Collecting consent – notes on GDPR
Opening notes on Collecting Consent
Collecting consent is a huge challenge as everyone prepares for GDPR. It’s a complex field and different for each business based on product/service they offer, their current practices, how they process data and their existing audience.
GDPR is not a small undertaking. It’s incredibly frustrating and disappointing that, 5 months before implementation, grey areas remain, timetables of guidance are being missed and, as a result, misinformation is rampant. This post is based on information published in December 2017; at the time of writing, the last ICO guidance on consent was from March 2017.
We will update this post on collecting consent as more clarity emerges.
Collecting Consent – the art of engagement
Digital marketers are gearing up for the post-GDPR world and a big part of this is collecting consent. This is not a new thing. Frankly, that’s been the focus of most digital marketers for a long time.
To explain, here’s a typical marketing approach.
- Use PPC campaigns, social media and/or landing pages to get people to show their interest.
- Interest usually means a positive action from an individual, such as providing an email address or other personal data. That action is proof of interest.
- From that point, your email programmes and campaigns take over to nurture the audience towards a sale.
- Once you’ve made the sale, then email programmes can be used to build the relationship and nurture customer loyalty.
Digital marketing is a discipline that demands continuous improvement. If you aren’t getting good results you aren’t going to be in a digital marketing role for very long. And if you haven’t got consent from your audience you aren’t going to get the best results.
Since you want great results, it should be no surprise that collecting consent is considered to be part of best practice for email marketing. Transparency helps build trust and that can only be a good thing.
The detail of collecting consent
It’s a fact that it’s impossible to do email marketing without data. So consent is usually collected at the point where an email address is captured.
“‘Opt-in’ to receive special offers”
But other data is also normally collected, tracked and analysed to improve campaign conversions: analytics from other parts of the funnel, such as your PPC campaigns and social engagement, and website behaviour from tools such as Google Analytics and Hotjar.
Are you collecting consent for this data that is generated from your audience? It’s probably unlikely.
The requirements of consent. What does consent actually mean?
Consent is when someone agrees to share their personal data with a company under agreed terms.
Those terms may include ‘processing’ for further categorisation or further analysis. For example Tinder might want to use your behavioural data within their app to improve their ‘algorithm’.
Here is what you need to have in place (based on the ICO Guidance March 2017 – this will be updated as references are updated).
Consent must be separate from other terms and conditions, and it shouldn’t be a precondition of signing up for a service (unless it’s absolutely necessary for that service – see legal grounds).
Opt-in boxes (or their equivalent) must be unticked by default. Pre-ticked boxes are not acceptable.
You need to collect individual consent for each type of processing you apply. For example, a marketing opt-in and acceptance of your data being used for R&D of an application will need separate consent.
You need to name your organisation and whoever else is relying upon the consent you collect. For example, if you share data within a group of companies, you would need to specify the names of the other companies and collect specific, separate consent for each of them.
Note that Websand is regarded as a data processor that marketers use to send email marketing on their behalf. Outsourced service providers such as Websand are excluded from the definition of third-parties under GDPR.
You need to keep records to show what the individual has agreed to, what they were told at the time, along with when and how they consented.
Ability to withdraw
Easy in, easy out. You need to make it as easy for people to withdraw consent as it is to provide consent.
No imbalance in the relationship
Just because you currently hold data on someone doesn’t mean you have consent once GDPR comes into action. Consent needs to be freely given by individuals, rather than taken.
Our plans for Websand
With Websand we’ve been following GDPR compliance closely, to make sure that we give the marketers using our platform all the tools they need to manage consent. As a first stage we’ve built active opt-in into our WordPress widget and made the source and date of consent mandatory fields within our subscriber API and CSV import process.
We’ve more work to do as the rules become clearer, and more features on managing consent and other elements of GDPR will follow before May 2018.
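As an added example that is not Websand’s code or part of the original post, here is a small Python model of a consent record that enforces the points listed above: separate consent per purpose, no pre-ticked defaults, named organisations relying on the consent, the source, date and wording recorded at the time, and withdrawal as easy as granting. It also rejects CSV import rows that lack a consent source or date, in the spirit of the mandatory fields described for the import process. The purpose labels, column names and sample rows are constructed assumptions, not Websand’s actual schema.

```python
"""Consent records with an audit trail and strict CSV import (hypothetical example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import csv
import io

# Each processing purpose needs its own consent. Labels are constructed examples.
PURPOSES = {"marketing_email", "product_research"}


@dataclass
class ConsentEvent:
    purpose: str
    granted: bool
    source: str              # how consent was given or withdrawn, e.g. "web_form:/signup"
    recorded_at: datetime    # when it happened
    notice_text: str = ""    # what the person was told at the time (required when granting)
    controllers: tuple = ()  # named organisations relying on the consent (required when granting)


@dataclass
class Subscriber:
    email: str
    history: list = field(default_factory=list)  # append-only audit trail

    def record(self, event: ConsentEvent) -> None:
        """Store one consent event, refusing anything that could not evidence consent later."""
        if event.purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {event.purpose!r}; consent is collected per purpose")
        if not event.source or event.recorded_at is None:
            raise ValueError("source and date of consent are mandatory")
        if event.granted and (not event.notice_text or not event.controllers):
            raise ValueError("a grant must record what was said and who relies on it")
        self.history.append(event)

    def has_consent(self, purpose: str) -> bool:
        """The latest event for a purpose decides; merely holding the address is not consent."""
        for ev in reversed(self.history):
            if ev.purpose == purpose:
                return ev.granted
        return False

    def withdraw(self, purpose: str, source: str, when: datetime) -> None:
        """Withdrawal is a single call, as easy as granting, and stays in the history."""
        self.record(ConsentEvent(purpose, False, source, when))


def check_form_defaults(defaults: dict) -> list:
    """Return the purposes whose opt-in box would be pre-ticked; any result means the form fails."""
    return sorted(p for p, ticked in defaults.items() if ticked)


def import_csv(text: str, controllers: tuple) -> tuple:
    """Import subscribers from CSV. Rows missing consent source or date are rejected, not defaulted."""
    accepted: dict = {}
    rejected: list = []
    for row in csv.DictReader(io.StringIO(text)):
        email = row.get("email", "?")
        try:
            when = datetime.fromisoformat(row.get("consent_date") or "")  # empty date raises
            event = ConsentEvent(row["purpose"], True, row.get("consent_source", ""),
                                 when, row.get("notice_text", ""), controllers)
            sub = accepted.get(email) or Subscriber(email)
            sub.record(event)          # raises on empty source or missing notice text
            accepted[email] = sub
        except (ValueError, KeyError):
            rejected.append(email)
    return accepted, rejected


# Constructed sample export: the second row has no source or date and must be rejected.
SAMPLE_CSV = """email,purpose,consent_source,consent_date,notice_text
ann@example.com,marketing_email,web_form:/signup,2017-12-01T10:00:00+00:00,Tick to receive offers from Example Ltd
bob@example.com,marketing_email,,,
cy@example.com,product_research,paper_form:event,2017-11-20T09:30:00+00:00,We may use your app usage to improve the service
"""


def demo() -> dict:
    """Run the import, then withdraw one consent, and report who may be emailed."""
    accepted, rejected = import_csv(SAMPLE_CSV, controllers=("Example Ltd",))
    accepted["ann@example.com"].withdraw("marketing_email", "unsubscribe_link",
                                         datetime.now(timezone.utc))
    return {
        "rejected": rejected,
        "ann_marketing": accepted["ann@example.com"].has_consent("marketing_email"),
        "cy_marketing": accepted["cy@example.com"].has_consent("marketing_email"),
        "cy_research": accepted["cy@example.com"].has_consent("product_research"),
        "ann_history_len": len(accepted["ann@example.com"].history),
    }


if __name__ == "__main__":
    print(demo())
    print("pre-ticked:", check_form_defaults({"marketing_email": True, "product_research": False}))
```

Two design points are worth noting. Consent is never derived from the absence of an opt-out: `has_consent` returns false unless a positive event exists for that exact purpose, which is why `cy@example.com`, who consented only to research, cannot be emailed marketing. And withdrawals are appended rather than overwriting the grant, so the record still shows what was agreed, when, and how it was later withdrawn.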
The meaning of collecting consent within GDPR
Simply put, GDPR puts individuals in control of their own personal data. They can decide what personal data you can use based on the ways you’ve described you are going to use it.
If you are collecting data, it’s not just an opt-in for marketing messages, you also need to collect consent on how you are going to use the data you collect. And how you use the data needs to be clear and explained in plain English.
So you need to be transparent about how you use the data you collect, and then collect active consent from the individual for each use.
Do I always need to collect consent?
Consent is only one of the options available to you. Do you always need consent? In most cases, yes, but you can also process data if the processing falls under one of the five other legal grounds listed here.
1. Contractual. When it is necessary for the performance of a contract between an individual and a business to request acceptance of ‘processing’ prior to entering a contract.
2. Obligation. The company has a legal obligation to process the data provided as part of the service offered. This will typically be used by public service providers.
3. Individual. Data processing is necessary to protect the vital interest of an individual.
4. Statutory. Where data processing is required as a statutory function of the organisation, or the wider interests of society.
5. Legitimate interests. In some cases, a legitimate interest exists for a company to process data without explicit consent. For example when someone purchases something from you online, it’s perfectly reasonable and expected that you deliver the item that has been purchased. In order to do so, you need to process personal data, and it’s reasonable for you to do so under ‘legitimate interests’.
A lot of companies will consider legitimate interests as a way around consent. This is potentially a dangerous strategy and it’s a very grey and subjective area. It could well be that legitimate interests exist to allow you to process data without consent, but you need to consider carefully when such occasions would arise.
It’s important to note that all of the above have equal legal footing. So you only need to choose one of the legal grounds to be compliant under GDPR.
What about collecting consent from my existing data?
This is one of the issues facing digital marketers with an existing audience. Under GDPR you need to have either ‘legal grounds’ for processing or have clear records to demonstrate consent from your audience.
If you already have the data from an individual, that doesn’t mean you have consent. The fact that someone hasn’t unsubscribed or opted out of your existing marketing communications doesn’t mean you have consent.
However, if you already have ‘clear’ opt-in from your audience and you can demonstrate that, then you don’t need to obtain fresh consent for marketing.
IMPORTANT NOTE. You only want to run a ‘consent’ campaign once. So make sure you have your GDPR plan in place before collecting new consent from your existing audience. Otherwise you might need to ask them for consent again before you are fully GDPR ready.
What happens after May 2018
As I said earlier, digital marketing is a discipline that demands continuous improvement. So it should be no surprise that GDPR compliance is not a ‘one off’ thing.
“(GDPR) It’s an evolutionary process for organisations – 25 May is the date the legislation takes effect but no business stands still. You will be expected to continue to identify and address emerging privacy and security risks in the weeks, months and years beyond May 2018.” Elizabeth Denham, ICO Commissioner. https://iconewsblog.org.uk/2017/12/22/gdpr-is-not-y2k/
So you might be bang on with your GDPR plans in May 2018, but you are going to need to stay in that mindset. Privacy by design will be the new mantra.
For example, if you introduce a new service or new means of processing data then you are going to need to figure out how that fits into your GDPR compliance and consent framework before you can introduce the processing of this data into your activities.
Of course your priority in the meantime is making sure you are ready for GDPR in May 2018.
Need help with your GDPR planning?
We aren’t lawyers but we have been following GDPR since the very early stages (2014). We believe it’s a data driven exercise specific to each business. No silver bullets exist to deal with this, and with this post we are scratching the surface of a potentially very complicated subject.
Also published on Medium.