The Ultimate Guide to GDPR Consent – With Examples
Gaining consent under the GDPR is a minefield. Here we cover everything you need to know to optimize your sign up process and comply with the GDPR consent requirements.
Amazingly, according to the UN, 66% of countries now have privacy regulations in place. So it’s fair to say that privacy regulation is sweeping the world.
Importantly, it’s now critical to do things correctly, particularly when it comes to gaining consent. The alternative can be disastrous for your business.
Penalties for not getting it right can be devastating for even the largest companies.
For all businesses, it’s the damage to your reputation that can be the hardest to recover from.
On the other hand, recent research confirms that if you respect the privacy of your customers your business will benefit from increased trust and loyalty.
Who wouldn’t want that!
Before You Start, Do You Need GDPR Consent?
The first thing you need to know is that you don’t need to rely on gaining consent for everything you plan to do with personal data.
For data processing to be lawful under the GDPR, you need to identify and document your lawful basis of processing.
There are six lawful bases to choose from, and ‘consent’ is just one of them.
The lawful basis you select is important and must be justifiable.
Other than Consent, your options are:
- Contract
- Legal Obligation
- Vital Interests
- Public Tasks
- Legitimate Interests
If you can avoid having to gain consent then you should. There is a good summary of your alternative options on the ICO website here.
The most common alternatives to Consent are Contract and Legitimate Interests. Each has a clear definition and demands its own treatment.
However, if you are going to contact people or send them marketing materials you will likely need to gain consent to do so and record the details.
Marketing includes promotions, white papers, emails, newsletters etc. Essentially anything promoting something that the person hasn’t yet bought or signed up for.
How to gain GDPR consent – What you need to know
The Principles of Valid GDPR Consent
The GDPR has five essential aspects of consent.
For GDPR consent to be valid it must be gained under these principles:
- Freely given
- Clear affirmative action
The Do’s and Don’ts of Gaining GDPR Consent
There are two objectives in achieving a good consent process.
Firstly, making the process of consenting as simple as possible for the user.
Secondly, to comply with the regulations.
Each of these is simple by itself but to achieve a successful combination is not easy.
1. Don’t use pre-ticked checkboxes
Consent must be given by taking a clear affirmative action. By presenting users with a pre-ticked box you are only offering an opt-out, not an opt-in.
2. Give Separate Granular Consent Options
Where you are asking for consent for multiple purposes, wherever possible, give separate options to consent to different purposes and different types of processing.
3. Make it Easy For Users to Withdraw Consent
Make it easy for people to withdraw consent.
A typical use case for this is to include an email ‘unsubscribe’ option in emails.
Most email service providers make it simple to include an unsubscribe link or a link to a communications preferences center.
Above is an example of an email footer with a link to a communications preferences center. This is an effective way to give the recipient the ability to easily unsubscribe from communications.
Below is a typical communications preferences center user experience. The aim should be to make it as simple for the person to unsubscribe from your marketing as it was for them to subscribe.
A communications preferences center like this gives granular control to the user. This is compliant with the regulations as it gives the user control over how their data is used.
Checklist For Gaining GDPR Consent Compliantly
If you are creating a website, app or just updating your signup process, here’s a handy checklist to help you gain consent correctly.
- Check that consent is the most appropriate lawful basis
- Make the request for consent prominent and separate from other terms and conditions
- Ask people to positively opt-in
- Don’t use pre-ticked boxes or other types of default consent
- Use clear, plain language that is easy to understand
- Specify why you want the data and what you are going to do with it
- Give separate granular options to consent separately to different purposes and types of processing
- Name your organisation and any third party controllers who will be relying on the consent
- Tell individuals they can withdraw consent
- Ensure that individuals can refuse consent without detriment
- Avoid making consent a precondition of service
- If offering online services to children, only seek consent if you have age-verification measures in place
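As an added illustration of the checklist above (this is not code from the original article or from any of the vendors discussed below), here is a small Python consent ledger for a signup form. It renders one checkbox per purpose with no pre-ticked default, records each purpose separately with the notice wording the person saw and when they acted, keeps marketing consent apart from acceptance of the Terms of Service, and makes withdrawal a single call. The purpose names, the `consent_` field naming, the "Example Ltd" controller and the record layout are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed example purposes. Each is a separate, granular consent; none is
# bundled with the Terms of Service, which has its own (non-consent) field.
PURPOSES = {
    "newsletter": "Send me the monthly newsletter by email",
    "offers": "Send me offers about Example Ltd products",  # hypothetical controller
    "partners": "Share my email with the named partner controllers",
}


def render_consent_fields() -> list[dict]:
    """Field descriptions for the signup template (hypothetical template contract).

    'checked' is hard-wired to False so a template cannot pre-tick a box: the
    only way a purpose becomes granted is the person ticking it themselves."""
    return [
        {"name": f"consent_{key}", "label": text, "checked": False, "required": False}
        for key, text in PURPOSES.items()
    ]


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str
    granted: bool
    notice_version: str        # the wording the person actually saw
    recorded_at: str           # ISO 8601, UTC
    source: str                # where the action happened, e.g. "signup-form"
    withdrawn_at: Optional[str] = None


def _stamp(now: Optional[datetime]) -> str:
    return (now or datetime.now(timezone.utc)).isoformat()


class ConsentLedger:
    """History-preserving store of consent decisions, one row per purpose."""

    def __init__(self) -> None:
        self._rows: list[ConsentRecord] = []

    def record_signup(self, subject_id, form, notice_version, now=None, source="signup-form"):
        """Turn a submitted form into one record per purpose.

        form maps field name -> submitted value. A box the person did not tick
        is absent from a normal browser POST and is recorded as granted=False;
        nothing is inferred from the Terms of Service checkbox."""
        unknown = {k for k in form if k.startswith("consent_")} - {f"consent_{p}" for p in PURPOSES}
        if unknown:
            raise ValueError(f"unknown consent field(s): {sorted(unknown)}")
        rows = []
        for key in PURPOSES:
            granted = form.get(f"consent_{key}") in ("on", "true", True)
            rows.append(ConsentRecord(subject_id, key, granted, notice_version, _stamp(now), source))
        self._rows.extend(rows)
        return rows

    def latest(self, subject_id, purpose):
        for row in reversed(self._rows):
            if row.subject_id == subject_id and row.purpose == purpose:
                return row
        return None

    def is_permitted(self, subject_id, purpose):
        """True only if the newest decision for this purpose is a live grant."""
        row = self.latest(subject_id, purpose)
        return bool(row and row.granted and row.withdrawn_at is None)

    def withdraw(self, subject_id, purpose, now=None, source="preferences-center"):
        """One call, no reason required: withdrawing is as easy as opting in.

        The earlier grant is stamped with withdrawn_at and a granted=False row
        is appended, so the audit history shows both the grant and its end."""
        row = self.latest(subject_id, purpose)
        if row is None or not row.granted or row.withdrawn_at is not None:
            return False
        row.withdrawn_at = _stamp(now)
        self._rows.append(ConsentRecord(subject_id, purpose, False, row.notice_version, _stamp(now), source))
        return True

    def history(self, subject_id):
        """Everything recorded for one person, for audit or a subject access request."""
        return [r for r in self._rows if r.subject_id == subject_id]


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.record_signup("u1", {"tos": "on", "consent_newsletter": "on"}, "v3")
    print(ledger.is_permitted("u1", "newsletter"), ledger.is_permitted("u1", "offers"))
    ledger.withdraw("u1", "newsletter")
    print(ledger.is_permitted("u1", "newsletter"))
```

The point of keeping one row per purpose is that a later question ("were we allowed to send this person partner offers on that date, and what wording did they see?") can be answered from the ledger alone, and that withdrawing one purpose leaves the others untouched.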
Now see how successful organisations put that into practice.
GDPR Consent Examples
Here are some examples of good and bad UX consent designs that will help guide you.
Here is a great example of what not to do by an organization that should know better.
How Does Mailchimp Stack Up?
Mailchimp does well in their request for consent but they mess up on their opt-in.
What they get wrong is that their marketing consent is opted in by default.
This isn’t good. It’s what’s known as a reverse opt-in, i.e. it looks as if you are opted out but, in fact, you are opted in unless you opt out.
Importantly, it’s deliberately confusing and something to be avoided at all cost.
How Does Asana Stack Up?
A link to the Terms & Privacy is also available in the footer at the bottom of the page.
The ‘affirmative action’ is the action of signing up to try the service. There is no specific or granular opt-in.
How Does Canva Stack Up?
Canva does well. It is clear, easy to understand and makes the essentials available.
Simple, well presented UX.
The ‘affirmative action’ that is required for GDPR consent is clearly stated as being ‘By signing up…’
Strictly according to the GDPR consent guidelines, consent for two different elements should be separated to enable granular acceptance.
Although this is not representative of best practice it is understandable why Canva and many others have chosen this route to gain consent.
How Does HubSpot Stack Up?
Hubspot does well and is typical of the way that leading businesses are gaining GDPR consent.
As with other SaaS businesses the affirmative action required for GDPR consent is the action of ‘continuing’. The alternative would be to offer a checkbox but this adds an extra undesirable action for the user.
How Does SAP Concur Stack Up?
Concur does very well. It’s clear to see that they value the trust of their users highly.
In addition, they identify their legal entity by including the registered company name. They even go as far as presenting the address of the business.
Although offering all this information and detail creates more text and a potential hurdle to signup, it also demonstrates a commitment to doing privacy correctly. In other words it engenders trust in their users.
There is nothing to say here. Concur are exemplary in their interpretation of GDPR consent and set a good example.
How Does Shopify Stack Up?
Shopify are innovative.
Like other services, their first objective is to capture the user’s email address and consent to enable them to market to them. This is simply good marketing practice. The affirmative action that triggers the marketing consent is ‘By entering your email’.
This split consent process is a highly effective way of reducing the initial signup hurdle and gaining compliant GDPR consent to use the personal information.
To make matters worse, there is no ability to manage cookies.
How Does Slack Stack Up?
As we all know, Slack is great for team collaboration because it is simple and clear. They have taken this principle all the way through their signup process and it’s good. They very effectively combine a simple and attractive signup process with diligent compliance.
Like Shopify, the Slack signup process is slick. They collect the email address in advance of gaining consent. They gain consent later in the account creation process when the user is creating their Slack workspace.
This progressive gaining of consents optimises the success of the onboarding while also complying with the demands of GDPR consent.
It enables Slack to market to the people who drop out of the process early. It also enables them to seek full consent at a compelling stage of account creation.
The collection of the initial email address does not have a statement of consent or a defined affirmative action that would constitute best practice GDPR consent.
It also lacks a description of what the user is consenting to by entering their email address.
How Does SurveyMonkey Stack Up?
SurveyMonkey does well.
SurveyMonkey then goes on to add a further consent to receive ‘information and offers relevant to our services’. This is seeking consent to send marketing via email.
In addition, they confirm that the user will be able to opt out of the marketing emails and tell them where this can be done: in the My Account page.
The amount of information given appears to be transparent but the way the consent is gained is not aligned with GDPR consent best practice principles.
To then add consent to receive marketing materials into the single affirmative action (clicking the Create Account button) is distinctly questionable.
There is no offer of granular consent.
How Does WordPress Stack Up?
WordPress signup is simple but inadequate for GDPR levels of consent.
It’s clear and simple. The affirmative action is to ‘Create your account’. But that’s it.
The link to the Terms of Service goes only to that. It’s then up to the user to find their Privacy link in the footer of the site.
WordPress claims that “Your privacy is critically important to us” but their signup process would suggest the opposite.
The experience inspires no trust in their service as far as privacy is concerned and aligns with neither the principles nor the requirements of GDPR consent.