Skip to content

GDPR readiness: collecting and recording consent for email marketing

collecting and recording consent

Collecting and recording consent for your email marketing audience

Updated:  January 2019 (on Data Protection Day).

GDPR is still causing marketers confusion.  We know what the rules should be, but we also know that some of these rules could be open to some ‘interpretation’.

I wrote a rant waay back, in February 2018 back on the lack of guidance on the rules around collecting consent and it feels like people are still confused as to what they can and can’t do.  The evidence points to the fact that the ICO is only just announcing rulings from events in early 2018, so they haven’t reached the ‘new frontier’ of GDPR as yet.  My feeling is that we are only going to get full clarity when the first rulings appear.

So our opinion remains the same as it was back in February 2018 when this post was originally written.

We don’t want you to panic, and we want to help you plan not panic.

This post is to explain the steps we’ve taken so far in relation to consent, and how we are helping email marketers using Websand to manage their approach for GDPR.

The GDPR rules

So let’s focus on what we do know …

Collecting consent

Collecting consent is one of the six legal grounds for data processing.  In this case, we are going to focus on the collection of consent for email marketing purposes.

Here are some relevant bulletpoints from what the ICO are currently recommending.

  • Consent should offer the individual real choice and control.
  • Consent requires a positive opt-in – no pre-ticked boxes or other method of consent by default.
  • Explicit consent requires a very clear and specific statement of consent and that statement of consent needs to be separate from other terms and conditions.
  • Keep consent under review, and update if anything changes.
  • Do not make consent a precondition of a service.

So from an email marketing side, it’s pretty simple.

  • Make sure you capture positive opt-in of consent from your audience.
  • Make sure you are clear about what that consent means.  Namely, how the data they’ve provided will be used and also how the user can withdraw their consent.

If you are currently collecting ‘soft opt-in’ data with a pre-ticked box.  A quick GDPR win would be to change that process NOW.

You’ll note we are not getting into the area (minefield) of legitimate interest for consent.  That is unique to each business and the circumstances surrounding the product or service they offer.

Recording consent

When looking at article 7 of the GDPR text, things are much clearer.  If you need to collect consent, you’ll need to accurately record the consent you’ve collected. 

That includes what type of communications and by which marketing channels people have consented to receive direct marketing.

You’ll need to keep a record of that consent so you can demonstrate it.  You need to record:

  • The person’s name
  • The date of consent
  • A copy what they have agreed to (be that a privacy policy, a data collection notice or a call centre script)

Since this references are likely to change, you’ll need to keep different versions on file so you have a definitive record of what people agreed to, at the time of consent.

It’s the same process used by software providers when you agree to the revised terms and conditions when you update software on your phone.  Only this time applied to recording consent for marketing.

Recording consent from your audience

You are going to need to record consent.  How it was collected.  When it was collected, what is was collected against and where it was collected.

That part of GDPR has been widely understood for some time.  It’s also a key reason why we structure the mandatory fields for subscribers in Websand.

Unlike other email platforms, just providing an email isn’t enough.  We need you to provide the date the information was collected and where it was collected.

See our WordPress widget

When transferred into Websand, that gives you a record of consent for that person within Websand.

recording consent in Websand

This being GDPR, this is only part of the story.  You should still keep a record of the wording used at the point of signup (privacy policies, or otherwise).  So you know exactly what people signed up against at the time of signup.

Importing data using CSV

If you are used to using other email marketing platforms, you’ll be used to simply uploading email addresses.  With Websand you need to be a little more sophisticated than that, but it’s for your own good.  This sophistication makes sure you are collecting and recording the consent you have from your audience to be GDPR compliant.

So if you are importing data into Websand using a CSV.  You’ll need to collect the following information as a minimum

  • email address
  • date of signup
  • source of signup

You can also add any other subscriber data you collect as part of the signup process.

That will look something like this when in a spreadsheet.

Websand Audience Import Data Template Google Sheet Screenshot

Of course, make sure you collect the minimum amount of information (only the info you really need for your marketing).  That policy will save you a lot of potential issues in the future.

Recording consent to Websand via API

If you are connecting your system to Websand using our REST API.  The same process applies you’ll need to collect the following information as a minimum

  • email address
  • date of signup
  • source of signup

You can also add any other subscriber data you collect as part of the signup process.

Access the full API documentation for subscribers here.


Recording consent to Websand via existing integrations

We are connecting to more and more systems through integration partnerships, or widgets we create.  The same principles apply as explained earlier, we collect the following information as a minimum.

  • email address
  • date of signup
  • source of signup

If you are using WordPress, our WordPress subscription widget will help you to quickly collect consent in a GDPR compliant way.

The same is true if you decide to connect via Zapier

P.S.  Zapier also has an awesome example of a GDPR compliant Privacy Policy. Check that out here.

Getting your email marketing ready for GDPR

Hope that helps lift some of the fog around consent and our plan to help you collecting and recording consent for your email marketing audience.  A key part of getting ready for GDPR, and something you can take action on now  

So if you want to get your email marketing GDPR compliant book a call below

1 thought on “GDPR readiness: collecting and recording consent for email marketing”

  1. I absolutely love your ᴡebsite.. Great colors & theme.

    Diⅾ you build this web site yourself? Please reply back as I’m hߋping
    to create my оѡn personal webѕite and would lіke to find out where you ɡot this from or just what thе theme is named.


Leave a Reply

Your email address will not be published. Required fields are marked *