In the second article of our series about GDPR, we will focus on what is surely the most important part for most companies: collecting e-mails via your website or blog.
This will allow you to know what must comply with the form since May 25, 2018 (the effective date of the regulation) and see what you absolutely must not do!
Before we start: keep this in mind
You’ve probably read dozens of articles about it and the result is that you’re probably more lost after reading it.
Here are some of the things you need to keep in mind for your data collection forms to comply with the GDPR:
- You can ONLY ask for the information you need! In other words, whether for a simple newsletter subscription, downloading a free guide or registering for your tool, you can not ask (obligatory = fields required to register) to users of data that is irrelevant and you do not really need it.
Example: You do not have the right to request the mailing address of the person who wishes to subscribe to your newsletter.
So yes, the more you know about a prospect and the better, but NO, you can not do it anymore.
- The user needs to know exactly what he is doing and how his data will be processed and used. You must therefore collect explicit and not passive consent from the user (more details in the examples that will be given in this article).
- You must add a link on all your forms to your privacy policy or data processing. Which means that in addition to your possible Legal Notices, you must write in black and white where and how are processed, stored and used user data.
- You must inform the user that he can quickly and simply use his right to modify, rectify or delete his data and how to exercise this right.
- You must distinguish between your different types of e-mailing. Also, if you have two types of e-mails (newsletters + commercial and promotional offers for example), you will need, in order to be able to send both types of campaigns to a user, to collect his explicit consent for each type of campaign.
Of course, the GDPR text is much more dense and can not be summarized only in the points above. But if you make sure to respect these points, as well as the examples in the rest of the article, you will have done a big part of the work of compliance with the GDPR (unless, of course, you run a company that deals with astronomical quantities of data).
Now that you have all that in mind, let’s get to the heart of the matter with concrete examples and good practices for your forms.
Classic subscription to newsletter:
Let’s start with the simplest, the classic form of registration to your newsletter.
If you use the email addresses of this form only to send your newsletters (and not your commercial offers or those of your partners), you can keep a classic form, but add legal information.
Be careful with the link to your privacy policy. This link should not simply return the user to the page of your Legal Notice. It must be able, by clicking on the link, to go directly to the section that deals with your data processing and use policy.
Newsletter v.s. marketing offers or sales:
Important: If, in addition to your newsletters, you want to send commercial or promotional emails, you must collect explicit and not passive consent for both types of campaigns.
Are you confused? Do not worry, you will understand everything with the examples below:
Example:
You have two types of email campaigns in your business:
Campaign 1: a newsletter with your latest blog posts that is sent weekly to your subscriber list
Campaign 2: One or more emails per month to offer discounts on your products or services.
What not to do anymore:
What must be done to comply with GDPR:
- Make distinction between these two types of mailing and translate it visually into your form;
- Offer the user the possibility to choose whether or not to receive this second type of campaign.
Attention, who says “explicit consent” says no pre-ticked box! The user must himself perform the action in question. The form below with the box already checked is no longer in conformity with GDPR:
Collection forms (excluding newsletter registration):
In addition to the registration forms for your newsletter, you may also submit other forms on your site, such as:
- Downloading a free guide
- Registration for a webinar (web conference)
- Registration to your tool
- Online booking (restaurant, event, etc.).
Again, you must follow the same rules imposed by GDPR.
Example:
You propose the download of a free guide (e-book) on your site via a simple registration with an e-mail address.
From now on, you will need to retrieve the different consents explicitly with clear and distinct opt-ins (the small checkboxes). The user must himself do the action.
Beware of unchecked BUT deceptive boxes:
The GDPR has also thought of the smart guys who would like to “divert” a little rules with deceptive opt-in.
So here’s what NOT to do:
Double opt-in
Our advice is to not ignore the double opt-in.
Do not panic! The “double opt-in”, you already know what it is!
It is simply a first automatic email (post-registration) that asks you to check your email address.
The double opt-in has existed for many, many years. Although it was originally set up to keep quality email lists and not to reduce the deliverability rates of e-mailing campaigns, it now appears to be one more proof of consent given by users.
We advise you to configure the default double opt-in in your e-mail marketing tool.
To my knowledge, all major email tools on the market offer dual opt-in, including in free versions of these tools.
Make sure your email tool is in compliance with GDPR!
Last point to keep in mind. Remember that it is your responsibility to verify that all of your partners and providers are also in compliance with the GDPR.
Most of the major email marketing tools on the market (Mailchimp, Mailjet, SendinBlue, Aweber, etc.) are already in compliance. If this is not the case for your tool, we advise you to quickly contact them or change the software quickly.
