How the GDPR Affects you: Consent

Starting May 2018, the GDPR will affect how you can collect email addresses in a big way. Don’t wait until then – act now, otherwise everyone you are currently sending emails to will need to opt-in again!

What is going to change?

A desire to collect as much data as possible has led to businesses and marketers making use of tactics such as pre-ticked checkboxes to assume consent. This is known as ‘implied consent’, and will no longer be justifiable. Up until now, it was acceptable to pre-tick a checkbox when asking for permission to send regular newsletter or marketing emails, but as of May 2018, there must be a positive action made in order to sign up.

What about my data?

If your existing processes and records meet the standards required by the GDPR, then there is no need to acquire any further consent for your data. It is important that you don’t store unnecessary data, so the data you have may need to be reviewed.

If your records don’t meet the standards required, then you are not alone. Unfortunately, as of May 2018, you will need to have standards-compliant consent from every individual on your list. You may want to start emailing your list to request consent, in a GDPR-compliant manner. Providing an incentive to opt-in can go a long way here.

Our Maxservices team can help with this – contact them for assistance.


Accountability

Why is this happening?

These new regulations are designed to reduce the risk to consumers in the event of a data breach by only collecting the data that is required, and only keeping it for as long as is necessary. When asked, you will be required to prove that you have consent to email an address. In the event that you cannot prove it, there may be legal action – including fines.

This further complicates the opt-in process, because it is still debatable whether a “single” opt-in can be proven.

What do I need to include?

A data collection page must include:

  • Your company name, and any third parties who will be using the data
  • A clear explanation of why you are asking for the visitor’s data
  • What you are asking the visitor to sign up for
  • What content the visitor will be sent
  • Assurance that the visitor has the right to withdraw their consent at any time, and how they can go about doing this

The consent should be unbundled, meaning that it should be separate from other terms and conditions. It should not be a requirement of signing up for a service unless it is necessary in order to use the service.

Ideally, you should also unbundle the consent for each method of communication, e.g. for email, post, SMS, and telephone.

The opt-in must be ‘active’ rather than ‘implied’. Use unticked opt-in boxes so that an action is required to give consent.

What is the difference between a single and double opt-in?

A single opt-in process is completed when a visitor enters their email address on a page and clicks submit. At this stage, they are added to a newsletter or marketing list. However, they could have made a mistake in their address, or intentionally entered an incorrect address.

A double opt-in process resolves this by adding an additional step. After entering and submitting their address, they must respond to an email in order to opt-in. Sounds lengthy, but this gives us proof that they did sign up, and we are able to store this along with a timestamp for reporting and auditing purposes.


Data Protection

Will we see a reduction in signups due to this process?

Unfortunately, there is no doubt that this will slow the growth of your email lists. However, there is a quality-over-quantity benefit here – these double opt-ins are far more likely to engage in future.

To counter the slower list growth, there are a few options to try and improve your signup rates. Some examples are:

  • Popup forms
  • Offering the visitor a chance to opt-in before being provided with an article or download
  • Using inbound channels such as social media to send visitors to forms

What else do I need to be aware of?

The rules apply to email addresses that you have been given in real life, too. The correct way to collect email addresses requires that people have given you the same positive affirmation required for collecting addresses online. You must be able to prove it if necessary. One possible solution for in-store or exhibition data collection is to use a tablet with a correctly designed sign-up form.

It is worth noting that you can still email addresses with no personally identifiable data – such as info@oxfordstones.com.
