How to Create GDPR Compliant Consent in Web Forms
The EU’s General Data Protection Regulation (GDPR) introduces a number of new rules related to 1) capturing, 2) using, and 3) managing prospect and customer data. This post focuses on best practices for the first of these: capturing prospect information through web forms in a GDPR-compliant way.
The single most important requirement for making any web form GDPR compliant is obtaining your web site visitors’ explicit, positive consent to have their data stored and used by you, the web site owner and data controller.
Who does the GDPR apply to?
The GDPR applies to all organizations that control the personal data of EU residents or monitor the behavior of individuals within the EU, regardless of where the organization is located. The terms data controller and personal data are defined broadly: data controllers are companies that collect and hold consumer data, and personal data means “any information related to an identified or identifiable natural person.”
Stated simply, if you manage a website that captures any personal data, and there is a chance that any of your web visitors are EU citizens and/or residents, the GDPR applies to you. Luckily, making your top-of-funnel activities GDPR compliant boils down to obtaining positive consent from the users who submit their information.
Obtaining positive consent
As far as capturing information is concerned, the GDPR states that controllers must obtain consent from the data subject in order to use their information. The consent must be given explicitly by the EU citizen through a manual opt-in. Simply adding a text disclaimer with links, such as “Our company values your privacy” or “By submitting this form you agree to our terms”, is not sufficient to meet GDPR requirements. Under the GDPR, consent will most commonly be obtained by adding an acknowledgement checkbox at the end of the form. Alternatively, and because the GDPR only applies to EU citizens/residents, some controllers prefer not to front-load their forms with consent checkboxes and with what some may consider off-putting language.
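As an added example (not code from the original post or from Treasure Data), the following JavaScript shows how a form handler can treat only an explicitly ticked, unchecked-by-default checkbox as consent, reject disclaimer-only submissions, and keep a record of what the visitor agreed to; the field name `gdpr_consent`, the value `yes` and the version string are assumptions.

```javascript
// Added example: server-side check for explicit, affirmative opt-in consent.
// Field names, values and the version label are assumptions, not a standard.

const CONSENT_FIELD = "gdpr_consent";           // name of the opt-in checkbox
const CONSENT_TEXT_VERSION = "privacy-v1";      // version of the wording shown

// The form markup: the box is rendered unchecked and has no `checked` attribute,
// so the field only reaches the server when the visitor ticks it themselves.
function consentCheckboxHtml() {
  return `<label><input type="checkbox" name="${CONSENT_FIELD}" value="yes"> ` +
         `I agree that the site owner may store and use the details I submit.</label>`;
}

// Returns { ok: true, record } when consent was explicitly given,
// otherwise { ok: false, reason }.
function validateConsent(form, now = new Date()) {
  const value = form[CONSENT_FIELD];
  // An unticked HTML checkbox is simply absent from the submitted body, so a
  // missing field means no opt-in. A disclaimer such as "By submitting this
  // form you agree..." produces no field at all and therefore fails here.
  if (value === undefined) {
    return { ok: false, reason: "consent checkbox not ticked" };
  }
  // Only the exact affirmative value the form renders counts; anything else
  // (duplicate fields arriving as an array, other strings, empty values) is
  // rejected rather than silently treated as consent.
  if (value !== "yes") {
    return { ok: false, reason: `unexpected consent value: ${JSON.stringify(value)}` };
  }
  // Record of consent: what was agreed to, how, and when, kept with the lead.
  return {
    ok: true,
    record: {
      email: form.email,
      consentGiven: true,
      consentTextVersion: CONSENT_TEXT_VERSION,
      consentedAt: now.toISOString(),
      method: "checkbox-opt-in",
    },
  };
}

// Constructed sample submissions (not real visitor data).
const withConsent    = { email: "visitor@example.com", gdpr_consent: "yes" };
const disclaimerOnly = { email: "visitor@example.com" };              // no checkbox
const duplicated     = { email: "visitor@example.com", gdpr_consent: ["yes", "yes"] };
```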
A full guide is available on how to ask for positive consent, the approaches you can take when asking for it, and what to do in incomplete-consent scenarios.
Having GDPR compliant forms is only one step in achieving GDPR compliance for your organization. Treasure Data offers a number of resources that cover the areas of GDPR compliance beyond the capturing of web form data, including:
- Top 5 Marketing Considerations for the GDPR
- GDPR blog series
- The Marketer’s Guide to GDPR
- GDPR readiness with Treasure Data
- GDPR guide for Google Analytics
Interpretation of the GDPR is up to your organization. While we’ve done our homework, the GDPR is not explicit in defining the principles for compliance, and its language is difficult to interpret. We therefore advise you to consult your GDPR experts, legal counsel and the national data protection authorities in the EU.