What is consent according to GDPR?
Consent under the GDPR is an active and voluntary act by a person who, after being informed of the consequences, agrees to have his personal data processed in order to have marketing communication sent to him, or to have it otherwise analyzed. The person in question has then given his consent to his personal data being processed in accordance with the GDPR. Once this consent has been gathered, you as a marketer can start using personalization in your communication and tailor it to the customer based on what the customer data reveals about the customer’s preferences.
How to get consent?
Consent can be obtained in different ways, but most often it’s via a form in which the customer ticks a box and thereby allows the company to collect and use his personal data in different contexts. It can be useful in, for example, targeted marketing, statistics, optimization of services and more.
When is a consent valid?
In order for a consent to be valid, the following conditions must be met:
- Consent must have been given voluntarily
- Consent must be given for a specific purpose
- The reasons for the processing of the data must be clearly stated
- Consent must be informed
- Consent must be express and given by a positive action. It can be, for example, a box in an electronic form that the individual must explicitly tick or a signature in a form
- The consent must be visible and well formulated in clear and distinct language
- It must be possible to withdraw the consent and this possibility must also be explained via, for example, a link to stop subscribing at the end of an electronic newsletter.
How long is a GDPR consent valid?
If a time limit has not been specified on how long the consent lasts in connection with the person giving their consent, there is simply no time limit. However, to be on the safe side, it’s recommended to renew the consent from time to time. It may be that someone has given consent, but forgotten that he has done so or changed his mind and thus wants to take it back.
Marketing Act VS GDPR
Do you remember that the GDPR says that you need consent to process a person’s data? That is entirely true, but in Sweden we have another law that interacts with the GDPR: the Marketing Act. What does the Marketing Act mean then? It concerns how companies may market their services and how they may communicate with prospects, customers and leads.
Both laws require consent, but for different reasons:
- The Marketing Act states that you need consent to be able to communicate with prospects and leads via, for example, e-mail and SMS.
- The GDPR states that you need consent to process the personal data you collect.
But does that mean you have to collect two separate consents? Depending on the situation, you almost always need only one consent. If you formulate your offer clearly enough, you can kill two birds with one stone and get approval for both parts.
Consent must always be active, voluntary and individual. This is not the case when there is a pre-checked box.
Consent GDPR example
Consent for newsletters & communication in E-commerce: GDPR newsletter consent
Below you see a typical “consent GDPR example” of what such a wording might look like. In the example above to the right, you can see that the box “I also want to receive the newsletter” is not pre-checked. By checking this box, you give an active consent to the e-merchant to send you newsletters, completely in accordance with GDPR.
GDPR discount codes - continued communication
Discount codes: Another common situation that many people wonder about is discount codes and what applies to continued communication after someone has left their e-mail address. Above are two examples of a popup that gives away a discount code of 20% for those who make their first purchase. In the example on the left, you must provide your name and e-mail address to receive the discount code. Since the text only focuses on giving away a discount code, there is nothing that gives permission to send marketing communications. If this were your e-commerce and your popup, you would just give away the discount code but nothing more.
In order for you to be allowed to send marketing communication, it must look like the example on the right. As you can see, it’s a completely different wording, and there is a checkbox with text that explains what the conditions are.
Instead of just saying “Get a 20% discount on your first purchase” it says: “Subscribe to the newsletter and get a 20% discount on your first purchase”
Example of consent for communication in B2B:
Below, two examples of a popup are shown again, and here we give away an e-book about e-mail marketing. If you use the example on the left and the visitor fills in their information, we have permission to process their information in order to send out the e-book, but we don’t have permission to send newsletters or any other communication.
Examples of consent for communication for publishers:
Many publishers and online magazines use “Paywalls” or “Content locks” to restrict which articles different users are allowed to read. Some want you to be sent to a payment form, and some just want you to pay with your email address.
But if it looks like the example above on the left, where you only need to leave your e-mail address to unlock the article, then you must not send out any digital communication to the person who leaves their e-mail address.
PS. There are many free templates for consent agreements for handling personal data on the internet that you can use as they are or as a starting point.
When do I need a checkbox for consent?
Whether you need a checkbox or not depends entirely on the situation and how your offer is designed. On a checkout page, for example, a newsletter is not particularly relevant for fulfilling the agreement to deliver a product, so active consent is required for sending a newsletter or other digital communication.
What your company needs to keep in mind when it comes to consent:
- Document – Document all the consents you collect!
- Voluntary – Ensure that consent is given voluntarily. So no pre-checked boxes!
- The right to be forgotten – Make sure you can delete all data from the people you have in your database.
- Personal data controller – Appoint a personal data controller who is responsible for ensuring that the personal data collection and processing takes place in a correct and legal manner.
Consent GDPR template
It can be difficult to know what a consent should contain and what should be included in a GDPR approval text. Fortunately, there are many examples of how to write a GDPR consent. A simple Google search for “consent template” gives you many examples of what a GDPR consent should look like and what must be included in it.
Some of the things that must be included in a consent agreement are:
- who requests consent, who you are
- which type of personal data you intend to process
- for which purpose or purposes you want to use the personal data, describe each one
- it must be clear that it’s possible to withdraw the consent
Do you have a consent according to GDPR?
It’s important to keep track of the legislation on GDPR and what applies when you have to handle customers’ and visitors’ personal data. Consent is something that is easy to get, but can cost you a lot as a company if you forget to ask. If you want to ensure that you have everything in place, we have created a GDPR checklist that you can use as a starting point. There is also more to read about GDPR for companies, where we have gathered all the info about what you as an entrepreneur should keep in mind when handling data.