GDPR is very much here, but not everyone is quite ready yet. One of the major points of debate is over gaining consent. The regulations now require that any organisation wishing to collect and process (i.e. use) a person’s information must have sound legal grounds to do so. In many cases, these legal grounds will simply be that the individual has requested a service, and certain elements of information are essential to this. But when this isn’t the case, such as when it comes to marketing, consent must be acquired. Naturally this means that lots of businesses are now having to alter contact forms and similar pages on their websites. Where it used to be the case that a business could simply collect information from a form and use it however they wished, this is no longer the case. In this article, we’re going to go through a few of the main points to bear in mind when you’re thinking about writing consent questions on contact forms, quote forms, or any other kind of page that collects information about an individual.
GDPR is very clear in wanting individuals to have control over their data, which means that you need to reflect this where possible. If there are several different things that you want consent for, then split them down where practical. Bundling options together could well fall foul of regulation, so don’t do this. There does of course need to be some consideration for ease of use - using too many questions could well be off-putting and confusing, so use common sense. In general, it’s best to split things out into consent for your general terms and conditions for carrying out the requested service, and then consent for any additional types of processing that you want to carry out, such as marketing. You may also have different ways to contact the individual, such as through email, text or phone. It’s good practice to allow the individual to choose from these options. If you’re in doubt, then ask the question. This is the safest position to take.
You must be sure that the user has read and understood the question that you’ve asked of them, and decided whether or not to agree. The regulations are clearer than they used to be, and implied opt-in is now on very shaky grounds. You mustn’t use automatically checked boxes - you need definitive proof going forward that the user actively opted into whatever data processing you’ve requested. Make sure that all boxes are unchecked and that the user has read the question in order to have given consent.
Getting consent isn’t purely about staying on the right side of GDPR. It’s also your opportunity to sell the benefits of collecting data. Explain why you’d like consent to send marketing emails or other reasons for processing information. Will you be sending out exclusive offers or discount codes? What does the user get out of this? Will you be able to provide a better service with certain bits of information? You don’t want to go overboard, but it really does help to give users a reason to check that box. It’s also worth noting that you need to ensure that the user doesn't feel like they are obliged to give consent to get a good service.
GDPR training is available for those looking for more information about the regulations. Click here to be taken to the Virtual College course page on the subject.