The GDPR is in full swing for the European Union (EU), and that means more work for brands processing the data of EU citizens. But it doesn’t always mean more work regarding obtaining consent for such data processing — if you’ve already done so in a GDPR-compliant manner.
Obtaining consent is one of six lawful ways you can legitimately process personal data, according to the GDPR. And while many are still suffering the after-effects of GDPR consent spam, it remains a viable method of ensuring your brand stays on the right side of the regulation. If your organization chooses to use this option, it needs to be a thorough, targeted effort that leaves people clear on where their data is heading.
The other ways to legally process data include:
- Contractual necessity.
- Compliance with legal obligations.
- Vital interests of a natural person that may not be the data subject.
- Public interest.
- Legitimate interests, as in the case of preventing fraud.
We caught up with some experts to hear their tips on how to obtain consent without annoying your customers.
Consent Must Be ‘Properly Targeted’
Jack Carvel, general counsel at Qubit, told CMSWire if your brand is relying on consent, make sure it's clear, concise and properly targeted. “Genuine consent,” he said, “should put individuals in charge, build trust and promote engagement. In an online context, this can be difficult to achieve, but it is not impossible.”
True consent, done properly, enhances a company’s reputation and builds a greater degree of trust with end users, he added. Consider adjusting your consent mechanism according to the specific audience you are targeting. This will require sophisticated segmentation tools.
Consent Communication Needs to Be Crystal Clear
As a baseline, institutions seeking consent need to communicate to users the controller’s identity, the purpose for data collection, the data being collected, their right to withdraw consent, and whether their data will be used for purposes beyond that of the requesting organization, said Chaitanya Chandrasekar, co-founder and CEO of QuanticMind.
“Depending on how the organization in question processes data, though, it’s entirely possible there is more that needs to be communicated to those from whom consent is being requested,” Chandrasekar cautioned. “So, even if you’re communicating the bare necessities, the reality is it may not be enough.” Understand that the extent of your processing activities will inform whatever else it is you may need to communicate to ensure legitimate consent.
Also, organizations should be fully aware of their processing activities and have clear documentation as to what those activities are in order to meet GDPR Article 30 requirements.
Deploy a Verifiable Consent Method
Chandrasekar cited three situations where consent alone will not suffice and “explicit consent” must be given by a data subject:
- Processing special categories of data.
- Automated individual decision making.
- International data transfers.
Methods for gaining “explicit consent” include electronic forms, emails or the upload of scanned documents with the data subject’s signature/electronic signature. “In general,” Chandrasekar said, “the medium used to gain consent should provide verifiable proof of ‘explicit consent.’ The best way to get explicit consent from a data subject is a two-step verification process, precisely because it is trackable and can provide proof of consent.” The written request for consent, he added, should be separated from other terms and conditions, clearly visible to the data subject, user-friendly and written in plain language free from jargon. In other words, it should be informed, affirmative and distinguishable, Chandrasekar said.
Make Things Easy for Your Data Subjects
Chandrasekar offered some practical ways to obtain consent that won’t leave your customers, prospects and visitors scratching their heads:
- Don’t bury important consent information in the Terms & Conditions. Consent requests must be distinguishable so data subjects understand they are giving consent.
- Stop using pre-checked opt-in boxes that consumers can overlook. They must take “affirmative” action to opt in.
- Enable data subjects to quickly and easily revoke their consent at any time.
Define Where You Have Legitimate Interest
Give clear notice to the individual why you are asking for the data. Explain how it will be used and where it will be stored, and keep it only for as long as it’s needed. These are sure ways to guarantee that your audience is well-suited and that your communications and data are relevant, according to Peter Yeung, vice president, general counsel and global data protection officer at Episerver. “While it’s critical to have affirmative consent, legitimate interest or contractual obligations from consumers as a basis for processing their personal data,” Yeung said, “brands must also realize that consumers unsubscribing from an email doesn’t automatically mean they’re opting out of processing of their data completely.”
Consumers, he added, appear on different databases for different reasons. “Just because they don’t want a brand’s newsletter doesn’t mean they don’t want to receive special offers or other types of messages from brands,” Yeung said. “At the end of the day, what’s most important is that each set of records is GDPR-compliant, regardless of the basis in which you’re controlling or processing their data.”
Be clear when requesting affirmative consent, defining where you have legitimate interest or clarifying where you have a contractual obligation to them, Yeung added. Clarify which types of messages they want to receive, how long you can interact with them, and how they can opt out of such communication and/or processing.
Conduct an Opt-In Confirmation Campaign
An opt-in confirmation campaign is a brand’s best approach to secure affirmative consent from consumers, said Charles-Augustus Nas-Omogiafo, senior director of client services for Yes Lifecycle Marketing's UK clients. “These types of campaigns,” he said, “give individuals already in a brand’s database, and not opted out of marketing messages, the ability to affirm consent and clarify their preferences for marketing communications.”
Make sure the campaigns are multi-touch and multi-channel and include affirmative re-consent messaging across a range of relevant touch points, including emails, push notifications and social ads. “Brands should give consumers multiple opportunities to provide their opt-in confirmation, with at least two touches at a minimum,” Nas-Omogiafo said. “Providing details and examples of the messaging and content consumers can expect from your brand will reinforce to them the value of re-opting in.”
Brands can also use opt-in confirmation campaigns, he said, to remind subscribers of the terms of their consent. Having this reminder along with the benefits of consent can help reduce attrition rates.