor GDPR compliance and requirements after the 25th of May, as more guidance becomes available.  We also will continue to monitor and update our privacy program and products as the data protection laws of other countries and regions evolve.

GDPR requires a legal basis for processing personal data.  “Consent” is the legal basis through which GMAC collects and shares Candidate data with GMASS data recipients, and through which those recipients can process the Candidate data to contact the Candidates about their programs, financial aid, career opportunities, test prep offerings, and participation in research studies. Valid consent must be freely given, specific, informed and an unambiguous. (Art. 4(11))

“Freely Given” Consent

Candidates freely give their consent to be included in the GMASS database.  There is no detriment if they refuse. No GMAC activity, service, or information is conditioned on a candidate giving GMASS consent.  For example, they can access our free GMAT prep tools and register for the GMAT exam without giving GMASS consent.  Candidates join GMASS because they recognize the value in being connected with business schools and receiving information about financial aid, and other organizations and opportunities related to graduate management education.

“Specific and Informed” Consent

Our previous GMASS consent took a layered approach, with an initial statement of consent supplemented with a link to a “More Details” page describing, in easy-to-read detail, the categories of data shared with GMASS participants and including a link to a list of the GMASS subscribers who rely on this consent.  This layered approach enables a candidate to be informed, in a very detailed and specific way, about the implications of giving consent to be included in the GMASS database, without being fatigued by combining every detail in a single, long paragraph.  For GDPR, we are retaining the layered approach, and decided to expand the initial statement of consent to include a list of topics on which a candidate may receive information from GMASS participants.  We also made a few edits to the More Details page.  See our updated More Details page.

Our previous GMASS consent:

Our current GMASS consent:

I want to connect with participating graduate business schools, scholarship-granting organizations and strategic partners of GMAC by joining the Graduate Management Admission Search Service (GMASS). Click here for more details about the GMASS service and participating programs.

You can contact GMAC, adjust or opt out of your preferences at any time.

I want to connect with graduate business schools, scholarship organizations, and strategic partners of GMAC who participate in the GMASS service. I consent to GMAC sharing my email address, and other account profile data, with the GMASS participants to communicate with me about educational programs, financial aid, career opportunities, test prep, and participation in research studies. For more details about the GMASS service, a list of participants, and instructions on how to unsubscribe, visit


“Unambiguous” Consent

Consent given by EU residents has been, and will continue to be, “unambiguous” – meaning the candidate must take an affirmative action, such as checking a box, to indicate consent.  We do not pre-check consent boxes for EU candidates and candidates from several other countries and regions.  We do pre-check the consent box for US residents, allowing them to opt-out.  To see a complete list of the countries where we have pre-checked consent boxes, click here.

Because the consents we previously obtained from candidates were “freely given, specific, informed, and unambiguous,” we have determined that it is not necessary for us to obtain an additional consent from those candidates who gave consent under our previous language and links.  However, we continue to closely monitor regulatory guidance on this issue. 

Sending Texts Using Automatic Dialing Systems – US Residents

We anticipate that schools and other GMASS recipients will increasingly use text messaging to connect with potential candidates, and will wish to use technology to efficiently leverage texting capabilities.  While our previous consents required separate, affirmative consent for telephone and texting communications (no pre-checked boxes), we have updated this consent to cover telephone calls made, and texts sent, to US residents using an automatic telephone dialing system, as defined by US Federal Law and required by the US’s Telephone Consumer Protection Act (TCPA).  The GMASS download file will be updated in May to identify which candidates have given consent under the new language (including consent to be contacted using an automatic telephone dialing system).  The new column will be titled “Auto” and will be located to the right of the SMS/Text column.  If the Auto field reads “Yes,” the candidate has given consent to receive phone calls and texts via an automatic telephone dialing system.  A comparison of our previous consent and current consent is below.

Our previous phone/text consent:

Our current phone/text consent:

In addition to email or postal mail, I’d like to be contacted by:




In addition to the communications described above, I would also like to receive these communications from GMASS participants at the numbers provided in my profile, including by automated telephone dialing system. I understand that I do not need to provide this consent as a condition to receive any GMAC goods or services.




GMAC’s Data Protection and Privacy Program

This page summarizes compliance with respect to consents we have obtained from GMASS candidates.  See our Privacy Statement to learn about other aspects of our Data Protection and Privacy Program.  If you have additional questions, please email us at