With the General Data Protection Regulation (GDPR) due to come into force in May 2018, there are already lots of resources out there to help guide you towards compliance.

However, there are fewer articles that point to companies who are already exhibiting best practice. So, I'm going to attempt to round up examples that already seem to comply with aspects of the GDPR.

In this instance, I'm concentrating on user consent, chiefly during online registration or checkout, but it should be noted that there are many other user experiences to consider. I was particularly impressed by some prototypes created by Projects by IF. One example is the UI below, an example of allowing users the 'right to erasure'.

prototype gdpr

The agency that created this prototype points out that the right to erasure isn't always an all or nothing decision, and that granular erasure of information may be desired, such as removing addresses from your recent trip history ("'Your trip to Brighton' makes more sense than 'Your trips to 7 Kensington Gardens, 52 Ship Street, and 11 Queens Road'".)


What are we looking for in this article?

I'm going to be examining company websites, looking for the following five aspects of consent in the GDPR which the ICO highlights as key changes, and which are pertinent to marketers. 

  • Unbundled: Consent requests must be separate from other terms and conditions. Consent should not be a precondition of signing up to a service unless necessary for that service.
  • Active opt-in: Pre-ticked opt-in boxes are invalid – use unticked opt-in boxes or similar active opt-in methods (e.g. a binary choice given equal prominence).
  • Granular: Give granular options to consent separately for different types of processing wherever appropriate.
  • Named: Name your organisation and any third parties who will be relying on consent – even precisely defined categories of third-party organisations will not be acceptable under the GDPR.
  • Easy to withdraw: Tell people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to give consent. This means you will need to have simple and effective withdrawal mechanisms in place.

N.B. There is another important change that should be on the marketer's agenda and that's the need for brands to maintain records of the consents they have – i.e. what users were told and how they gave consent. Obviously this is more difficult for me to investigate, but it is an area that companies no doubt need to focus on.

Update (Dec 2017):

It's worth reading the DMA's blog post about how the GDPR and the PECR (soon to be e-Privacy directive) work together in relation to email marketing. If you're going to use personalisation, segmentation or targeting (i.e. some form of data processing), the GDPR applies, though it should be said that the basis for processing could be either consent or legitimate interests (that's for the marketer to evaluate).

If you're just sending offers, dynamic content (nothing personalised on browsing behaviour) and you're not collecting, storing and processing ancillary data, then you simply need marketing consent, as is currently the case. Below is a simple diagram that explains this distinction.

dma chart

In light of this distinction, some of the examples used in this blog post arguably fall only under PECR, and others under both PECR and GDPR. Have a think about how you undertake email marketing, what you tell your customers on sign-up, and whether you can rely on legitimate interests for the processing side (personalisation) after getting consent to send comms, OR whether you want to gain consent for processing as well as sending comms.

Unbundled consent - Who is doing it right?

Unbundled consent - Sainsbury's

Here's a great example from Sainsbury's, below, flagged up in an Econsultancy article about supermarket account registration from Andy Favell.

Look how the white content blocks separate the clearly-headlined 'Terms and conditions' and 'Contact permission' sections. The contact permission section requires that users select a radio, either 'yes please' or 'no thanks'. This is clear as day, and what the consumer likes to see when registering for an ecommerce account.

Not everything is hunky dory here, as permission for email, post, SMS and telephone is all lumped together into the same checkbox, but as far as unbundled consent is concerned (separate from T&Cs), Sainsbury's hits the mark.

sainsbury's consent

Unbundled consent - Data Protection Network

One would expect the Data Protection Network to be on top of this sort of thing.

I recently registered so I could download guidance on GDPR and 'legitimate interests' – whilst joining I noted the unbundled consent and the very nifty red-to-green sliders. A great opt-in UX.

data protection network

Granular consent - Who is doing it right?

Remember, granular consent means consenting to each contact method separately, which if personalised through data processing falls under the GDPR. 

Granular consent - Woolworth's Australia

Here's a lovely example from Woolworth's Australia (hat-tip again to Andy Favell), taken from account registration. It uses three different checkboxes – SMS, email and post (samples). This means users can get comms where they want them, rather than an all-or-nothing approach.

Although Woolworth's Australia doesn't sell to the EC, there are lots of international companies that do, and will therefore have to comply with the GDPR. Remember that many marketers may still rely on the legitimate interests basis for processing when sending direct mail.

woolworth au contact preferences

Granular consent - Age UK

Age UK splits marketing consent (when filling in an online form to make a donation) into checkboxes for email, telephone, text message and post. What's also good is that each channel (apart from post) requires an active opt-in.

age uk

Though arguably consent for direct mail should be opt-in, too, some other charities are less transparent, requiring a user consents to post and then asking them to get in touch to change this (e.g. Oxfam).

There are also other charities which use an opt-out (instead of opt-in) for contact by telephone or simply take the user's input of a telephone number to imply consent. Age UK is doing a clearer job.

Note that marketing via post may be considered a legitimate interest for charities. The GDPR states ‘the processing of Personal Data for direct marketing purposes may be regarded as carried out for a legitimate interest'. However, as the Data Protection Network points out, 'organisations will still need to ensure they can establish necessity and balance their interests with the interests of those receiving the direct marketing communications'.

That means post every week could be hard to justify, but quarterly mail to let users know about charity work may seem to be more balanced.

Named organisations - Who is doing it right? 

Which companies are clearly naming the organisations that will have access to user data, where that user consents?

Named organisations - Waitrose

Here's a clear example from Waitrose, part of the John Lewis Partnership, when registering for an account. The user can consent to receiving updates from Waitrose, John Lewis or John Lewis Financial Services. Each organisation gets its own checkbox.

However, it's still technically an opt-out as the user has to click the buttons if they don't want to receive further comms. A bit sneaky.

waitrose consent

Named organisations - Age UK

Here's a second example which I think is very much in line with the clarity that the GDPR is seeking to provide for users. Age UK sets out clearly in what circumstances users (making a donation) may be contacted, that their data will never be sold, and that users can change their mind about consent.

Crucially, there's also a line that states clearly which organisations "we" refers to.

age uk consent 

Active opt-in - Who is doing it right? 

Active opt-in - Walmart Canada

Walmart Canada – where regulations are tight, including the CASL (Canadian anti-spam legislation) – is not only using an active opt-in, specifically for emails, but also has the word 'optional' in brackets, to let users know for certain they do not have to check this box.

Additionally, it's good to see clear description of what content such emails may contain.

walmart canada registration

Easy to withdraw - Who is doing it right?

Easy to withdraw - The Guardian 

This sort of functionality is pretty standard in many sectors (e.g. in the media and ecommerce) but is still something that isn't offered by everyone yet as self-serve.

The Guardian shows how those that have registered for an account can withdraw permission for marketing in their account settings, as well as withdraw permission for profiling that may impact things such as the adverts a user sees.

guardian preferences

One functionality the Guardian affords (below) which many do not is the ability to fully delete your account (right to erasure). When you do this from within your account settings, there's lots of clear information about how it will affect everything from the comments you have made to any paid subscriptions you have in place.

The page also states: "Deleting your account removes personal information from our database. Your email address becomes permanently reserved and the same email address cannot be re-used to register a new account."

guardian delete account

Other best practice

Clarity from Channel 4

I wanted to include the Channel 4 example, featuring a video campaign from back in 2012, when the broadcaster sought to prepare users for compulsory registration.

When registering for a Channel 4 account on the All 4 website, you can see Alan Carr featured on the right hand side and a link to the video ('Our viewers promise'). There's a clear heading – 'how we use your information' – and the text mentions tailored advertising, and sits underneath copy detailing 'reasons to register'.

all 4 how we use your information

There's a fairly unique bit of UX further down the form with users able to click to see an example newsletter (see the linked text in the screenshot below). This is an innovative way of helping the user decide whether they want to opt-in to communications.

The only gripe I have with this checkbox is that the accompanying explanation could be made clearer. Not everyone will know what FOMO means, for example.

all 4 registration

These examples are not rocket science, I know. It's the back-of-house stuff that represents the real challenge – how to keep records of all processing, all consent granted by users, how to enable users to take their data to another provider, and so on.

But, as companies should be looking to move towards compliance with the GDPR by 2018, the most visible part of this compliance – the UX of obtaining consent and letting the user know what they're in for – should be a priority soon.


Note that this article represents the views of the author solely, and is not intended to constitute legal advice.



Published 18 July, 2017 by Ben Davis @ Econsultancy

Ben Davis is Editor at Econsultancy. He lives in Manchester, England. You can contact him at ben.davis@econsultancy.com, follow at @herrhuld or connect via LinkedIn.


Comments (31)

Ashley Friedlein, Founder, Econsultancy & President, Centaur Marketing at Econsultancy (Staff)

Great stuff Ben. I like The Guardian's cunning psychological trick reminding people that if they delete their account then they can't register again except with a new email address. Might make people think twice ;)

Have you got any examples of the right to download your data in a portable format and/or make your data available to another organisation (including a competitor)? So in Facebook you can click to 'port all my personal data to Google+'?!

11 months ago

Ben Davis, Editor at Econsultancy (Staff)

@Ashley

Haven't researched portability yet, but purely from a UX point of view, some of the supermarkets use a service called mysupermarket, which allows users to port their shopping lists over to a new retailer. See this image - https://assets.econsultancy.com/images/0008/7598/supermarket_import_favourites.jpg

I rather think the portability thing will remain limited to sectors with lots of information such as insurance, but even then there are intermediaries (comparison engines) that are already solving that problem.

Will see what I can dig up...

11 months ago


Laurent Christoph, Experience Strategist at Lloyds Banking Group

Portability is a difficult one because the legislation is unclear on what the data format should be. For banks Open Banking will probably help in that regard.

Re consent, it has to be fully informed and explicit. This means explaining to customers what you will do (or not) with their data in a simple way: no more complex privacy policies but a more contextual and transparent explanation is what I anticipate.

Finally, companies that do this well will also demonstrate the value that customers will get from opting in to marketing, as well as provide more granular choices (brand, channel, frequency etc...)

11 months ago


Dennis van Lith, UX Designer at iWelcome

The Guardian is doing it wrong, since they openly state that you can no longer create an account on the used email address. They also say they keep your email address in their server database, which is again totally against the GDPR regulations. The GDPR has a clear regulation on the "right to be forgotten" (right to erasure). Meaning everything should be removed from the servers and databases. And yes, this also means logfiles etc...

Source: https://gdpr-info.eu/art-17-gdpr/

Dennis van Lith - UX Designer @ iWelcome

11 months ago

Ben Davis, Editor at Econsultancy (Staff)

@Dennis

Interesting point. I'm no lawyer, but might the Guardian refer to paragraph 3 in that link, namely: "for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89"

I wonder if the email address needs to be on file, tied to comments that users have made, and possibly to previous transactions/subscriptions (legal obligation?).

As I say, I'm not a lawyer, but the fact that Guardian allows users to delete all information bar email address is pretty good. You can even remove your name from comments.

Thanks for commenting.

11 months ago


Dennis van Lith, UX Designer at iWelcome

@Ben davis

The regulation states:

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

Source: https://gdpr-info.eu/art-17-gdpr/

An email address is such a datasource where the data can be linked to the user, and thus stated as personal information. Under personal information these are formed to erased. (as example:) Name, addresses, phone numbers, ip-addresses, scrambled GPS locations, mac-addresses etc...

11 months ago

Ben Davis, Editor at Econsultancy (Staff)

@Dennis

Yes, I read the link. But point 3 says: 'Paragraphs 1 and 2 shall *not* apply to the extent that processing is necessary etc etc.'

I'm just not sure to what extent companies will rely on this point 3, which discusses archiving and also for compliance with any legal obligation.

11 months ago


Dennis van Lith, UX Designer at iWelcome

Legal obligation could mean that (for instance) a certain webshop still has payments open from the user. Then the data should be stored in a so-called "grace state", meaning, when all payments are due. The data should still be removed from the servers.

11 months ago


Ann Kely, Digital Communications Manager at PTA UK

I assume the reason the Guardian blocks the email account is to stop vexatious posters registering, trolling, demanding to be forgotten, then reregistering, trolling, etc. I think that would count as legitimate interest.

11 months ago


Pete Austin, Founder and Author at Fresh Relevance

Re: "The Guardian is doing it wrong". @Dennis @Ben.

NOPE. At least not necessarily. What the Guardian says is, "Your email address becomes permanently reserved and the same email address cannot be re-used to register a new account."

This is NOT quite the same as Dennis states, "They also say they keep your email address in their server database, which is again totally against the GDPR regulations".

The Guardian could achieve the above, and also do archiving, by using a one-way hash of the email address to identify each account. Using a hash instead of the email address would comply with the GDPR, because the data would no longer be "personally identifiable" - unless it contained other information that allowed the person to be identified in a different way.
https://en.wikipedia.org/wiki/Cryptographic_hash_function

11 months ago


Tony Edey, . at RCL Cruises Ltd

Having to explain what you're doing with a user's data can seem scary at first, and companies may feel reluctant to change their ways by being transparent. However, a use case I can give had a web site with a standard boring line of text ("tick here if you want to receive our newsletter" or similar) and a pre-selected tick box to go with it (so it was an opt OUT mechanic). Opt in rates were around 30%, so 70% of people actively unchecked the box (and I'm reckoning it impacted their brand sentiment).

Then it got changed to the same thing only the tick box was not pre-selected (opt-IN mechanic). Opt-ins dropped to about 25%. Not a huge drop, but it all helps (or hurts!).

Then the opt-in was completely revamped to be a big colourful graphic which explained what sort of content you were opting in for, how often it was sent, how easy it was to opt out, and that (in this case) the data is not shared with anyone. Opt-ins went to 60% overnight.

Transparency engenders trust, and marketing opt-ins can benefit from this, with a little courage to change and preferably some AB testing ;)

11 months ago

Ben Davis, Editor at Econsultancy (Staff)

@Tony A fantastic example, thanks for sharing.

I wanted to also share the privacy notice users see when booking tickets at Manchester's Home cinema & theatre. I liked the granularity and the clear information about the benefits of opting-in. View it here > https://assets.econsultancy.com/images/resized/0008/7983/home_privacy-blog-flyer.png

11 months ago


Tim Watson, Email Marketing Consultant at Econsultancy Guest Access TRAININGSmall Business Multi-user

Interestingly the data shows that Sainsbury's approach is far more effective than Age UK, Walmart and most others.

The data for why Sainsbury's got it right is over here https://www.zettasphere.com/gdpr-consent-opt-in-examples/

9 months ago


Markus Abraham, Consultant at Markus Abraham

@Pete - You are correct as far as account creation might be concerned. It would be very easy to check the hash of an email address against a reservation list consisting of hashes. Yet organizations need to ensure that the individual is never again contacted on that email address, not even by accident as this could be very costly.
It is common practice to store email address in suppression lists within the marketing platform. At least at this point in time, virtually all major platforms require suppression lists to be comprised of clear-text email addresses, leaving an organization no other choice.
If said email address is used for the sole purpose of suppression, the organization should be fine. If an individual still insists on having that email address completely removed, the organization needs to point out that it cannot keep its legal obligation of no contact as there might be many avenues how an email address can enter its various databases.

Just my two cents...

8 months ago
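
The reservation check that Pete Austin's and Markus Abraham's comments describe, as an added example (not code from the article, the commenters or the Guardian). It swaps the plain hash for a keyed one (HMAC-SHA256), because email addresses are guessable and anyone holding a list of addresses can recompute unkeyed digests and match them; the key, the normalisation rules, the class and function names and the sample addresses are all assumptions made for illustration.

```python
import hashlib
import hmac
import unicodedata
from typing import Iterable, List, Set

# Constructed demo key. Assumption: the real key is held in a secrets manager,
# separate from the database that stores the tokens.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def normalise_email(address: str) -> str:
    """Canonical form so trivially different spellings map to one token.

    Assumption: the whole address is compared case-insensitively, which is
    how most sign-up forms treat it.
    """
    address = unicodedata.normalize("NFKC", address).strip()
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an email address")
    return f"{local.lower()}@{domain.lower()}"


def unkeyed_digest(address: str) -> str:
    """Plain SHA-256 of the address, included only for comparison."""
    data = normalise_email(address).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def reservation_token(address: str, key: bytes) -> str:
    """HMAC-SHA256 of the address; cannot be recomputed without the key."""
    data = normalise_email(address).encode("utf-8")
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def relinkable(stored: Iterable[str], known_addresses: Iterable[str]) -> List[str]:
    """Addresses from an outside list whose *unkeyed* digest appears in `stored`.

    Shows why a bare hash is weak protection: no key is needed to test a guess.
    """
    stored_set = set(stored)
    return [a for a in known_addresses if unkeyed_digest(a) in stored_set]


class ReservedAddresses:
    """Keeps only keyed tokens of deleted accounts' addresses, never the text."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._tokens: Set[str] = set()

    def reserve(self, address: str) -> None:
        """Call at account deletion, before the clear-text address is erased."""
        self._tokens.add(reservation_token(address, self._key))

    def is_reserved(self, address: str) -> bool:
        """Registration check: has this address been permanently reserved?"""
        return reservation_token(address, self._key) in self._tokens

    def tokens(self) -> frozenset:
        """What actually sits in the database."""
        return frozenset(self._tokens)

    def filter_recipients(self, recipients: Iterable[str]) -> List[str]:
        """Suppression check run on our side before a list goes to a mail platform."""
        return [r for r in recipients if not self.is_reserved(r)]


if __name__ == "__main__":
    store = ReservedAddresses(DEMO_KEY)
    store.reserve("Jo.Bloggs@Example.com")          # constructed sample address
    print(store.is_reserved(" jo.bloggs@example.COM "))
    print(store.filter_recipients(["jo.bloggs@example.com", "sam@example.org"]))
    outside_list = ["sam@example.org", "jo.bloggs@example.com"]
    print(relinkable({unkeyed_digest("jo.bloggs@example.com")}, outside_list))
    print(relinkable(store.tokens(), outside_list))
```

Whoever holds the key can still test a specific address against the list, so the key needs the same access control as the clear-text data would.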


Danny Bluestone, Managing Director at Cyber-Duck

Very good article. From a UX perspective more and more organisations will need to think about having controls such as 'what data do you have on me'. This would mean that certain businesses will need to be able to query their database and serve the data to the user on demand and through an interface as opposed to doing so by email. This makes sense as it automates processes and saves time. Minimising the amount of personal or sensitive information that is sent through emails, or hashing things, is another key requirement to keep things as secure as possible and 'out' of emails.

8 months ago


Patrick Gallagher, IT Director at DKNY

This is one of the best articles I've seen on the GDPR and consent. However I have a unique problem that I have been unable to find much information on. I would appreciate anyone's help or advice.

I work for a brick-and-mortar retail company, and we ask customers for information at checkout for loyalty and CRM purposes. This information is relayed verbally by the customer and entered by the cashier. The above examples of 'best practice' consent-gathering are excellent, but how can I obtain consent in a non-electronic environment that is also GDPR-compliant? In other words, if a customer is at the register paying for their purchases, is there a verbal way my cashier can obtain consent? There is nothing electronic that the customer can use to record their consent, such as a clickable radio button or slider bar. Would I need to record customer consent on a paper form?

Thank you again for the excellent article.

6 months ago


Matt Anslow, Data Protection Professional at Citric Data Protection

Patrick Gallagher, it's not mandated by the GDPR but I'd consider 'reinforcing' the record of verbal consent (recorded by cashier via till point?) with a double opt-in email that reminds the customer of the choices they made (verbally) and asks them to confirm them (be granular, be transparent). Doing this would also verify the email address provided, meaning that (to an extent) you have verified the user's identity - useful when you have to withdraw consent as easily as it was given (as you don't have to build in an extra step to verify the customer's identity upon receipt of a request to withdraw consent). Worth noting that consent guidance (from the ICO) is expected early 2018 so you might want to wait for that before making any decisions.

6 months ago


Hannah Hodgkinson, Head of Marketing at amicable

We need people's emails to send them the guide they're requesting - what's the best way of being explicit that they obviously need to consent to us using their email? Without adding an unnecessary check box?

5 months ago


Ann Kely, Digital Communications Manager at PTA UK

If they've given their email to request they are sent something, you surely have a legitimate interest in processing it for that purpose, and then destroying that data a short (reasonable) time later.
If you then use it to send them marketing, aggregate their data for analysis purposes etc, then you're in trouble. You'd have to ask for consent for that separately and specifically.
That's my interpretation anyway, be very interested if anyone else has a different take.

5 months ago


Jonathan Oldfield, Director at Optimised IT

We supply IT services & support for small & medium businesses, we don't do any sort of email marketing, just send one e-shot a year to current customers & others who have enquired about our services giving them our Christmas opening hours & saying Happy Christmas. Our website has a contact form on it, so do we need an Opt-In on there as well, or will the fact we get an email from someone asking us to contact them be enough to prove they were happy for communication? We're already thinking that the mailing list for the e-shot will only include current customers, and remove any that were only enquiries.
Thanks

5 months ago


Tim Watson, Email Marketing Consultant at Econsultancy Guest Access TRAININGSmall Business Multi-user

Jonathan - you're right to consider current customers and prospects as different cases. You may be OK with legitimate interest for current customers but not for prospects.

Remember too that you need marketing permission as well as GDPR data processing permission.

Your e-shot with opening hours might be OK for current customers as a service message. For example, if someone is paying for 24/7 IT service and you are shut over Christmas, then letting them know this in advance feels like a service message not marketing. You'll still need a legal basis to process their data, could be legitimate interest.

5 months ago


Tim Watson, Email Marketing Consultant at Econsultancy Guest Access TRAININGSmall Business Multi-user

Hannah/Ann. Regarding someone requesting a guide. If the only purpose of some data entry form is to give their details to get the guide then pressing the submit button is a positive action. I would feel you've got consent. I agree legitimate interest would probably work too.

Regarding sending other marketing besides the guide you would not be able to do that unless the data capture form was transparent that providing the email address was to receive marketing, which happens to include your guide .... consider the guide your first item of marketing you are sending them.

You'll find some more examples of opt-in and data to support the most effective methods here https://www.zettasphere.com/gdpr-consent-opt-in-examples/

5 months ago


Jonathan Oldfield, Director at Optimised IT

Hi Tim, many thanks for the reply.

5 months ago


Brian Kelly, Director at Bold Communications Ltd

Where the consent is on a printed document, for example a training evaluation form, is a printed copy of the privacy policy required, or can a URL to the policy be sufficient?

5 months ago


Carlos Cusi, CEO at Carum UK

Hi Ben,

Useful article, thanks for sharing.

Tim, this one is also for you:

I have a professional forum with an opt-in/consent button in the register form. I wonder how I can prove the new user has consented to receive our newsletter? Which data do I have to store to prove they did so?

Thanks.

about 1 month ago


Tim Watson, Email Marketing Consultant at Econsultancy Guest Access TRAININGSmall Business Multi-user

Carlos, take a look at this guidance https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent/

That includes this information:
We keep a record of when and how we got consent from the individual.
We keep a record of exactly what they were told at the time.

I would suggest as much evidence as you practically can that supports that consent was given. Perhaps:
- Time and date (in UTC/with timezone)
- IP address
- User details captured
- Registration form used

And keep a record, such as screenshots, of your registration form and versions of privacy policy. So that if they change you have the version available that the person saw.

Some brands, but not all, are using double-optin as a further measure to support consent. This is not however a requirement of GDPR. It's a choice.

about 1 month ago


Carlos Cusi, CEO at Carum UK

Thanks Tim.

Correct me if I'm wrong.

You can be fined 20M pounds and the only proof you can give the judge that you have done the right things is a free WIFI dynamic IP, time and date, a confirmed user email and a fake username.

Don't you think it is a little weak?

I hope my competitors don't start putting me in trouble.

about 1 month ago


Tim Watson, Email Marketing Consultant at Econsultancy Guest Access TRAININGSmall Business Multi-user

The fines available under GDPR are up-to the higher of 20M or 4% of turnover.

Those are the fines for the most serious breaches. I'm not sure anyone knows what makes a serious breach. Or what level of evidence is needed for sufficient verification of consent.

For example, it's been well publicized that WhatsApp is not allowing users under the age of 16 so they don't need to worry about GDPR for children. The process as far as I can see is a tick box to say you are over 16. Will that stand up in court as sufficient verification of someone's age?

We'll know more in some months time...

about 1 month ago


Carlos Cusi, CEO at Carum UK

Here's another:

I have a professional forum and professionals register for free to be able to see the really interesting parts of the web site. In return, I get their consent to send them emails with information about our partners, suppliers of the market.

Very often these professionals just have interest in one piece of information so they opt out after satisfying their curiosity. Up to this point that is fine; we accept this.

But I have quite a large group of professionals that opt in and out continuously. I have one case where he opted in and out more than 20 times.

Each time a professional opts out I delete all his data, but when he opts in I store his data again.

With the GDPR in your hand, what will happen if the user complains about a period of time he was opted out? I can't keep records of his activity because of the right to erasure, and I can't prove he opted out.

What should I do?

about 1 month ago


Tim Watson, Email Marketing Consultant at Econsultancy Guest Access TRAININGSmall Business Multi-user

Is your opt-out a request to opt-out of marketing or a request for erasure? Those are different. Just because someone says don't send me emails, it doesn't follow that they want to be totally forgotten too. Remember that permission to send emails is regulated by PECR and GDPR is only about storing data.

So an email permission opt-out doesn't mean you must delete. I suggest you consider your opt-out request is for suppression of marketing. Your privacy policy should explain that people can be forgotten too and how they can request this.

But taking the case that someone has requested to be forgotten. I don't believe it to be an absolute right. Someone can request to be forgotten but you can keep some data if you still have a legal basis, such as 'legal obligation'. A newly ex-employee probably can't ask for an employer to forget their tax information and what they were paid as there is a legal obligation to keep records of tax for several years.

So you might consider you need to keep something about the opt-out in order to meet your need to show you have followed the law and indeed opted-out. That might only apply to some data of course. Keeping details of their favourite colour, pages they visited, date of birth etc., might be hard to justify as needed to show you did an opt-out.

about 1 month ago


Carlos Cusi, CEO at Carum UK

Yes, I see the difference but that's the point. In most of the sites I'm registered as an active user I have to "suffer" their ads emails. But this was part of the deal.

What I think in our particular case is:

If the registered user doesn't want to receive mails from us we don't want him to see the private part of the forum.

So, if he opts out we treat it as an erasure request and we delete everything about him, including his registration details, and he can't sign in again until he registers again.

The private part of our web site costs money to maintain and we sell the option to contact the users by the suppliers without giving them our records.

In this scenario, the GDPR doesn't give me chances to keep track of a person. There isn't any legal basis to keep personal data.

Do you think I can do it differently?

about 1 month ago
