1. Best practice
The GDPR defines consent as: “Freely given, specific, informed and unambiguous consent; which informs subscribers about the brand that’s collecting the consent and provides information about the purposes of collecting personal data,” via the ICO, May 2017.
We have suggested a list of best practices to help you bring your consent forms into compliance with these new regulations:
Use easy, clear language
Consent must be unambiguous. This means customers need to easily understand what they are signing up for. Avoid double negatives, and use the simplest language possible. If there is any room for doubt, it is not valid consent.
“I would like to receive emails from Kai Ai”
“Sign me up for email communications”
“I understand and agree to the email marketing terms & conditions”
Customers should actively opt-in
If you choose to use a checkbox, avoid having it pre-ticked. Customers should take an action to subscribe to any communications.
Pre-ticked boxes, opt-out boxes or default settings should be avoided. Options need to have equal prominence.
Let customers freely choose content, channel and frequency and gain consent for each
Sales emails, product launch communications and behaviour-based targeting are all different methods of marketing. Try to provide granular consent options for each marketing type, as blanketing will not provide your customers with an outstanding experience. This should also apply to frequency and channel. Customers should be provided with frequency and channel preference options as well. As always, consent must be gained at each level.
Do not tie consent to other agreements, nor use incentives
Be sure to keep email marketing consent requests separate from other bundled terms and conditions. This especially applies at the checkout stage. Consent should also not be a precondition of signing up to a service, unless it is necessary for that service.
“Click here to view our mailing terms and conditions”
Explain clearly how customers can withdraw consent
Tell your customers they have the right to withdraw their consent at any time, and clearly detail how to do this. It should be as easy to withdraw as it was to give consent. This means you will need to have simple and effective withdrawal mechanisms in place, such as a preference centre.
“All our communications contain an unsubscribe link.”
“If you wish to stop receiving communications from us, you will be able to do so by following the preference centre link in our emails and website footer.”
2. Asking for consent
The following is a summary checklist for ensuring compliance when asking for consent:
- We have checked that consent is the most appropriate lawful basis for processing.
- We have made the request for consent prominent and separate from our terms and conditions.
- We ask people to positively opt in.
- We don’t use pre-ticked boxes or any other type of default consent.
- We use clear, plain language that is easy to understand.
- We specify why we want the data and what we’re going to do with it.
- We give individual (‘granular’) options to consent separately to different purposes and types of processing.
- We name our organisation and any third-party controllers who will be relying on the consent.
- We tell individuals they can withdraw their consent.
- We ensure that individuals can refuse to consent without detriment.
- We avoid making consent a precondition of a service.
- If we offer online services directly to children, we only seek consent if we have age-verification measures (and parental-consent measures for younger children) in place.
3. Recording consent
The following is a summary checklist for ensuring compliance when recording consent:
- We keep a record of when and how we got consent from the individual.
- We keep a record of exactly what they were told at the time.
4. Managing consent
The following is a summary checklist for ensuring compliance when managing consent:
- We regularly review consents to check that the relationship, the processing and the purposes have not changed.
- We have processes in place to refresh consent at appropriate intervals, including any parental consents.
- We consider using privacy dashboards or other preference-management tools as a matter of good practice.
- We make it easy for individuals to withdraw their consent at any time, and publicise how to do so.
- We act on withdrawals of consent as soon as we can.
- We don’t penalise individuals who wish to withdraw consent.
5. Examples for Kai Ai
The following examples have been created for Kai Ai:
Tick box 1 – “I would like to receive emails from Kai Ai.”
Tick box 2 – “I also understand and agree to the terms & conditions.”
Tick box 1 –
“I agree to Kai Ai processing my personal data in this form to create my account and set up my service.”
Tick box 2 –
“Contact me occasionally about special offers and exciting news (never more than a couple of times a month) by:
Email – Yes please!
Phone – Yes please!
SMS – Yes please!
Post – Yes please!
I don’t want any offers.”
Tick box 3 –