GDPR requires that organizations have a lawful basis for processing data. One such basis is consent, which according to the GDPR has to be explicit and freely given. This means that the mechanism for acquiring consent must be unambiguous and involve a clear affirmative action.
While you shouldn’t ask for consent when you’re carrying out a core service or processing personal data as required by law, you should ask for it when you’re offering a non-essential service, like sending marketing emails and newsletters.
Let’s see how you can make sure you’re earning consent in the right way with these actionable tips and form examples.
Avoid complex phrasing when explaining reasons for consent: specify why you want the data and what you’re going to do with it in “plain English”. Also, don’t forget to clearly name your organization and any third parties relying on the user’s consent.
Ask users to positively opt-in, because pre-ticked checkboxes or any other type of consent by default are not allowed.
Speaking of opt-in: the safest way to handle a mailing list is the double opt-in, a process with two steps. In step 1 potential subscribers fill out and submit your form. In step 2 they receive a confirmation email and click a link to verify their address, which is only then added to your mailing list. This method of registration is considered best practice in many countries, especially in Germany and elsewhere in the EU.
Agreeing to terms and conditions and giving consent to various activities are not the same thing: make them easily distinguishable from each other and provide individual opt-ins for consent.
Allow customers to consent to independent processing operations separately. Help users keep full control of their consents and permissions by giving them an overview of each processing activity you need consent for.
Users have the right to withdraw their consent at any time, and you should clearly tell them where and how to do so, without detriment to them. Consequently, consent cannot be made a precondition of a service.
Checkboxes are necessary when you are trying to get consent for separate things, but they’re not required where the purpose of the sign-up mechanism is unequivocal. For example, if your site shows a pop-up window that invites users to sign up to your newsletter using a clear phrase such as “Subscribe to our newsletter for access to discount vouchers and product updates!”, the affirmative action the user performs by typing in their email address would be considered valid consent.
GDPR not only sets the rules for how to collect consent but also requires companies to keep a record of these consents. This means you must be able to prove when and how you obtained each user’s consent and what they were told at the time.
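The double opt-in flow and the proof-of-consent record described above, as an added example that is not part of the original article or of any vendor’s product: the confirmation link carries an HMAC-signed, expiring, single-use token (so a forged or replayed link cannot subscribe an address), and every grant or withdrawal is logged together with the exact wording and version the user saw. The signing key, the 24-hour expiry and the log field names are assumptions for the example.

```python
import base64, hashlib, hmac, json, secrets

# Constructed example: double opt-in with a signed confirmation link and a proof-of-consent log.
SECRET = secrets.token_bytes(32)          # server-side signing key (regenerated here; persist it in practice)
TOKEN_TTL = 24 * 3600                     # confirmation links expire after 24 hours (assumed policy)
CONSENT_TEXT = "Subscribe to our newsletter for access to discount vouchers and product updates!"
CONSENT_VERSION = "newsletter-v1"         # version the wording so the record shows exactly what was shown

pending = {}         # email -> issue time of the outstanding confirmation (a database in practice)
subscribers = set()  # emails with confirmed, not-yet-withdrawn consent
consent_log = []     # append-only proof of consent: when, how, and what the user was told

def _sign(body: bytes) -> str:
    return hmac.new(SECRET, body, hashlib.sha256).hexdigest()

def issue_token(email: str, now: int) -> str:
    """Step 1: form submitted. Issue a signed, time-limited token to embed in the confirmation link."""
    body = json.dumps({"email": email, "iat": now, "v": CONSENT_VERSION}, sort_keys=True).encode()
    pending[email] = now
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(body)

def confirm(token: str, now: int, source_ip: str) -> bool:
    """Step 2: link clicked. Reject forged, expired or reused tokens; otherwise record the consent."""
    try:
        b64, sig = token.split(".", 1)
        body = base64.urlsafe_b64decode(b64)
        claims = json.loads(body)
    except (ValueError, UnicodeDecodeError):
        return False
    if not hmac.compare_digest(_sign(body), sig):           # forged or tampered link
        return False
    email, iat = claims["email"], claims["iat"]
    if now - iat > TOKEN_TTL or pending.get(email) != iat:  # expired, superseded or already used
        return False
    del pending[email]
    subscribers.add(email)
    consent_log.append({"event": "granted", "email": email, "purpose": "newsletter",
                        "method": "double opt-in", "requested_at": iat, "confirmed_at": now,
                        "consent_text": CONSENT_TEXT, "version": CONSENT_VERSION,
                        "confirmed_from": source_ip})
    return True

def withdraw(email: str, now: int) -> bool:
    """Withdrawal must be as easy as granting: unsubscribe and log it with the same care."""
    if email not in subscribers:
        return False
    subscribers.discard(email)
    consent_log.append({"event": "withdrawn", "email": email, "purpose": "newsletter", "at": now})
    return True
```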
Our Consent Solution simplifies this process by helping you to easily store proof of consent and manage consent and privacy preferences for each of your users.