For example, the GDPR requires that all European users give specific consent before a business can use their information to serve personalized advertising. If an EU user visits your online store, then your website uses their browsing data to serve them personalized ads without their prior consent, you may have a big problem with EU supervisory authorities.
Privacy Law and Consent
Throughout the world, privacy regulations are becoming more rigorous and specific about what does or does not constitute valid consent. The most notable of these is the European Union's GDPR, which specifically states that in order for consumer data to be collected or processed, their consent must be obtained in a manner that is:
- Freely given
- Verified using a clear, affirmative action
- Sufficient to overturn claims from users that they did not understand how your company was using their personal information
No matter where your business is located or who your customers are, it is clear that there is a legal advantage to requesting explicit consent from any user that submits personal information to your company.
It is important to note that there are right and wrong ways to request consent.
Make sure the consent checkbox is unticked when the user accesses the page, so that they must make a clear, affirmative action to agree to the policy.
Hypothesis provides us with a simple example of a consent checkbox that is unticked when the webform loads:
These are a few consent practices to avoid:
1. Do not pre-tick a consent checkbox. If the user does not actually click to accept the policy, consent will not be considered freely given or unambiguous. Apple keeps checkboxes pre-ticked for marketing communications in this form, which would not be considered valid consent under the GDPR:
Here is an example of this type of consent form from Mailchimp:
To recap: You should use checkboxes to get consent, and use separate boxes for each thing you wish to get consent for. Make sure the boxes are clearly labeled, with links to any agreements included, and are left unchecked so your users can check them themselves.
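The recap above can be enforced in code. The following is an added example, not code from the original article or from any of the companies it names: a constructed sample form with one unchecked box per purpose, a lint that catches a consent box served pre-ticked, and a submission handler that only treats a box the user actually ticked as consent and keeps a record of it. The purpose names and the policy version identifier are assumptions.

```javascript
// Constructed sample markup: separate, unchecked boxes, labels linking to the policies.
const CONSENT_FORM_HTML = `
<form id="checkout">
  <input type="email" name="email" required>
  <label><input type="checkbox" name="consent_terms" value="yes">
    I have read and agree to the <a href="/terms">Terms</a> and <a href="/privacy">Privacy Policy</a></label>
  <label><input type="checkbox" name="consent_marketing" value="yes">
    I consent to receiving marketing emails</label>
  <button type="submit">Place Order</button>
</form>`;

// Assumed purposes: "terms" must be consented to before the order is accepted,
// "marketing" is optional and must never be assumed.
const KNOWN_PURPOSES = ["terms", "marketing"];
const REQUIRED_PURPOSES = ["terms"];
const POLICY_VERSION = "2018-05-25"; // assumed identifier of the policy text shown to the user

// Lint the served markup: a consent box carrying a `checked` attribute is pre-ticked,
// so ticking it was never an affirmative action by the user.
function findPreTickedConsentBoxes(html) {
  const preTicked = [];
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    const name = (tag.match(/\bname="(consent_[^"]+)"/i) || [])[1];
    if (name && /\bchecked\b/i.test(tag)) preTicked.push(name);
  }
  return preTicked;
}

// Validate a submitted form. A box counts as consent only when its value is "yes";
// an absent field (unticked boxes are not submitted) is "no", never consent.
// On success, returns the record to store alongside the user's data as evidence
// of what was consented to, when, and under which policy version.
function processConsent(fields, now = new Date()) {
  const purposes = {};
  for (const p of KNOWN_PURPOSES) purposes[p] = fields[`consent_${p}`] === "yes";
  const missing = REQUIRED_PURPOSES.filter((p) => !purposes[p]);
  if (missing.length > 0) {
    return { ok: false, errors: missing.map((p) => `consent for "${p}" is required`) };
  }
  return {
    ok: true,
    record: { email: fields.email, purposes, policyVersion: POLICY_VERSION, consentedAt: now.toISOString() },
  };
}
```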
The contact form is usually the first point of contact between a company and a prospective customer. Just remember that if the visitor submits so much as an email address, you will need to obtain consent if you intend to store that information and use it for analysis or marketing purposes.
This is an opportune moment to obtain consent for data processing, as the European Tour Operators Association has done here:
You can see how when a user checks that box, they're explicitly agreeing to let ETOA use the personal information in order to contact the user. This may seem unnecessary or obvious since the user clearly wants to be contacted, hence filling out the contact form, but consent is a serious thing and you can never be too safe or assume you have it. It's best to just be very clear and make sure everyone is on the same page with how personal information will be used.
Marketing Sign-up Forms
Here's an example from Yelp:
Even mobile apps should incorporate this feature into registration forms, as shown in the PayPal application's registration interface below:
Even on mobile apps you can have your users tap a checkbox to provide consent. Note that PayPal takes things a step further by having the user check a box stating that they "read, consent and agree to" the terms, instead of merely "agreeing to" them. Using the actual word "consent" makes it even clearer that consent is being obtained here.
You can see a great example of this type of form here, from Bloomer Armada. Note the use of double checkboxes directly above the "Place Order" button. This helps ensure a user cannot miss these boxes as they'd be the final step in the process before formalizing the order: