With the General Data Protection Regulation (GDPR) due to come into force in May 2018, there are already lots of resources out there to help guide you towards compliance.

However, there are fewer articles that point to companies who are already exhibiting best practice. So, I'm going to attempt to round up examples that already seem to comply with aspects of the GDPR.

In this instance, I'm concentrating on user consent, chiefly during online registration or checkout, but it should be noted that there are many other user experiences to consider. I was particularly impressed by some prototypes created by Projects by IF. One example is the UI below, an example of allowing users the 'right to erasure'.

[Image: Projects by IF prototype of a 'right to erasure' interface]

The agency that created this prototype points out that the right to erasure isn't always an all or nothing decision, and that granular erasure of information may be desired, such as removing addresses from your recent trip history ("'Your trip to Brighton' makes more sense than 'Your trips to 7 Kensington Gardens, 52 Ship Street, and 11 Queens Road'").

What are we looking for in this article?

I'm going to be examining company websites, looking for the following five aspects of consent in the GDPR which the ICO highlights as key changes, and which are pertinent to marketers. 

  • Unbundled: Consent requests must be separate from other terms and conditions. Consent should not be a precondition of signing up to a service unless necessary for that service.
  • Active opt-in: Pre-ticked opt-in boxes are invalid – use unticked opt-in boxes or similar active opt-in methods (e.g. a binary choice given equal prominence).
  • Granular: Give granular options to consent separately for different types of processing wherever appropriate.
  • Named: Name your organisation and any third parties who will be relying on consent – even precisely defined categories of third-party organisations will not be acceptable under the GDPR.
  • Easy to withdraw: Tell people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to give consent. This means you will need to have simple and effective withdrawal mechanisms in place.

N.B. There is another important change that should be on the marketer's agenda and that's the need for brands to maintain records of the consents they have – i.e. what users were told and how they gave consent. Obviously this is more difficult for me to investigate, but it is an area that companies no doubt need to focus on.

Unbundled consent - Who is doing it right?

Unbundled consent - Sainsbury's

Here's a great example from Sainsbury's, below, flagged up in an Econsultancy article about supermarket account registration from Andy Favell.

Look how the white content blocks separate the clearly-headlined 'Terms and conditions' and 'Contact permission' sections. The contact permission section requires that users select a radio button, either 'yes please' or 'no thanks'. This is clear as day, and what the consumer likes to see when registering for an ecommerce account.

Not everything is hunky dory here, as permission for email, post, SMS and telephone is all lumped together into the same checkbox, but as far as unbundled consent is concerned (separate from T&Cs), Sainsbury's hits the mark.

[Image: Sainsbury's registration form with separate 'Terms and conditions' and 'Contact permission' sections]

Unbundled consent - Data Protection Network

One would expect the Data Protection Network to be on top of this sort of thing.

I recently registered so I could download guidance on GDPR and 'legitimate interests' – whilst joining I noted the unbundled consent and the very nifty red-to-green sliders. A great opt-in UX.

[Image: Data Protection Network registration form with red-to-green consent sliders]

Granular consent - Who is doing it right?

Remember, granular consent means consenting to each contact method separately. 

Granular consent - Woolworths Australia

Here's a lovely example from Woolworths Australia (hat-tip again to Andy Favell), taken from account registration. It uses three different checkboxes – SMS, email and post (samples). This means users can get comms where they want them, rather than an all-or-nothing approach.

Although Woolworths Australia doesn't sell to the EC, there are lots of international companies that do, and will therefore have to comply with the GDPR.

[Image: Woolworths Australia contact preferences with separate SMS, email and post checkboxes]

Granular consent - Age UK

Age UK splits marketing consent (when filling in an online form to make a donation) into checkboxes for email, telephone, text message and post. What's also good is that each channel (apart from post) requires an active opt-in.

[Image: Age UK donation form with per-channel marketing consent checkboxes]

Though arguably consent for direct mail should be opt-in, too, some other charities are less transparent, requiring that a user consent to post and then asking them to get in touch to change this (e.g. Oxfam). There are also other charities which use an opt-out (instead of opt-in) for contact by telephone, or simply take the user's input of a telephone number to imply consent. Age UK is doing a better job.

Note that marketing via post may be considered a legitimate interest for charities. The GDPR states 'the processing of Personal Data for direct marketing purposes may be regarded as carried out for a legitimate interest'. However, as the Data Protection Network points out, 'organisations will still need to ensure they can establish necessity and balance their interests with the interests of those receiving the direct marketing communications'.

That means post every week could be hard to justify, but quarterly mail to let users know about charity work may seem to be more balanced.

Named organisations - Who is doing it right? 

Which companies are clearly naming the organisations that will have access to user data, where that user consents?

Named organisations - Waitrose

Here's a clear example from Waitrose, part of the John Lewis Partnership, when registering for an account. The user can consent to receiving updates from Waitrose, John Lewis or John Lewis Financial Services. Each organisation gets its own checkbox.

However, it's still technically an opt-out, as the user has to click the buttons if they don't want to receive further comms. A bit sneaky.

[Image: Waitrose registration consent options for Waitrose, John Lewis and John Lewis Financial Services]

Named organisations - Age UK

Here's a second example which I think is very much in line with the clarity that the GDPR is seeking to provide for users. Age UK sets out clearly in what circumstances users (making a donation) may be contacted, that their data will never be sold, and that users can change their mind about consent.

Crucially, there's also a line that states clearly which organisations "we" refers to.

[Image: Age UK consent wording naming the organisations covered by "we"]

Active opt-in - Who is doing it right? 

Active opt-in - Walmart Canada

Walmart Canada – where regulations are tight, including the CASL (Canadian anti-spam legislation) – is not only using an active opt-in, specifically for emails, but also has the word 'optional' in brackets, to let users know for certain they do not have to check this box.

Additionally, it's good to see a clear description of what content such emails may contain.

[Image: Walmart Canada registration form with optional email opt-in]

Easy to withdraw - Who is doing it right?

Easy to withdraw - The Guardian 

This sort of functionality is pretty standard in many sectors (e.g. media and ecommerce), but not everyone yet offers it on a self-serve basis.

The Guardian shows how those that have registered for an account can withdraw permission for marketing in their account settings, as well as withdraw permission for profiling that may impact things such as the adverts a user sees.

[Image: The Guardian account preferences for marketing and profiling]

One function the Guardian offers (below) which many do not is the ability to fully delete your account (right to erasure). When you do this from within your account settings, there's lots of clear information about how it will affect everything from the comments you have made to any paid subscriptions you have in place.

The page also states: "Deleting your account removes personal information from our database. Your email address becomes permanently reserved and the same email address cannot be re-used to register a new account."

[Image: The Guardian 'delete account' page]

Other best practice

Clarity from Channel 4

I wanted to include the Channel 4 example, featuring a video campaign from back in 2012, when the broadcaster sought to prepare users for compulsory registration.

When registering for a Channel 4 account on the All 4 website, you can see Alan Carr featured on the right hand side and a link to the video ('Our viewers promise'). There's a clear heading – 'how we use your information' – and the text mentions tailored advertising, and sits underneath copy detailing 'reasons to register'.

[Image: All 4 registration page, 'how we use your information' section]

There's a fairly unusual bit of UX further down the form, with users able to click to see an example newsletter (see the linked text in the screenshot below). This is an innovative way of helping the user decide whether they want to opt in to communications.

The only gripe I have with this checkbox is that the accompanying explanation could be made clearer. Not everyone will know what FOMO means, for example.

[Image: All 4 registration form with 'see an example newsletter' link]

These examples are not rocket science, I know. It's the back-of-house stuff that represents the real challenge – how to keep records of all processing, all consent granted by users, how to enable users to take their data to another provider, and so on.

But, as companies should be looking to move towards compliance with the GDPR by 2018, the most visible part of this compliance – the UX of obtaining consent and letting the user know what they're in for – should be a priority soon.

To learn more on this topic, book a place on our GDPR and Data-Driven Marketing training course.

Note that this article represents the views of the author solely, and is not intended to constitute legal advice.

Ben Davis

Published 18 July, 2017 by Ben Davis @ Econsultancy

Ben Davis is Deputy Editor at Econsultancy. He lives in Manchester, England. You can contact him at ben.davis@econsultancy.com, follow at @herrhuld or connect via LinkedIn.


Comments (12)

Ashley Friedlein, Founder, Econsultancy & President, Centaur Marketing (Staff)

Great stuff Ben. I like The Guardian's cunning psychological trick reminding people that if they delete their account then they can't register again except with a new email address. Might make people think twice ;)

Have you got any examples of the right to download your data in a portable format and/or make your data available to another organisation (including a competitor)? So in Facebook you can click to 'port all my personal data to Google+'?!

2 months ago

Ben Davis, Deputy Editor at Econsultancy (Staff)

@Ashley

Haven't researched portability yet, but purely from a UX point of view, some of the supermarkets use a service called mysupermarket, which allows users to port their shopping lists over to a new retailer. See this image - https://assets.econsultancy.com/images/0008/7598/supermarket_import_favourites.jpg

I rather think the portability thing will remain limited to sectors with lots of information such as insurance, but even then there are intermediaries (comparison engines) that are already solving that problem.

Will see what I can dig up...

2 months ago


Laurent Christoph, Experience Strategist at Lloyds Banking Group

Portability is a difficult one because the legislation is unclear on what the data format should be. For banks Open Banking will probably help in that regard.

Re consent, it has to be fully informed and explicit. This means explaining to customers what you will do (or not) with their data in a simple way: no more complex privacy policies but a more contextual and transparent explanation is what I anticipate.

Finally, companies that will do this well will also demonstrate the value that customers will get from opting in to marketing, as well as provide more granular choices (brand, channel, frequency etc.).

2 months ago


Dennis van Lith, UX Designer at iWelcome

The Guardian is doing it wrong. Since they openly state that you can no longer create an account on the used email address. They also say they keep your email address in their server database, which is again totally against the GDPR regulations. The GDPR has a clear regulation on the "right to be forgotten" (right to erasure). Meaning everything should be removed from the servers and databases. And yes, this also means logfiles etc...

Source: https://gdpr-info.eu/art-17-gdpr/

Dennis van Lith - UX Designer @ iWelcome

2 months ago

Ben Davis, Deputy Editor at Econsultancy (Staff)

@Dennis

Interesting point. I'm no lawyer, but might the Guardian refer to paragraph 3 in that link, namely: "for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89"

I wonder if the email address needs to be on file, tied to comments that users have made, and possibly to previous transactions/subscriptions (legal obligation?).

As I say, I'm not a lawyer, but the fact that Guardian allows users to delete all information bar email address is pretty good. You can even remove your name from comments.

Thanks for commenting.

2 months ago


Dennis van Lith, UX Designer at iWelcome

@Ben Davis

The regulation states:

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

Source: https://gdpr-info.eu/art-17-gdpr/

An email address is such a data source where the data can be linked to the user, and thus counts as personal information. Under personal information, these are to be erased (as examples): name, addresses, phone numbers, IP addresses, scrambled GPS locations, MAC addresses etc...

2 months ago

Ben Davis, Deputy Editor at Econsultancy (Staff)

@Dennis

Yes, I read the link. But point 3 says: 'Paragraphs 1 and 2 shall *not* apply to the extent that processing is necessary etc etc.'

I'm just not sure to what extent companies will rely on this point 3, which discusses archiving and also for compliance with any legal obligation.

2 months ago


Dennis van Lith, UX Designer at iWelcome

Legal obligation could mean that (for instance) a certain webshop still has payments open from the user. Then the data should be stored in a so called "grace state", meaning, when all payments are due, the data should still be removed from the servers.

2 months ago


Ann Kely, Digital Communications Manager at PTA UK

I assume the reason the Guardian blocks the email account is to stop vexatious posters registering, trolling, demanding to be forgotten, then reregistering, trolling, etc. I think that would count as legitimate interest.

2 months ago

Pete Austin, CINO at Fresh Relevance

Re: "The Guardian is doing it wrong". @Dennis @Ben.

NOPE. At least not necessarily. What the Guardian says is, "Your email address becomes permanently reserved and the same email address cannot be re-used to register a new account."

This is NOT quite the same as Dennis states, "They also say they keep your email address in their server database, which is again totally against the GDPR regulations".

The Guardian could achieve the above, and also do archiving, by using a one-way hash of the email address to identify each account. Using a hash instead of the email address would comply with the GDPR, because the data would no longer be "personally identifiable" - unless it contained other information that allowed the person to be identified in a different way.
https://en.wikipedia.org/wiki/Cryptographic_hash_function

2 months ago
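As an added example (not from the page, from any commenter, or from The Guardian's own system), the reservation scheme described in the comment above can be implemented as a set of pseudonyms checked against a keyed digest rather than a bare hash. Email addresses are low-entropy, so an unkeyed hash can be confirmed by anyone holding the table and a list of candidate addresses; the HMAC key, assumed here to be held server-side and separately from the table, is what makes the stored values non-identifying on their own.

```python
import hashlib
import hmac
from typing import List, Optional

# Constructed server-side secret for this example only; a real deployment would
# load it from a secrets manager and keep it away from the reservation table.
RESERVATION_KEY = b"example-reservation-key-not-for-production"


def normalise_email(addr: str) -> str:
    """Canonicalise an address so 'Alice@Example.COM ' and 'alice@example.com'
    map to the same entry. Lower-casing the local part too is an assumption
    made here for simplicity (RFC 5321 only makes the domain case-insensitive)."""
    return addr.strip().lower()


def bare_digest(addr: str) -> str:
    """Unkeyed SHA-256 of the address: the scheme as literally described."""
    return hashlib.sha256(normalise_email(addr).encode()).hexdigest()


def keyed_digest(addr: str, key: bytes = RESERVATION_KEY) -> str:
    """HMAC-SHA256 pseudonym: a digest cannot be checked against a guessed
    address by anyone who holds the table but not the key."""
    return hmac.new(key, normalise_email(addr).encode(), hashlib.sha256).hexdigest()


class ReservationList:
    """Pseudonyms of deleted accounts' addresses; holds no address in the clear."""

    def __init__(self, key: bytes = RESERVATION_KEY) -> None:
        self._key = key
        self._reserved = set()

    def reserve(self, addr: str) -> None:
        self._reserved.add(keyed_digest(addr, self._key))

    def is_reserved(self, addr: str) -> bool:
        return keyed_digest(addr, self._key) in self._reserved


def match_against_candidates(digest: str, candidates: List[str],
                             key: Optional[bytes] = None) -> Optional[str]:
    """Return the candidate whose digest equals `digest`, or None.

    Shows why the bare digest is still personal data: whoever obtains the table
    and a list of known addresses can confirm membership. With the keyed form
    the same check needs the key as well."""
    for cand in candidates:
        d = keyed_digest(cand, key) if key is not None else bare_digest(cand)
        if hmac.compare_digest(d, digest):
            return cand
    return None
```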

Tony Edey

Having to explain what you're doing with a user's data can seem scary at first, and companies may feel reluctant to change their ways by being transparent. However, a use case I can give had a web site with a standard boring line of text ("tick here if you want to receive our newsletter" or similar) and a pre-selected tick box to go with it (so it was an opt OUT mechanic). Opt in rates were around 30%, so 70% of people actively unchecked the box (and I'm reckoning it impacted their brand sentiment).

Then it got changed to the same thing only the tick box was not pre-selected (opt-IN mechanic). Opt-ins dropped to about 25%. Not a huge drop, but it all helps (or hurts!).

Then the opt-in was completely revamped to be a big colourful graphic which explained what sort of content you were opting in for, how often it was sent, how easy it was to opt out, and that (in this case) the data is not shared with anyone. Opt-ins went to 60% overnight.

Transparency engenders trust, and marketing opt-ins can benefit from this, with a little courage to change and preferably some AB testing ;)

2 months ago

Ben Davis, Deputy Editor at Econsultancy (Staff)

@Tony A fantastic example, thanks for sharing.

I wanted to also share the privacy notice users see when booking tickets at Manchester's Home cinema & theatre. I liked the granularity and the clear information about the benefits of opting-in. View it here > https://assets.econsultancy.com/images/resized/0008/7983/home_privacy-blog-flyer.png

about 1 month ago
