Examples of GDPR compliant privacy notices and email opt-in forms
We've now been covering the implications of the GDPR for marketers and their audiences since 2015 on Smart Insights with many articles contributed by guest experts specialising in privacy law for marketing.
Initially, there was a lot of speculation and it was difficult to provide practical examples, since ultimately what businesses need to know is how to update their forms for collecting email addresses and the copy explaining consent for communications in their privacy statement. As the Information Commissioner's Office provided more guidance, some simple sample examples were provided in templates, but these didn't cover the range of situations where businesses in different sectors needed to implement them.
Today, as we fast approach the deadline, we can learn from the examples of larger companies who have implemented new forms and privacy notices. We don't know that they are GDPR compliant, in that they haven't been independently assessed, but the examples we give here are from large businesses who will have taken advice from specialist lawyers.
In this article, we don't explain the concepts of personal data, consent and legitimate interests; those are covered in our members' guide and you are likely familiar with them already, so we'll concentrate on the examples. We will start with privacy statements and then look at forms and copy asking for consent.
Here are our examples of good practice:
AA Privacy notice
This example follows the structure of the GDPR and references features like 'legitimate interests'. We like it since it is clearly written for the end user, transparent about the data sources and use and clearly structured. However, it is long due to the importance of different types of data processing in insurance products.
Structure of AA privacy statement:
- 1. Background
- 2. What kinds of personal information about you do we process?
- 3. What is the source of your personal information?
- 4. What do we use your personal data for?
- 5. What are the legal grounds for our processing of your personal information (including when we share it with others)?
- 6. When do we share your personal information with other organisations?
- 7. How and when can you withdraw your consent?
- 8. Is your personal information transferred outside the UK or the EEA?
- 9. How do we share your information with credit reference agencies?
- 10. How do we share your information with Fraud Prevention Agencies?
- 11. What should you do if your personal information changes?
- 12. Do you have to provide your personal information to us?
- 13. Do we do any monitoring involving processing of your personal information?
- 14. What about other automated decision making?
- 15. For how long is your personal information retained by us?
- 16. What are your rights under data protection laws?
- 17. Your right to object
- 18. What are your marketing preferences and what do they mean?
Under legitimate interests, it covers marketing communications specifically:
i) For direct marketing communications and related profiling to help us to offer you relevant products and services, including deciding whether or not to offer you certain products and service. We will send marketing to you by SMS, email, phone, post and social media and digital channels (for example, using Facebook Custom Audiences and Google Custom Match).
It's interesting that it specifically mentions the options available from Facebook and Google to enable uploading of customer lists to find lookalike audiences and for retargeting based on email address.
Facebook Data Policy
You will know that Facebook has a strong need to be transparent about its privacy. We have chosen this example for its structure, similar to the AA's, which explains privacy in an easy-to-understand way. It's very different from previous Data Protection Act notices from Facebook and others, which were more legal in tone and near unintelligible.
Profiling form examples seeking consent
Example A. Lead generation / lead magnet example form
This example follows the requirements of the law closely since it doesn't require you to opt in to future communications in order to receive the offer. It also shows that you don't have to use a tickbox: a radio button works instead. Tests referenced by Tim Watson in his well-worth-a-read post giving example GDPR consent forms show that radio buttons can perform better than the more traditional opt-in tick-box.
Example B. B2B Email newsletter sign-up
While this example illustrates compliance well, it is arguable whether it is needed if you bundle additional resources or explain the range of communications subscribers will receive. The discussion on Tim's blog gives the example of his own opt-in at the foot of articles.
Example C. Retail.
This example also includes an affirmative action based on selecting a radio button. It also follows good practice since it has a compelling description of what's available: not simply 'Receive marketing communications', but detailing the types of offers and coupons available. Retailers are in a strong position since they can offer these incentives.
Note that it can be argued under the Privacy and Electronic Communications Regulations that opt-in is achieved 'during course or negotiations for sale' and thus an additional tick-box is unnecessary. For example, at the time of writing Amazon UK doesn't give a choice. It would be interesting if the Information Commissioner went after Amazon for failing to offer this choice.
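To make the points in Examples A and C concrete, here is an added example of the server-side handling behind a form built that way. It is not code from Smart Insights or from any of the companies cited on this page; the field names (`email`, `offer`, a radio group `marketing_consent` with values `yes`/`no`), the consent wording and the sample submissions are all assumptions made for illustration. The offer is delivered on a valid email alone, consent is recorded only on an explicit affirmative choice (nothing pre-selected counts), and a record of the exact wording, time and source is kept so that a later withdrawal (the AA notice's section 7) can be applied against it.

```javascript
// Added example, not from the article or the companies it discusses.
// Hypothetical form fields: `email`, `marketing_consent` ("yes" | "no", no default).

// The exact wording shown beside the "yes" radio button; stored with each
// consent record so you can later prove what the subscriber agreed to.
const CONSENT_TEXT =
  "Yes, send me the weekly newsletter and occasional offers by email.";

// Validate one form submission. Returns an object describing what to do:
// whether to deliver the lead magnet and whether a consent record was created.
function processLeadForm(fields, now = new Date()) {
  const email = String(fields.email || "").trim();
  // Deliberately simple address check; a real form would also confirm by email.
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
    return { ok: false, error: "invalid email" };
  }

  const choice = fields.marketing_consent;
  // Unbundled consent: the offer ships regardless of the marketing choice.
  const result = { ok: true, email, deliverOffer: true, consent: null };

  if (choice === "yes") {
    // Only an explicit, affirmative selection creates a consent record.
    result.consent = {
      email,
      granted: true,
      text: CONSENT_TEXT,
      channel: "email",
      source: "lead-magnet-form",
      timestamp: now.toISOString(),
    };
  } else if (choice !== "no" && choice !== undefined) {
    // Anything other than the two offered values is a tampered or broken form.
    return { ok: false, error: "unrecognised consent value" };
  }
  // "no", or the radio group left unselected: no consent, but the offer still ships.
  return result;
}

// A withdrawal is stored as another record, not by deleting the original,
// so the history of what was agreed and when remains auditable.
function recordWithdrawal(email, now = new Date()) {
  return {
    email,
    granted: false,
    text: "Withdrew marketing consent",
    channel: "email",
    source: "preference-centre",
    timestamp: now.toISOString(),
  };
}

// The current status is whatever the most recent record for that address says.
function currentMarketingStatus(records, email) {
  const mine = records
    .filter((r) => r.email === email)
    .sort((a, b) => a.timestamp.localeCompare(b.timestamp));
  if (mine.length === 0) return "no-consent";
  return mine[mine.length - 1].granted ? "consented" : "withdrawn";
}

// Constructed sample submissions, as a browser would post them.
const sampleYes = { email: "reader@example.com", marketing_consent: "yes" };
const sampleNone = { email: "reader@example.com" }; // radio group untouched

console.log(processLeadForm(sampleYes, new Date("2018-05-01T09:00:00Z")));
console.log(processLeadForm(sampleNone));
```

The `consent` record is what you would write to a consent log; keeping the wording alongside the timestamp matters because the text on the form will change over time and the record must reflect what was actually shown.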
Example D. Retail, part of a larger group
Since Tesco Grocery may want to share customer data with other parts of the group which are not for 'similar products and services' in the words of the PECR, Tesco asks for opt-in to the wider Tesco Group. It has pre-ticked the box, presumably on the basis that this is during the course of negotiations for sale.
Example E. Publisher
Economist Free Email newsletter sign-up
This example is complex since the Economist wants to distinguish between signing up for the e-newsletter and other communications. Each uses a different implicit format to gain consent, which isn't straightforward to understand since you have to opt out in a different way. However, they are transparent about the types of communications.
And that's our final example. I hope these have proved interesting and useful to benchmark against your approach. For further discussion do let us know on social media, especially our Facebook members' group.