How-to: Gaining consent under GDPR (Part III)

Best practices for consent forms

Sifting through the mass of materials and example best practices to help you bring your consent forms into compliance with these new regulations, this is what we've come up with in working for clients.

Be up-front: your consent forms should open with a statement on 'how we use your personal information.' That is, what you collect, where it goes, how it is used, updated, if it is shared, how and with whom.

No doubt or ambiguity: users  need to easily understand what they are consenting to, using the simplest language possible. The old fashioned opt-out "do not contact me by email" is no longer valid.

Be granular - that is, specific by listing all the channels through which you will be contacting people.  For example:
I agree to be contacted:
[ ] by email
[ ] by phone
[ ] by SMS text
[ ] by direct mail

Ideally, this should also apply to frequency of communication; daily, weekly, fortnightly, monthly, but in practical terms this turns a simple consent form into a marketing grid the size of Alaska. While the ICO would like consent to be gained at each level, the frequency of communication may be so variable for some organisations (say, those promoting events or notifying breaking news), it doesn't appear to be a hard rule. This could change, however.

Name your organisation collecting the information and the organisations with whom you may share information. We have set-up a 'Trusted Partners' list to name third parties and explain the nature of the information share; this should be explicitly referenced and linked from the Privacy Policy and/or service terms and conditions.

Include confirmation boxes for service terms and conditions (terms of access, sales terms, identify verifications et. al.) and an updated privacy policy. Link to the full text of each of those documents, of course.

Do not pre-tick any boxes on the forms - users should actively opt in.

Equal prominence should be given to all option boxes, with no bias to opt-in - either in size, colour, font, borders, backgrounds, decoration  - and no bais against opt out.

Do not tie consent to other agreements, nor use incentives; 'sign here to receive a free bottle of snake oil' may seem obvious, but this includes free extensions of subscriptions, entries to prize draws and discount vouchers.

Explain how users can withdraw consent at any time and link to the process to to this

For example:
'All our communications contain an unsubscribe link.'

'If you wish to stop receiving communications from us, please update your preferences by following the preference link in our emails and website footer.'

Channel-specific consent forms: remember that entry into a subscription list can come from a range of different channels and media - online from registration pages, a quick sign-up form, exit pop-ups and checkout pages, to social media channels and mobile apps; don't forget paper registration forms at events and classes. You will need a process to merge and consolidate the preferences of any individual whose data you hold across ALL channels!

Remember to get your new subscriptions process approved by your legal advisors before going live. RC