How-to: Gaining consent under GDPR (Part III)
Best practices for consent formsSifting through the mass of materials and example best practices to help you bring your consent forms into compliance with these new regulations, this is what we've come up with in working for clients.
Be up-front: your consent forms should open with a statement on 'how we use your personal information.' That is, what you collect, where it goes, how it is used, updated, if it is shared, how and with whom.
No doubt or ambiguity: users need to easily understand what they are consenting to, using the simplest language possible. The old fashioned opt-out "do not contact me by email" is no longer valid.
Be granular - that is, specific by listing all the channels through which you will be contacting people. For example:
I agree to be contacted:
[ ] by email
[ ] by phone
[ ] by SMS text
[ ] by direct mail
Ideally, this should also apply to frequency of communication; daily, weekly, fortnightly, monthly, but in practical terms this turns a simple consent form into a marketing grid the size of Alaska. While the ICO would like consent to be gained at each level, the frequency of communication may be so variable for some organisations (say, those promoting events or notifying breaking news), it doesn't appear to be a hard rule. This could change, however.
Do not pre-tick any boxes on the forms - users should actively opt in.
Equal prominence should be given to all option boxes, with no bias to opt-in - either in size, colour, font, borders, backgrounds, decoration - and no bais against opt out.
Do not tie consent to other agreements, nor use incentives; 'sign here to receive a free bottle of snake oil' may seem obvious, but this includes free extensions of subscriptions, entries to prize draws and discount vouchers.
Explain how users can withdraw consent at any time and link to the process to to this
'All our communications contain an unsubscribe link.'
'If you wish to stop receiving communications from us, please update your preferences by following the preference link in our emails and website footer.'
Channel-specific consent forms: remember that entry into a subscription list can come from a range of different channels and media - online from registration pages, a quick sign-up form, exit pop-ups and checkout pages, to social media channels and mobile apps; don't forget paper registration forms at events and classes. You will need a process to merge and consolidate the preferences of any individual whose data you hold across ALL channels!
Remember to get your new subscriptions process approved by your legal advisors before going live. RC