Under the General Data Protection Regulation (GDPR), an organization must be able to justify each type of data processing activity it conducts using one of six lawful bases of processing.
In email marketing, which involves processing contacts' personal data (such as email address and name), consent often makes sense as the lawful basis used to justify the data processing.
Organizations using consent as a lawful basis for data processing need to prove consent was freely given and be prepared to share a record of consent with regulators if asked.
Additionally, data subjects must be able to withdraw consent at any time.
In this guide, we'll explain consent and show you some examples of how you can update the forms on your website to require GDPR-friendly consent. We'll also show you examples of how to prepare to provide proof of consent.
Legal Disclaimer: The information in this guide does not constitute legal advice. This is for informational purposes only, and we strongly encourage you to seek independent legal counsel to understand how your organization needs to comply with the GDPR.
GDPR-Friendly Consent
Lawful consent under the GDPR needs to be both informed and explicit.
Organizations have an obligation to present information about their data processing "in a concise, transparent, intelligible, and easily accessible form, using clear and plain language."
This means:
- An individual must be able to make an actual choice to provide consent. For example, a pre-checked checkbox on a form does not qualify as consent under the GDPR because it removes the affirmative action of giving consent. Individuals must check the box themselves to provide proper consent or click on the confirmation link in an email to confirm that they are opting in to receive your marketing emails.
- The choice to consent must be clearly distinguishable and separate from other initiatives. This means individuals can't be required to consent as a condition for receiving a resource, product, or service.
You can obtain GDPR-friendly consent from contacts by:
- Using checkbox custom fields in a form that contacts must check in order to provide consent, or
- Creating a form that requires confirmation opt-in.
Let's take a look at both ways to set up a form that collects GDPR-friendly consent from your contacts.
Consent Forms Using Checkboxes
You can use checkboxes in a lead capture form on your website to get consent from new leads.
Your GDPR-friendly lead capture form should:
- Provide a clear explanation of what information a contact can expect to receive by submitting your form.
- Include a (not pre-checked) checkbox the contact must check to submit the form, agreeing to your terms of service and privacy policy.
- Provide a checkbox to get consent for each business activity you employ that involves processing personal data. (Remember that each activity must be clearly distinguishable and requires separate consent.)
- Include links to your terms of service and privacy policy.
You can use this example as a starting point for your own consent form, but you should consult with your legal team regarding the exact language it uses.
Checkbox Custom Fields
A custom field represents checkboxes on a form. You must create a new checkbox custom field before you can add it to your form.
To do this, navigate to "Lists" in the main menu on the left, and click "Manage Fields." Click on the New Custom Contact Field button and select "checkboxes" as the type of custom field you would like to create. Click "Next" to continue.
Consent Forms Using Confirmation Opt-In
You can use an opt-in confirmation form instead of or in addition to a lead capture form that uses checkboxes, depending on your needs. Confirmation opt-in forms are useful when you would like to allow new contacts to opt into your email marketing list.
Confirmation opt-in (also known as double opt-in) lets a contact subscribe to your email list by providing their email address, after which a confirmation email is sent to that contact. The contact must click the link in the email to confirm their opt-in before being added to your list.
The easiest way to get consent from your contacts is by always having confirmation opt-in turned on for all of your forms. If a contact hasn't clicked on your confirmation link, they'll exist on your email list as an Unconfirmed contact. When you email a list, your emails only go to the active contacts, so you can't email any Unconfirmed contacts in eduCRM.
By default, confirmation opt-in is turned on for all forms.
You can filter your email list by contact status to see how many Unconfirmed contacts are on your list.
Collect GDPR-Friendly Consent from Existing Contacts
Now that you've updated all of your existing forms, you're ready to collect GDPR-friendly consent from any new contacts who visit your website and submit a form.
But the work's not over yet! You should also take steps to get consent from your existing contacts. If the consent you've been collecting did not qualify as lawful consent under the GDPR, you may have to ask for consent again using your updated forms in order to achieve GDPR compliance.
If you're using a consent form that uses checkboxes, you can add the contacts you need consent from to an automation that employs a Goal: Provided Consent. The idea here is that to achieve this Goal, contacts must submit the form with the necessary checkbox(es) checked.
If the contact does not meet the goal of "Provided Consent" after three days, the automation sends an email reminder.
If the contact does not meet the goal after another three days, the automation applies another tag to the contact, "GDPR – Mark for Deletion."
From here, you might unsubscribe contacts with the "GDPR – Mark for Deletion" tag after a certain period or create a segment group you don't contact.
"EU Contact" Tagging Process
After you create your automation and turn it to Active, you can add your European Union-based contacts to your automation and begin collecting consent.
To do this, perform an advanced search to segment your contacts based on their country. Then, apply an "EU Contact" tag to the contacts in your search results.
Once the "EU Contact" tag is applied, contacts will begin to enter your automation.
Note: As a precaution, consider collecting consent from ALL of your existing contacts.
Record Proof of Consent
Now that you're set up to collect GDPR-friendly consent from all new and existing contacts, you can prepare to collect proof of consent so that you're able to provide it if requested.
Proof of consent requires a record of who gave consent, when they gave it, and what specifically they consented to.
In eduCRM, you can be prepared to provide all of this information by configuring your form to send you a record of each contact's form submission.
Receive a Copy of Consent Form Submission
To receive a copy of all consent form submissions, simply add an "Email Results" action to your consent form, and add your email address to the Options field.
Now every time a contact submits your form, you will receive an email containing a record of the form submission results, allowing you to see the date consent was given, who filled out the form, and what specifically they consented to.
Confirmation Opt-In Forms
If your form uses confirmation opt-in, the contact must click on the link in the confirmation email they receive before you receive your own copy of their form submission. If a contact submits your form but never clicks on that confirmation link, you will not receive a copy of their form submission.
Additionally, because the proof of consent is in the confirmation email sent to the contact, you'll need to take an additional step for forms that use confirmation opt-in: You will need a screenshot of the confirmation email message sent to contacts.
To grab a screenshot, navigate to the Forms section of the platform and click the Edit button next to your form. Open the Options tab in the menu on the right, and click the gear icon.
In the "Edit Form Action" module, click the Preview button to preview the confirmation email sent to contacts who fill out the form. If you ever need to provide a record of the double opt-in messaging you use to collect consent, you can take a screenshot of this preview email.
Note: If you ever make changes to the confirmation email, remember to take a new screenshot of the updated preview so your records remain up-to-date.
Record Date of Consent
In addition to keeping copies of consent form submissions, create an automation that timestamps the date of consent for each form submission. This is useful data to have in your eduCRM account because it will help you collect consent again in the future, and help you prove that you collected proper consent before you started processing personal data.
You can record date of consent by creating an automation that populates a custom date field when a contact either:
- Checks a checkbox on your consent form (if your form uses checkbox custom fields), or
- Clicks the confirmation link in your confirmation email (if your form has double opt-in turned on)
This way, you'll have an in-platform record of the date that all of your contacts gave consent and will be able to segment contacts by this data.
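The confirmation opt-in flow and the who/when/what proof-of-consent record described in this guide can be modelled in a few lines. This is an added example, not eduCRM's code or API: the ConsentLedger class, its method names, the "Withdrawn" status, and the sample contact are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

def _digest(token):
    # Store only a hash of the confirmation token, never the token itself.
    return hashlib.sha256(token.encode()).hexdigest()

class ConsentLedger:
    """Hypothetical in-memory store; not eduCRM's data model or API."""
    def __init__(self):
        self.records = {}  # email -> consent record

    def submit(self, email, checkboxes, now):
        # Only boxes the contact ticked count; nothing is pre-checked for them.
        purposes = sorted(p for p, ticked in checkboxes.items() if ticked)
        if not purposes:
            raise ValueError("no purpose was ticked, so there is nothing to confirm")
        token = secrets.token_urlsafe(32)  # value carried by the confirmation link
        self.records[email] = {"status": "Unconfirmed", "purposes": purposes,
                               "submitted_at": now.isoformat(),
                               "token_hash": _digest(token), "consented_at": None}
        return token

    def confirm(self, email, token, now):
        rec = self.records.get(email)
        if rec is None or rec["status"] != "Unconfirmed":
            return False
        if not hmac.compare_digest(_digest(token), rec["token_hash"]):
            return False
        # The click on the link is the consent event, so timestamp it here.
        rec.update(status="Active", consented_at=now.isoformat(), token_hash=None)
        return True

    def withdraw(self, email, now):
        # "Withdrawn" is an assumed status name; the record is kept as evidence.
        self.records[email].update(status="Withdrawn", withdrawn_at=now.isoformat())

    def mailable(self):
        # Unconfirmed and withdrawn contacts are never emailed.
        return sorted(e for e, r in self.records.items() if r["status"] == "Active")

    def proof(self, email):
        rec = self.records[email]
        return {"who": email, "when": rec["consented_at"], "what": rec["purposes"]}

if __name__ == "__main__":
    ledger = ConsentLedger()
    t = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed sample data
    tok = ledger.submit("lead@example.com", {"newsletter": True, "events": False}, t)
    print(ledger.confirm("lead@example.com", tok, t), ledger.proof("lead@example.com"))
```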