GDPR and Consent: How to Make Sign-Up Forms GDPR Compliant
With General Data Protection Regulation (GDPR) enforcement looming, companies up and down the country are busy making sure they’re compliant.
But what does GDPR’s new standard of consent mean for customer acquisition and email marketing?
In this blog post, we take a deep dive into GDPR consent and explain how to make sure your email sign-up forms are compliant.
What does consent mean under GDPR?
The purpose of GDPR is to protect consumers’ data and ensure companies use it in a way that offers them value. A key part of this is marketing consent.
When a consumer hands over their email address for one purpose, this does not mean they can be contacted for any reason under the sun.
GDPR lays out clear rules about how consent is requested and given to protect this principle. This is how GDPR marketing consent is defined:
Consent of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
This new definition aims to protect consumers from annoying or unethical tactics, for example soft-opt methods like asking a customer for an email address for a receipt and then sending them a tonne of marketing emails they did not consent to.
The new standard of consent is not intended to penalise marketers. It actually benefits everyone. Because what is the point of sending marketing to people who aren’t expecting it and are unlikely to engage with it?
While complying with the new regulation may mean list sizes shrink, it should mean results improve. If everyone on the list wants to receive your marketing, engagement will go up.
The seven features of GDPR-compliant consent
To make the new standard of consent easy to understand and action, we’ve broken down its key features.
Under GDPR, consent must be:
- Unbundled: When you ask for consent, this needs to be separate from other terms and conditions. You can’t make consent a precondition for signing up for a service, unless you would be otherwise unable to provide that service.
- Active: You must use blank opt-in boxes (or a similar binary method, where each choice is equally prominent) so that customers can actively choose to give consent. Under GDPR opt-in rules, pre-ticked opt-in boxes are no longer valid.
- Clear: You must phrase your request for consent explicitly, in a way that’s easy to understand. Confusing double negatives or vague phrasing is not valid.
- Granular: You must give granular options when possible. This allows customers to consent to each way you intend to use their data separately.
- Named: You must give the name of your company and name any third party you are requesting consent on behalf of. This ensures customers are fully informed about who they are giving consent to.
- Easy to withdraw: Consent must be easy to withdraw. You need to make your customers aware of how to do this. Never hide your unsubscribe button.
- Documented: You must keep a record of what each person has consented to, what they were told, and when and how they consented.
If you’re still not sure what that means in practice, don’t worry. Keep reading as we’ve included examples of each below.
GDPR Sign-Up Form Best Practice Examples
Here are some best practice examples from brands that have GDPR compliant sign-up forms nailed.
First up, here’s an example of how to do unbundled consent well from the Data Protection Network.
Notice how the form asks the consumer to agree to terms and conditions separately from requesting marketing consent.
It uses clear sliders instead of tick boxes. This is an equally valid, clear, binary way of obtaining active consent.
Clear and active opt-in
Jimmy Choo is winning at active opt-in, as the example below shows. The opt-in box is not pre-ticked so the consumer has to actively choose to give consent.
This is also a good example of how to ask for consent in a clear, unambiguous way.
Notice that the consent request is explicit and easy to understand. The consumer will know what they are consenting to.
Here’s an example of how to ask for consent in a way that is granular to comply with GDPR.
Age UK lists out a number of granular options so the consumer is crystal clear about each of the ways they are (or are not) consenting to be contacted.
All parties that a consumer is consenting to be contacted by must be named for consent to be valid.
Age UK has this aspect of consent nailed too! Here’s an example that makes it clear who “we” refers to, explicitly naming all subsidiaries.
Easy to withdraw
Consent under GDPR must be easy to withdraw. You can flag this on your sign-up form to reassure consumers.
Here’s a good example of this tactic in action from Walmart.
It is important to note that mentioning the unsubscribe option on a sign-up form is only one part of complying with this aspect of GDPR.
You must follow through and include a clear unsubscribe link in the emails themselves too.
Further reading: How GDPR Will Impact Email Marketing
We hope our best practice examples have given you a head-start on making your email sign-up forms GDPR compliant.
We recently conducted analysis of the performance of subscribe forms in the retail industry. Learn how leading retailers are preparing and how you can ensure your sign-up forms are GDPR compliant.