A practical guide: how to get your website GDPR compliant



2. GDPR implications for Marketing opt-in forms.

There are many advantages to having dedicated 'opt-in' forms to gain consent for sending marketing communications (mailing lists, white-paper downloads, etc.), including:

The purpose of the form is clear to individuals, as is the lawful basis upon which you are asking for the personal data (consent)
You can use your email marketing software forms (embedded in your website), so that subscribers are automatically added to your email marketing (or other) mailing list
You can segment subscribers according to the form they use to subscribe and their specific interests
You can use the forms liberally across your website using 'call-to-action' graphics and exit intent pop-ups to encourage subscription
You can attract subscribers using lead magnets and 'opt-in' focused dedicated landing pages
You can redirect opt-ins to dedicated 'thank-you' pages that can be used to track conversions and offer up-sell
You can trigger automated email sequences / marketing automation series based upon the opt-in

You will need to decide whether the subscription process requires a single opt-in or double opt-in for subscribers. There is no specific requirement under GDPR to use double opt-in, but it is good practice and it also helps you cleanse your lists of malformed emails.

As with all marketing opt-in forms you should ensure:

That opt-in is given freely and consent fields are not pre-filled or mandatory. Pre-ticked opt-in boxes are invalid.
That you 'unbundle' consent requests by including separate opt-in statements for each permission request. If, for example, subscribing to a newsletter is required in order to download a white-paper, then consent to the newsletter is not freely given as it is conditional on the white-paper. This is not GDPR compliant.
That you provide granular consent options for different types of processing/communication wherever appropriate, e.g. separate tick boxes enabling individuals to determine their communication preferences, such as receiving news by SMS, by email or by post. For example:

[Image: granular subscriptions]
You should store the date and method of opt-in consent (so you have an audit trail) including who gave the consent, what they were told at the time of consenting and whether they have withdrawn consent. Your email marketing software should also enable this. If not, you need to develop a process for handling this.
Preferably the opt-in should also be confirmed by email (double opt-in), although this isn't a specific requirement of GDPR
Consent should be easy to withdraw. For example, a promotional email should include a link to unsubscribe or to update communication preferences.

For email marketing please also be aware that the requirements of GDPR are in addition to The Privacy and Electronic Communications (EC Directive) Regulations. Find out more about how these regulations work in conjunction with your permission based email marketing.

Examples of good marketing opt-in forms...

[Image: GDPR compliant subscription]

Our recommendation:

Use a dedicated form for the purpose of gaining consent for individuals to join your mailing list
Generate subscription forms from within your email marketing software to ensure subscribers are automatically added to your mailing list with an auditable record of when the subscription occurred
Include a clear compelling description (title) of what the individual is signing up to.
Avoid being boring! Do you really want to say 'Join our Mailing List'? Get creative and give people a reason to subscribe to your mailing list by providing a clear reason / benefit.
Include a tick-box (not pre-ticked!) with a consent statement, e.g. "I consent to COMPANY NAME collecting my name and email address" OR "I agree to COMPANY NAME privacy policy and terms"
Ensure your privacy policy clearly sets out how you will process and store the data along with details about your retention policy
Only keep the data for as long as you need it and regularly review (annually) the data to determine if you still need it
If your retention policy says that you will retain the data until such time as you decide you no longer need it, or until the individual unsubscribes or requests erasure, you don't need to annually re-seek permission to keep in contact, provided you have a GDPR compliant opt-in initially
Add social proof / links to your marketing opt-in forms linking to your social media platforms encouraging individuals to connect with you in multiple ways

Here are a couple of good examples:

[Image: creative subscription form]

What about your existing mailing lists?

If you have existing databases that you use for marketing purposes, you need to audit them and determine if consent was provided in a GDPR compliant way. If it was, or if you don't need to get consent, you can continue to send marketing communications. If consent wasn't obtained, or if you are not sure, you will need to seek re-permission to continue to send marketing communications. Take a look at our latest blog article with tips and ideas for auditing your pre-GDPR lists and ideas for running re-permission campaigns.