This guide is for email marketers using consent as a lawful basis for processing personal data under the General Data Protection Regulation (GDPR).
Learn about consent requirements, find suggestions for using eduConverse to collect consent from new contacts, ask existing contacts to re-consent, and record and track proof of consent.
Under the General Data Protection Regulation (GDPR), an organization must justify each type of data processing activity it conducts using one of six lawful bases.
In email marketing, which involves processing contacts' data (such as email address and name), consent often makes sense as the lawful basis used to justify the data processing.
Organizations using consent as a lawful basis for data processing need to prove consent was freely given and be prepared to share a record of consent with regulators if asked.
Additionally, data subjects must be able to withdraw consent at any time.
In this guide, we'll explain the concept of consent and show you some examples of how you can update the forms on your website to require GDPR-friendly "consent."
We'll also show you examples of how you can prepare to provide proof of consent.
Legal Disclaimer: The information in this guide does not constitute legal advice and is for informational purposes only. We strongly encourage you to seek independent legal counsel to understand how your organization needs to comply with the GDPR.
What is GDPR-Friendly Consent?
Lawful consent under the GDPR needs to be both informed and explicit.
Organizations must present information about their data processing "in a concise, transparent, intelligible and easily accessible form, using clear and plain language."
- An individual must have the opportunity to make an actual choice to provide consent. For example, a pre-checked checkbox on a form does not qualify as consent under the GDPR because it removes the affirmative action of giving consent. Individuals must check the box themselves to provide proper permission or click on the confirmation link in an email to confirm that they are opting in to receive your marketing emails.
- The choice to provide consent must be distinguishable and separate from other initiatives. Therefore, individuals can't be required to give their express consent to be contacted as a condition for receiving a resource, product, or service.
You can obtain GDPR-friendly consent from contacts by:
- Using checkbox custom fields in a form that individuals must check to provide their express permission, or
- Creating an entry form that requires confirmation opt-in.
Let's take a look at both ways to set up a form that collects GDPR-friendly consent from your contacts.
Consent Forms Using Checkboxes
You can use checkboxes in a lead capture form on your website to get consent from new leads.
Your GDPR-friendly lead capture form should:
- Provide a clear explanation of what types of information a contact can expect to receive by submitting your form.
- Provide a checkbox to get consent for each business activity you employ that involves processing personal data. (Remember that each "activity" must be distinguishable and require separate "consent.")
Checkbox Custom Fields
In eduConverse, checkboxes on a form are represented by a custom field. You will have to create a new checkbox custom field before you can add it to your form.
To do this, navigate to “Lists” in the main menu on the left, and click “Manage Fields.” Click on the New Custom Contact Field button and select checkboxes as the type of custom field you would like to create. Click “Next” to continue.
Give your custom field a name and type in the text you’ll use for each checkbox option:
Click “Add” to finish.
Consent Forms Using Confirmation Opt-In
You can use a confirmation opt-in form instead of or in addition to a lead capture form that uses checkboxes, depending on your needs. Confirmation opt-in forms are useful when you would like to allow new contacts to opt into your email marketing list.
Confirmation opt-in (also known as double opt-in) is the process of allowing a contact to subscribe to your email list by providing their email address, then sending a confirmation email to that contact. The contact must click on the link provided in the email to confirm their opt-in before being added to your list.
The easiest way to get consent from your contacts is by always having confirmation opt-in turned on for all of your forms. If a contact hasn’t clicked on your confirmation link, they’ll exist on your email list as an Unconfirmed contact. When you email a list, your emails only go to the contacts who are Active (confirmed).
Collect GDPR-Friendly Consent from Existing Contacts
Now that you've updated all of your existing forms, you're ready to collect GDPR-friendly consent from any new contacts who visit your website and submit a form.
But the work's not over yet! You should also take steps to get consent from your existing contacts. If the "consent" you've been collecting did not qualify as lawful consent under the GDPR, you might have to ask for explicit consent again using your updated forms to achieve GDPR compliance.
If you're using a consent form that uses checkboxes, you can do this by adding the contacts you need consent from to an automation that employs a Goal: Provided Consent action. The idea here is that, to achieve this Goal, contacts must submit the form with the necessary checkbox(es) checked.
For instance, returning to the example form we showed you above, a Goal action configured for when a contact has checked this checkbox would look like this:
And the rest of the automation might look something like this:
In this example, the automation sends an email containing a link to the form once the “EU Contact” tag is applied to a contact (more on this tagging process below).
If the contact does not meet the goal of “Provided Consent” after three days, the automation sends an email reminder.
If the contact still does not meet the goal after another three days, the automation applies another tag to the contact, “GDPR – Mark for Deletion.”
From here, you might choose to unsubscribe contacts who have the “GDPR – Mark for Deletion” tag after a certain period of time, or create a segment group that you don’t contact.
Record Proof of Consent
Now that you’re set up to collect GDPR-friendly consent from all new and existing contacts, you can prepare to collect proof of consent so that you’re able to provide it if requested.
Proof of consent requires a record of who gave consent, when they gave it, and what specifically they consented to.
In eduConverse, you can be prepared to provide all of this information by configuring your form to send you a record of each contact’s form submission.
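The record described above (who, when, what) and the confirmation opt-in states from earlier in this guide can be modelled as follows. This is an added example, not eduConverse code; the field names, the purpose labels, the demo key and the HMAC link token are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

SECRET = b"constructed-demo-key"  # constructed value; use a random secret in practice

@dataclass
class ConsentRecord:
    email: str                               # who
    purpose: str                             # what they consented to
    wording_sha256: str                      # hash of the exact text shown on the form
    given_at: Optional[datetime] = None      # when; None means Unconfirmed
    withdrawn_at: Optional[datetime] = None  # set when consent is withdrawn

def token_for(email: str) -> str:
    """Value embedded in the confirmation link sent to the contact (assumed scheme)."""
    return hmac.new(SECRET, email.lower().encode(), hashlib.sha256).hexdigest()

def submit_form(email, boxes, wording):
    """boxes maps purpose -> (checked, was_prechecked). One record per purpose,
    and only for boxes the contact ticked themselves."""
    return [
        ConsentRecord(email, p, hashlib.sha256(wording[p].encode()).hexdigest())
        for p, (checked, prechecked) in boxes.items()
        if checked and not prechecked
    ]

def confirm(records, email, token, now=None):
    """Double opt-in: stamp the consent date only when the link token matches."""
    if not hmac.compare_digest(token.encode(), token_for(email).encode()):
        return False
    now = now or datetime.now(timezone.utc)
    for r in records:
        if r.email == email and r.given_at is None:
            r.given_at = now
    return True

def withdraw(records, email, purpose, now=None):
    for r in records:
        if r.email == email and r.purpose == purpose:
            r.withdrawn_at = now or datetime.now(timezone.utc)

def may_email(records, email, purpose):
    """Active means confirmed and not withdrawn, checked per purpose."""
    return any(r.email == email and r.purpose == purpose and r.given_at
               and not r.withdrawn_at for r in records)
```

Storing a hash of the wording ties each record to the exact text the contact saw, which serves the same purpose as keeping a dated copy of the form or confirmation email.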
Receive a Copy of Consent Form Submission
To receive a copy of all consent form submissions, simply add an “Email Results” action to your consent form, and add your email address to the Options field:
Now every time a contact submits your form, you will receive an email containing a record of the form submission results, allowing you to see the date consent was given, who filled out the form, and what specifically they consented to:
Confirmation Opt-In Forms
If your form uses confirmation opt-in, the contact will have to click on the link in the confirmation email they receive before you receive your own copy of their form submission. If a contact submits your form but never clicks on that confirmation link, you will not receive a copy of their form submission.
Additionally, because the proof of consent is in the confirmation email that is sent to the contact, you’ll need to take an additional step for forms that use confirmation opt-in: You will need a screenshot of the confirmation email message that is sent to contacts.
To grab a screenshot, navigate to the Forms section of the platform and click the Edit button next to your form.
Open the Options tab in the menu on the right, and click the gear icon:
In the “Edit Form Action” module, click the Preview button to view a preview of the confirmation email that is sent to contacts who fill out the form. If you ever need to provide a record of the double opt-in messaging you use to collect consent, you can take a screenshot of this preview email.
Note: If you ever make changes to the confirmation email, remember to take a new screenshot of the updated preview, so your records remain up-to-date.
Record Date of Consent
In addition to keeping copies of consent form submissions, you may want to create an automation that timestamps the date of consent for each form submission. This is useful data to have in your account because it will help you collect consent again in the future, and help you prove that you collected proper consent before you started processing personal data.
You can record the date of consent by creating an automation that populates a custom date field when a contact either:
- Checks a checkbox on your consent form (if your form uses checkbox custom fields), or
- Clicks the confirmation link in your confirmation email (if your form has double opt-in turned on)
This way, you’ll have an in-platform record of the date that all of your contacts gave consent, and will be able to segment contacts by this data.
Here’s an example of what that automation might look like for a consent form that uses checkboxes:
In this example, we’ve again used our checkbox form:
When a contact submits this form, the automation first checks to see if the contact has checked this box:
If the contact has not, it sends them down a path that ends the automation.
If the contact has, it sends them down a different path that applies the current date to a custom contact field called “Trial Consent Date.”
This provides a record of the date the contact confirmed they have read and agreed to the Terms of Service. You’ll be able to view this information under the custom contact field in the contact’s profile page:
The automation then checks to see if the contact has checked the second box:
If the contact has not, it sends them down a path that ends the automation.
If the contact has, it sends them down a path that first applies the current date to a custom contact field called “Email Consent Date.” This provides a record of the date that the contact provided consent to receive marketing emails.
The automation then sends an internal notification email to a team member, alerting them that the date consent was given has been recorded.
Here’s an automation example of how you can record the date of consent for a form that uses confirmation opt-in:
In this example, once a contact opens their confirmation email and clicks the link to confirm, the automation updates that contact’s “Email Consent Date” field to the current date.