GDPR readiness: collecting and recording consent for email marketing

Collecting and recording consent for your email marketing audience

Whatever your plans are for GDPR collecting consent is going to be a big part of your plans.

I wrote a rant a few weeks back on the lack of guidance on the rules around collecting consent and I’m sad to say it’s mid February, less than 100 days to the GDPR implementation date and we still await the final guidance on consent.

It’s looking like a quite a few marketers will be in a blind panic as May approaches.

We don’t want you to panic, and we want to help you plan not panic.

This post is to explain the steps we’ve taken so far in relation to consent, and how we are helping email marketers using Websand to get ready for GDPR.

The GDPR rules

So let’s focus on what we do know …

Collecting consent

Collecting consent is one of the six legal grounds for data processing.  In this case, we are going to focus on the collection of consent for email marketing purposes.

Here are some relevant bulletpoints from what the ICO are currently recommending.

  • Consent should offer the individual real choice and control.
  • Consent requires a positive opt-in – no pre-ticked boxes or other method of consent by default.
  • Explicit consent requires a very clear and specific statement of consent and that statement of consent needs to be separate from other terms and conditions.
  • Keep consent under review, and update if anything changes.
  • Do not make consent a precondition of a service.

So from an email marketing side, it’s pretty simple.

  • Make sure you capture positive opt-in of consent from your audience.
  • Make sure you are clear about what that consent means.  Namely, how the data they’ve provided will be used and also how the user can withdraw their consent.

If you are currently collecting ‘soft opt-in’ data with a pre-ticked box.  A quick GDPR win would be to change that process NOW.

You’ll note we are not getting into the area (minefield) of legitimate interest for consent.  That is unique to each business and the circumstances surrounding the product or service they offer.

Recording consent

When looking at article 7 of the GDPR text, things are much clearer.  If you need to collect consent, you’ll need to accurately record the consent you’ve collected. 

That includes what type of communications and by which marketing channels people have consented to receive direct marketing.

You’ll need to keep a record of that consent so you can demonstrate it.  You need to record:

  • The person’s name
  • The date of consent
  • A copy what they have agreed to (be that a privacy policy, a data collection notice or a call centre script)

Since this references are likely to change, you’ll need to keep different versions on file so you have a definitive record of what people agreed to, at the time of consent.

It’s the same process used by software providers when you agree to the revised terms and conditions when you update software on your phone.  Only this time applied to recording consent for marketing.

Recording consent from your audience

You are going to need to record consent.  How it was collected.  When it was collected, what is was collected against and where it was collected.

That part of GDPR has been widely understood for some time.  It’s also a key reason why we structure the mandatory fields for subscribers in Websand.

Unlike other email platforms, just providing an email isn’t enough.  We need you to provide the date the information was collected and where it was collected.

See our WordPress widget in action below

When transferred into Websand, that gives you a record of consent for that person within Websand.

recording consent in Websand

This being GDPR, this is only part of the story.  You should still keep a record of the wording used at the point of signup (privacy policies, or otherwise).  So you know exactly what people signed up against at the time of signup.

Importing data using CSV

If you are used to using other email marketing platforms, you’ll be used to simply uploading email addresses.  With Websand you need to be a little more sophisticated than that, but it’s for your own good.  This sophistication makes sure you are collecting and recording the consent you have from your audience to be GDPR compliant.

So if you are importing data into Websand using a CSV.  You’ll need to collect the following information as a minimum

  • email address
  • date of signup
  • source of signup

You can also add any other subscriber data you collect as part of the signup process.

That will look something like this when in a spreadsheet.

Of course, make sure you collect the minimum amount of information (only the info you really need for your marketing).  That policy will save you a lot of potential issues in the future.

Recording consent to Websand via API

If you are connecting your system to Websand using our REST API.  The same process applies you’ll need to collect the following information as a minimum

  • email address
  • date of signup
  • source of signup

You can also add any other subscriber data you collect as part of the signup process.

Access the full API documentation for subscribers here.

Recording consent to Websand via existing integrations

We are connecting to more and more systems through integration partnerships, or widgets we create.  The same principles apply as explained earlier, we collect the following information as a minimum.

  • email address
  • date of signup
  • source of signup

If you are using WordPress, our WordPress subscription widget will help you to quickly collect consent in a GDPR compliant way.

The same is true if you decide to connect via Zapier

recording consent via zapier subscriber mapping
Recording consent to Websand using Zapier subscriber mapping

P.S.  Zapier also has an awesome example of a GDPR compliant Privacy Policy. Check that out here.

Getting your email marketing ready for GDPR

Hope that helps lift some of the fog around consent and our plan to help you collecting and recording consent for your email marketing audience.  A key part of getting ready for GDPR, and something you can take action on now  

So if you want to get your email marketing GDPR compliant, complete this form or click here to schedule a chat.

And, if you want to find out more about GDPR then take a look at “really useful”our Introduction to GDPR webinar.


Also published on Medium.