Curate By

  • Theme
  • Sector
  • Channel
  • Show All
X

Connect to

X

GDPR in practice – tick box consent forms

Tickboxes are our consent comfort blanket. In our roles as consumers, technology providers and marketers the tickbox lets us easily say yes or no with a simple, unambiguous click of your mouse or a tap on your screen.

Or at it should be simple. Some people still don't do this very well at all and the GDPR brings a few more rules and guidelines, so I've pulled together a quick guide telling you what you need to do to get it right.

Ticked or un-ticked boxes (Recital 25)

Under the GDPR a person gives consent

by a statement or by a clear affirmative action

“a clear affirmative action” is explained as:

This could include ticking a box when visiting an Internet website, choosing technical settings for information society services or by any other statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of their personal data

Silence, pre-ticked boxes or inactivity should therefore not constitute consent”

Wording ((Recital 39, 58))

Information relating to consent and data use needs to be

Concise, transparent, intelligible ... using clear and plain language”

 

Proof of consent (Article 7(1))

Recording the wording and the act of ticking a box should be recorded because of the requirement for marketers to be able to prove consent:

Where processing is based on consent, the controller shall be able to demonstrate that consent was given by the individual to the processing of their personal data

 

Wording or processes which are ambiguous or confusing will not satisfy GDPR consent requirements.

Data without recent consent to these standards may need to be re-permissioned or deleted.

 

Here are some examples of good and bad tick box consent forms

 

 

Example

 

Why is it good or bad?

 

 

 

 

Source:https://skyid.sky.com/signup/

Date: 21 Oct 2016

The first tickbox uses a positive action to signify agreement , while the second tickbox reverses this logic; using a positive action to signify refusal.

The wording here is confusing, going against expected practice. Asking someone to click to opt-out, especially after asking someone to click to agree, is going to mean that Sky customers who want marketing will not be on their mailing list; and those who don’t want marketing will be added to the list and will probably complain at a later date.

The ambiguity in this process will make it easy for someone to argue that they hadn’t intended to give marketing consent. 

Source: http://info.lr.org/emailpreferences

Date: 21 Oct 2016

The wording here is again going against expected practice by asking someone to click to opt-out. While not confusing like the Sky process, it's still not what is expected. While choice is good, the number of choices for seemingly similar items (all unticked; meaning they are all "selected" by default means it's just annoying when you just want one thing. And if something is annoying it's easier to just hit that nice convenient "opt-out from all" option. 

Instead, keep things simple: make it easy for people to do what they want to do; not just what you want them to do.

And if inactivity can't constitute consent, failing to opt-out does not mean consent.

Source: https://www.royalmail.com 

Date: 21 Oct 2016

When creating a personal account on RoyalMail.com the marketing consent process is again asking those registering to opt-out. Because inactivity can't constitute consent, all firms collecting data and consent in this way will be in a difficult position with the GDPR. Without consent to GDPR standards firms, like Royal Mail, will have to re-permission their marketing lists or risk losing large chunks of their marketing lists.

Source: https://tnew.theatreroyal.co.uk

Date: 21 Oct 2016

Newcastle Theatre Royal almost get it right. Yes, the layout could be better and there's a lot of choices but there's no trap: The person ticks what they want to recieve and the Theatre Royal has the "affirmative action" recorded.

Unfortunately in there postitive opt-in boxes are a couple of unsubscribe boxes. Faced with this process, where you can simultaneously tick to opt-in, tick to opt-out AND have both opt-in and unsubscribe boxes ticked at the same time, it's really not clear what's going to happen!

Source: https://www.theguardian.com

Date: 21 Oct 2016

I said I would show you how to use tick boxes properly. This is how: Just get rid of them completely.

What you need for consent is a clear affirmative action and a process which is concise, transparent, intelligible ... using clear and plain language.

Instead of tickboxes and trying to decide how to word something, all that is needed is a neat piece of design, wording which explains exactly what's happening and a a simple process, where you only add the email address if you want to sign up.

Hear more from the DMA

Please login to comment.

Comments