In an increasingly privacy-conscious world, compliance with regulations like the General Data Protection Regulation or GDPR is not just legally binding but has a direct impact on how consumers perceive your business.
Your consumers are looking for transparency, hence it is imperative that your marketing efforts are aligned to ensure legal compliance and build consumer trust. Before we look at the steps to ensure your compliance, have a look at the basics of what GDPR is and why consent is key for marketing.
The GDPR basics
GDPR is a comprehensive data privacy regulation adopted by the European Union (EU) that came into force on May 25, 2018. GDPR introduced major changes in how organizations handle personal data and gives EU residents rights over their data. Essentially, here are the most important points you should know about GDPR:
- Organizations should have a clear purpose to collect, use and share personal data and should implement security measures to protect personal data.
- Individuals will have rights on their personal data including the ability to review, amend or challenge data processing practices.
How does GDPR impact marketing?
GDPR regulates personal data that is collected and used by businesses. Personal data as per the GDPR includes any information relating to an identified or identifiable individual. This means any information that could be used directly or indirectly to identify an individual is considered personal data. This broad definition information such as names, email addresses, physical addresses, credit card information, social security numbers and also data such as IP addresses, data from cookies, location and much more.
GDPR lays out certain rules on how businesses can process personal data from their consumers or users. These are the six conditions under which organisations can process personal data: Legitimate interests, consent, contractual requirements, legal obligations, vital interests and public interest.
What is GDPR consent?
Consent is when the individual gives permission to an organization to process their personal data for a specific purpose. GDPR defines consent as:
“Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” (Art 4.11)
When you’re relying on consent for processing personal data, you need to ensure that it is valid under the GDPR.
- Freely given: The user must have a real choice and consent cannot be obtained if it’s conditional and users cannot be penalised for refusing consent.
- Specific: Collect consent for each purpose individually. For instance, accepting the terms & conditions does not mean consent to marketing purposes.
- Informed: Ensure that the user has full knowledge of the facts when giving permission to process their personal data and that information is available in plain, understandable language.
- Affirmative and unambiguous: Consent should involve affirmative actions, such as clicking on an opt-in box. It should be unambiguous meaning passive acceptance is invalid and that your opt-in boxes cannot be pre-ticked.
- Withdrawable: Allow the user to withdraw consent at any time. It should be just as easy to withdraw consent as to give it. For instance, your email subscribers should have an easily accessible unsubscribe link or button
- Proof of consent: You should be able to demonstrate that the user has given consent for proof of consent. For instance, you should have a record of how you obtained an email address for marketing.
How to obtain GDPR consent for marketing
Limit data collected on your website
- Categorize all the personal data you collect on your website such as email addresses, names, credit card details, IP addresses, data from cookies, location data etc.
- If you collect personal data for marketing and lead generation, ensure that you are not asking for information that is sensitive personal data.
- Collect only information you actually need for processing and are relevant to your business purpose. For example, if a user is subscribing to your newsletter, you may only collect their email address.
- The lesser the data you collect, it will be easier for you to ensure prompt responses to Data Subject Access Requests (DSAR) required under GDPR.
- Ensure that the cookies set by your website are accounted for, especially third-party cookies set by advertisers.
Use active opt-in forms
- Your website forms should reflect transparency on why you collect and use the information for.
- Ensure that subscription forms or contact forms have a checkbox to give opt-in consent to how users agree to be contacted.
- Use active opt-in mechanisms include such as ticking an opt-in box, clicking an opt-in button or link online or selecting from equally prominent yes/no options.
- Ensure that agreement to the website’s terms & conditions is clearly separated out from giving consent to receive marketing communications.
( A GDPR compliant opt-in subscription form )
Keep your mailing lists clean
- Ensure that the contacts in your mailing lists have given consent to be included, especially relevant if you have purchased mailing lists from third parties.
- Unsubscribe users or clear contacts who have not given consent from your mailing list.
- Give subscribers the ability to manage their preferences, as well as to opt-out of emails with an ‘Unsubscribe’ button.
Obtain cookie consent
- Display a cookie consent banner on your website.
- Include information about categories of cookies used and their purposes.
- Provide the option to give granular consent for cookie categories.
- Auto-block third-party cookies from setting on a user’s device until they give consent.
- Collect consent for all Google Analytics cookies before they are set.
- Record user consents for proof of compliance.
( A GDPR-compliant cookie banner, powered by CookieYes )
- Describe the users’ GDPR rights in your policy and users can exercise their rights.
Additional steps to comply with GDPR
- Review technical measures to ensure the personal data you collect and process is secure and protected.
- Conduct Data Protection Impact Assessments to identify and minimize any risks from your data processing.
- Implement a Data Subject Access Request (DSAR) form on your website to ensure that users can submit their requests.
- Update your contracts with third-party vendors to ensure they are GDPR compliant.
- Build data protection awareness and create internal policies and practices.
- Provide data breach notification to users, subscribers in the event of a data breach within 72 hours.
The GDPR significantly raises the bar in terms of how it seeks accountability from marketers. Before using consent, ensure that you carefully review whether consent is the appropriate legal ground before deciding to ask for it. If you use consent, then remember that:
- You should act with complete transparency about data collection and how you intend to use the information.
- You should avoid intrusive marketing practices and never use data without explicit opt-in consent.
- Always respect consumer expectations and maintain accountability.