With the General Data Protection Regulation (GDPR) due to come into force in May 2018, there are already lots of resources out there to help guide you towards compliance.
However, there are fewer articles that point to companies who are already exhibiting best practice. So, I’m going to attempt to round up examples that already seem to comply with aspects of the GDPR.
In this instance, I’m concentrating on user consent, chiefly during online registration or checkout, but it should be noted that there are many other user experiences to consider. I was particularly impressed by some prototypes created by Projects by IF. One example is the UI below, an example of allowing users the ‘right to erasure’.
The agency that created this prototype points out that the right to erasure isn’t always an all-or-nothing decision, and that granular erasure of information may be desired, such as removing addresses from your recent trip history (“‘Your trip to Brighton’ makes more sense than ‘Your trips to 7 Kensington Gardens, 52 Ship Street, and 11 Queens Road’”).
What are we looking for in this article?
I’m going to be examining company websites, looking for the following five aspects of consent in the GDPR which the ICO highlights as key changes, and which are pertinent to marketers.
- Unbundled: Consent requests must be separate from other terms and conditions. Consent should not be a precondition of signing up to a service unless necessary for that service.
- Active opt-in: Pre-ticked opt-in boxes are invalid – use unticked opt-in boxes or similar active opt-in methods (e.g. a binary choice given equal prominence).
- Granular: Give granular options to consent separately for different types of processing wherever appropriate.
- Named: Name your organisation and any third parties who will be relying on consent – even precisely defined categories of third-party organisations will not be acceptable under the GDPR.
- Easy to withdraw: Tell people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to give consent. This means you will need to have simple and effective withdrawal mechanisms in place.
N.B. There is another important change that should be on the marketer’s agenda and that’s the need for brands to maintain records of the consents they have – i.e. what users were told and how they gave consent. Obviously this is more difficult for me to investigate, but it is an area that companies no doubt need to focus on.
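As an added illustration (not from the article or from any company it reviews), here is a small Python model of the five ICO criteria listed above plus the record-keeping point in the note: it checks a constructed sign-up form against each criterion, then stores what the user was told and which boxes they actively ticked. Form structure, organisation names and wording are all made up.

```python
from dataclasses import dataclass
import hashlib
import json
CATEGORY_WORDS = ("partners", "third parties", "selected companies")  # categories, not named organisations

@dataclass(frozen=True)
class ConsentOption:
    channels: tuple            # ("email",); more than one entry means channels were lumped together
    organisation: str          # the organisation that will rely on this consent
    wording: str               # the text shown beside the tick box
    default_ticked: bool = False

@dataclass(frozen=True)
class ConsentForm:
    options: tuple
    bundled_with_terms: bool   # True if consent sits inside the T&Cs tick box
    withdrawal_text: str       # tells the user how to withdraw

def check_form(form):
    """Return the ICO criteria the form fails; an empty list means it passes all five."""
    failed = []
    if form.bundled_with_terms:
        failed.append("unbundled")
    if any(o.default_ticked for o in form.options):
        failed.append("active opt-in")
    if any(len(o.channels) > 1 for o in form.options):
        failed.append("granular")
    if any(not o.organisation.strip() or any(w in o.organisation.lower() for w in CATEGORY_WORDS) for o in form.options):
        failed.append("named")
    if not form.withdrawal_text.strip():
        failed.append("easy to withdraw")
    return failed

def record_consent(form, ticked, user_id, when):
    """Keep what the user was told (hashed wording), when, and which boxes they actively ticked."""
    shown = json.dumps([o.wording for o in form.options] + [form.withdrawal_text]).encode()
    return {"user": user_id, "given_at": when, "wording_sha256": hashlib.sha256(shown).hexdigest(),
            "consents": {"/".join(o.channels) + ":" + o.organisation: i in ticked
                         for i, o in enumerate(form.options)}}

def withdraw(record, key, when):
    # Withdrawing is one call: flip the flag for that channel/organisation and stamp the time
    return dict(record, consents={**record["consents"], key: False}, withdrawn_at=when)

# Constructed samples: one lumps every channel into a single choice, the other is per channel
LUMPED = ConsentForm((ConsentOption(("email", "post", "sms", "telephone"), "Example Retailer Ltd",
                                    "Contact permission: yes / no"),), False, "Change this in My Account.")
GRANULAR = ConsentForm(tuple(ConsentOption((ch,), "Example Charity", "Receive updates by " + ch)
                             for ch in ("email", "telephone", "text message", "post")),
                       False, "Change your mind at any time by contacting us.")
```

The lumped form fails only the granular test, which is the same gap the Sainsbury’s example below is criticised for; the wording hash lets you prove later exactly what text the user saw when they consented.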
Update (Dec 2017):
It’s worth reading the DMA’s blog post about how the GDPR and the PECR (soon to be e-Privacy directive) work together in relation to email marketing. If you’re going to use personalisation, segmentation or targeting (i.e. some form of data processing), the GDPR applies, though it should be said that the basis for processing could be either consent or legitimate interests (that’s for the marketer to evaluate).
If you’re just sending offers and dynamic content (nothing personalised based on browsing behaviour) and you’re not collecting, storing and processing ancillary data, then you simply need marketing consent, as is currently the case. Below is a simple diagram that explains this distinction.
In light of this distinction, some of the examples used in this blog post arguably fall only under PECR, and others under both PECR and GDPR. Have a think about how you undertake email marketing, what you tell your customers on sign-up, and whether you can rely on legitimate interests for the processing side (personalisation) after getting consent to send comms, OR whether you want to gain consent for processing as well as sending comms.
Unbundled consent – Who is doing it right?
Unbundled consent – Sainsbury’s
Here’s a great example from Sainsbury’s, below, flagged up in an Econsultancy article about supermarket account registration from Andy Favell.
Look how the white content blocks separate the clearly-headlined ‘Terms and conditions’ and ‘Contact permission’ sections. The contact permission section requires that users select a radio button, either ‘yes please’ or ‘no thanks’. This is clear as day, and what the consumer likes to see when registering for an ecommerce account.
Not everything is hunky dory here, as permission for email, post, SMS and telephone is all lumped together into the same checkbox, but as far as unbundled consent is concerned (separate from T&Cs), Sainsbury’s hits the mark.
Unbundled consent – Data Protection Network
One would expect the Data Protection Network to be on top of this sort of thing.
I recently registered so I could download guidance on GDPR and ‘legitimate interests’ – whilst joining I noted the unbundled consent and the very nifty red-to-green sliders. A great opt-in UX.
Granular consent – Who is doing it right?
Remember, granular consent means consenting to each contact method separately, which, if personalised through data processing, falls under the GDPR.
Granular consent – Woolworth’s Australia
Here’s a lovely example from Woolworth’s Australia (hat-tip again to Andy Favell), taken from account registration. It uses three different checkboxes – SMS, email and post (samples). This means users can get comms where they want them, rather than an all-or-nothing approach.
Although Woolworth’s Australia doesn’t sell to the EC, there are lots of international companies that do, and will therefore have to comply with the GDPR. Remember that many marketers may still rely on the legitimate interests basis for processing when sending direct mail.
Granular consent – Age UK
Age UK splits marketing consent (when filling in an online form to make a donation) into checkboxes for email, telephone, text message and post. What’s also good is that each channel (apart from post) requires an active opt-in.
Though arguably consent for direct mail should be opt-in, too, some other charities are less transparent, requiring that a user consents to post and then asking them to get in touch to change this (e.g. Oxfam).
There are also other charities which use an opt-out (instead of opt-in) for contact by telephone or simply take the user’s input of a telephone number to imply consent. Age UK is doing a clearer job.
Note that marketing via post may be considered a legitimate interest for charities. The GDPR states ‘the processing of Personal Data for direct marketing purposes may be regarded as carried out for a legitimate interest’. However, as the Data Protection Network points out, ‘organisations will still need to ensure they can establish necessity and balance their interests with the interests of those receiving the direct marketing communications’.
That means post every week could be hard to justify, but quarterly mail to let users know about charity work may seem to be more balanced.
Named organisations – Who is doing it right?
Which companies are clearly naming the organisations that will have access to user data, where that user consents?
Named organisations – Waitrose
Here’s a clear example from Waitrose, part of the John Lewis Partnership, when registering for an account. The user can consent to receiving updates from Waitrose, John Lewis or John Lewis Financial Services. Each organisation gets its own checkbox.
However, it’s still technically an opt-out, as the user has to click the buttons if they don’t want to receive further comms. A bit sneaky.
Named organisations – Age UK
Here’s a second example which I think is very much in line with the clarity that the GDPR is seeking to provide for users. Age UK sets out clearly in what circumstances users (making a donation) may be contacted, that their data will never be sold, and that users can change their mind about consent.
Crucially, there’s also a line that states clearly which organisations “we” refers to.
Active opt-in – Who is doing it right?
Active opt-in – Walmart Canada
Walmart Canada – where regulations are tight, including the CASL (Canadian anti-spam legislation) – is not only using an active opt-in, specifically for emails, but also has the word ‘optional’ in brackets, to let users know for certain they do not have to check this box.
Additionally, it’s good to see clear description of what content such emails may contain.
Easy to withdraw – Who is doing it right?
Easy to withdraw – The Guardian
This sort of functionality is pretty standard in many sectors (e.g. in the media and ecommerce) but is still something that isn’t offered by everyone yet as self-serve.
The Guardian shows how those that have registered for an account can withdraw permission for marketing in their account settings, as well as withdraw permission for profiling that may impact things such as the adverts a user sees.
One functionality the Guardian affords (below) which many do not is the ability to fully delete your account (right to erasure). When you do this from within your account settings, there’s lots of clear information about how it will affect everything from the comments you have made to any paid subscriptions you have in place.
The page also states: “Deleting your account removes personal information from our database. Your email address becomes permanently reserved and the same email address cannot be re-used to register a new account.”
Other best practice
Clarity from Channel 4
I wanted to include the Channel 4 example, featuring a video campaign from back in 2012, when the broadcaster sought to prepare users for compulsory registration.
When registering for a Channel 4 account on the All 4 website, you can see Alan Carr featured on the right-hand side and a link to the video (‘Our viewers promise’). There’s a clear heading – ‘how we use your information’ – and the text mentions tailored advertising, and sits underneath copy detailing ‘reasons to register’.
There’s a fairly unique bit of UX further down the form, with users able to click to see an example newsletter (see the linked text in the screenshot below). This is an innovative way of helping the user decide whether they want to opt in to communications.
The only gripe I have with this checkbox is that the accompanying explanation could be made clearer. Not everyone will know what FOMO means, for example.
These examples are not rocket science, I know. It’s the back-of-house stuff that represents the real challenge – how to keep records of all processing, all consent granted by users, how to enable users to take their data to another provider, and so on.
But, as companies should be looking to move towards compliance with the GDPR by 2018, the most visible part of this compliance – the UX of obtaining consent and letting the user know what they’re in for – should be a priority soon.
Note that this article represents the views of the author solely, and is not intended to constitute legal advice.