GDPR friendly subscription forms – what mistakes to avoid

In the last post we covered general information about GDPR (General Data Protection Regulation) and how to make sure your existing subscribers list is legal. But there is another thing that GDPR is going to *change forever* (insert dramatic music) – the way you collect your subscribers through subscription forms. Subscription forms and pop-ups will now need to change to reflect the new regulations. Here are some practical tips (with examples!) on how to create GDPR-friendly subscription forms (Disclaimer: remember, this is *not* legal advice on how to adapt your business to GDPR and we do not assume liability for the accuracy of the information below – even though we do our best! Ask a legal professional if you have any specific questions).

There are a few main things that you need to remember regarding the new GDPR-compliant subscription forms:

1. Collect consent through affirmative action, not by tricking your customers/readers into subscribing to your newsletters because they forgot to opt out of something:
DON’T: pre-ticked boxes or OPT-OUT forms:

Example of a PRE-TICKED BOX (car-rental company): 

Pre-checked boxes are a no-no according to GDPR

Sneaky! In order to rent a car for my holidays, I needed to give my email address to fulfil the order. At the bottom of the order page, there is a little pre-ticked box with fine print signing me up for the car rental’s newsletter – something I probably wouldn’t be interested in, but there is a chance that I will overlook the little pre-ticked box and land on the subscribers’ list anyway…

Example of an OPT-OUT: 

Sneaky sneaky! An airline I was recently buying tickets from was trying to use my email that I gave them to fulfil my order (send me the e-tickets) to send me their newsletter without my explicit consent.

Both examples above are illegal practices according to GDPR (even if the companies weren’t based in the EU – I am an EU resident and they need to comply with GDPR if they want to process my data).

WHY?

I did not *give* them my consent through an *affirmative action* – both companies *assumed* I wanted to receive the newsletter from them and made it the default. So in order not to receive these communications, I would have to opt out.

RULE NO 1: the subscribers need to give you a clear consent to receive emails by affirmative action, e.g. ticking the boxes themselves.

As pointed out by Tim Watson, Article 4(11) of GDPR defines consent as:

‘freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed’

Now, this ‘clear affirmative action’ is further specified in Recital 25:

‘Silence, pre-ticked boxes or inactivity should therefore not constitute consent.’

2. One purpose, one consent – create a separate consent box for each *type* of email you are planning to send in your newsletter:

You need to state very clearly *each* purpose you will be sending the newsletter for – so, say – if you have a subscription form for ‘top marketing tips’, you also need to include a separate consent tick-box if you want to send offers for paid courses to the subscriber.

Also, you will need to add separate consent tick-boxes to send emails from your company subsidiaries:


GDPR requires separate consent for each email purpose.

Source: https://secure.tesco.com/account/en-GB/register?newReg=true&from=https%3A%2F%2Fwww.tesco.com%2Fgroceries%2F&_ga=2.70113298.367025957.1525764305-77532811.1525764305

3. Make it clear how to unsubscribe

In the same Tesco example, you can see clear instructions on how to unsubscribe even before you give up your email:

Include a 'how to unsubscribe' note in your email to make it legal according to GDPR

4. Include a link to terms and conditions of the subscription

Yes, you need to have a separate privacy policy for the newsletter; hiding your subscription’s terms and conditions in some 50-page long general terms and conditions does not cut it anymore.

How about quick sign-up boxes and pop-up forms?

GDPR friendly pop up example

Source: http://www.gf4b.co.uk/wp-content/uploads/2017/10/GDPR-Whitepaper-Forms.pdf

So, what conditions need to be met for short sign-up boxes/pop-ups?

  • they need to clearly state the purpose of the newsletter
  • they need to have a sign-up button that will allow the subscriber to express their consent through a clear affirmative action (pressing the button!)
  • they need to be written in a clear, understandable language
  • they need to have a link to terms and conditions specifically for the newsletter (not buried somewhere in 20-page long general terms of use!)
  • they shouldn’t include incentives – e.g. if you want to give someone a freebie, you can, but you need to include a separate consent box if you want to send people a newsletter afterwards

Conclusion:

DO:

  1. include a way to express clear affirmative action (by ticking a box or clicking a button)
  2. write your subscription forms in a clear language
  3. include a separate consent form for each purpose… and for each sender (e.g. subsidiary company)
  4. include a link to terms and conditions of the subscription
  5. include information about how to unsubscribe

DON’T:

  1. fool subscribers into subscribing for your newsletters by pre-ticking consent boxes or including an opt-out rather than opt-in
  2. hide the real purpose of the subscription in the subscription form (e.g. by providing an incentive to sign-up)
  3. hide the terms and conditions of the subscription in some general terms and conditions
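As an added example (not from the original post), here is a small JavaScript check that lints a form definition against the DO/DON'T lists above and builds the consent records to store from a submission; the form shape, field names and company names are constructed for the example.

```javascript
// Added example, not from the original post: lint a subscription form
// definition against the DO/DON'T checklist. The form shape (consents,
// plannedMailings, termsUrl, unsubscribeNote) is a constructed convention.
function lintSubscriptionForm(form) {
  const problems = [];
  const covered = new Set();
  for (const c of form.consents || []) {
    // DON'T 1: consent is an affirmative opt-in, never pre-ticked or opt-out
    if (c.defaultChecked) problems.push(`"${c.id}" is pre-ticked`);
    if (c.optOut) problems.push(`"${c.id}" is worded as an opt-out`);
    // DO 3: one purpose and one sender per consent box
    if (!c.purpose || !c.sender) problems.push(`"${c.id}" lacks a purpose or sender`);
    const key = `${c.sender} / ${c.purpose}`;
    if (covered.has(key)) problems.push(`"${c.id}" duplicates consent for ${key}`);
    covered.add(key);
  }
  // Every mailing you plan to send needs a consent box of its own
  for (const m of form.plannedMailings || []) {
    const key = `${m.sender} / ${m.purpose}`;
    if (!covered.has(key)) problems.push(`no consent box for ${key}`);
  }
  // DO 4 and DO 5: newsletter-specific terms link and unsubscribe information
  if (!form.termsUrl) problems.push('missing link to newsletter-specific terms');
  if (!form.unsubscribeNote) problems.push('missing unsubscribe instructions');
  return problems;
}
// Consent records to store from a submission: only boxes the subscriber
// ticked count, and each record keeps the evidence (time, form, terms) that
// consent was given for exactly that purpose and sender.
function recordConsents(form, submission, now = new Date()) {
  return (form.consents || [])
    .filter((c) => submission.ticked.includes(c.id))
    .map((c) => ({ email: submission.email, sender: c.sender, purpose: c.purpose,
                   givenAt: now.toISOString(), formId: form.id, termsUrl: form.termsUrl }));
}
// Constructed forms: the first mirrors the car-rental checkout in the post,
// the second follows the checklist (the example.com URL is a placeholder).
const carRentalForm = {
  id: 'checkout', plannedMailings: [{ sender: 'CarRental Ltd', purpose: 'newsletter' }],
  consents: [{ id: 'news', sender: 'CarRental Ltd', purpose: 'newsletter', defaultChecked: true }],
};
const goodForm = {
  id: 'signup-v2', termsUrl: 'https://example.com/newsletter-terms',
  unsubscribeNote: 'Every email carries an unsubscribe link.',
  consents: [{ id: 'tips', sender: 'Example Co', purpose: 'marketing tips' },
             { id: 'offers', sender: 'Example Co', purpose: 'paid course offers' }],
  plannedMailings: [{ sender: 'Example Co', purpose: 'marketing tips' },
                    { sender: 'Example Co', purpose: 'paid course offers' }],
};
```

Running `lintSubscriptionForm(carRentalForm)` reports the pre-ticked box plus the missing terms link and unsubscribe note, while `goodForm` passes clean.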

Hope this clears things up a bit! If you have any questions, let me know in the comments!

Emilia