The EU's General Data Protection Regulation (GDPR) has many companies scrambling to understand the fine points of consent and how it applies to the requirements of the regulation. Organizations know that consent collection is important, but most of their focus is on the science of it. They look at the procedures and processes required to get this information from consumers, but it's a very technical point of view. Essentially, they just check a box to hit the basic requirements for compliance.
The art of GDPR consent collection is equally important. You need more than a way for consumers to check the right boxes so you can collect, store, and use their data. You should learn how to make people WANT to opt in. By adding preferences to consent collection, customers can be more specific in what they're willing to consent to. There is a perceived added value to the content and communications that they're consenting to receive. You get to build your relationship from a place of trust with the customer.
The GDPR has a range of requirements for a person's consent to be considered valid and applicable to the given situation. Since GDPR compliance is relatively new for many companies (it only went into effect last year), there's a lot of confusion and ambiguity that surrounds the question of consent. Here's the exact definition of consent given in the regulation:
"‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."
These consent requirements form the foundation of the GDPR, but you have other factors to consider as well. When someone gives consent, it should be voluntary. The person using the website or service should have an actual choice in whether they can grant consent, and there shouldn't be either pressure or influence pushing them into this decision. Imbalances between the data controller and the data subject can call consent into question, since saying "no" to consent could have far-reaching negative consequences for the person on the lower end of the power imbalance. For example, when providing consent is the only way to view a website, the data subject is “agreeing” to view it, but didn’t really have a choice.
Consent is expressly given, so failing to respond to a request to consent, having pre-ticked boxes or remaining inactive on the matter does not constitute legal consent under the GDPR. You either need to get a statement of consent or the individual must take a clear action to indicate it. Implied consent is not permitted.
Another part of understanding GDPR consent is that it must be informed and specific. You need to let the data subject know the identity of your company, the type of data that you're collecting, the way that you intend to use it and the purpose of your processing activities. If part of these activities includes automated decision-making, then that's another area that you need to be explicit about with the individual. It's also important to cover the safeguards that you have in place to protect the data and the potential data transfer risks.
Under GDPR, you must offer the right to withdraw consent at any time. You can't make it difficult to remove consent.
The exact form of affirmative consent varies depending on many factors, and there's no uniform process required. As long as you're following the GDPR guidelines for consent, then you are covered.
Now that you know the conditions for consent under GDPR, it's time to convince individuals that they are getting added value out of providing their consent to your organization. In most cases, people encounter long forms filled with endless bits of legalese that are hard to understand and read through. Usually you find these processes focus on the science side of GDPR consent. They come from lawyers and compliance departments that are solely focused on meeting all of the legal requirements. These teams don't typically deal with the customer experience, so making it accessible and approachable hasn't crossed their minds.
By embracing the art of consent collection, you're starting a conversation with individuals and gaining new customer insights. You have more chances to identify opportunities to engage with your audience and learn more about the way they think about data collection/handling and your brand. You look beyond the letter of the law and find ways to encompass the spirit as well.
Consumers are tired of companies that do whatever they want with their data and put their personal identities and privacy at risk because of it. Advertising and marketing efforts that are "too" personalized can lead to uncomfortable consumers who feel tracked across the Internet. They want to see brands that respect their online privacy and data, and are willing to offer value in exchange for content. The incentive has to be there to get consumers on board with offering consent, especially when they have the power to say "no" without drastically changing the user experience.
Enhance your consent collection by offering customer preferences in the process. Your customers get to customize the way that your company engages with them, whether it's only collecting certain types of data, offering one email per week, or sending content from the categories they’ve specified. You give them full power over the process, which makes the experience a lot different than it is at many brands. You stand out with this added value, which can lead to a competitive advantage through these trusting relationships.
Many companies try to collect consent all in one go. The result is that an individual has to read through giant walls of text or check multiple boxes when they first get to a website. It's overwhelming and can lead to people going elsewhere instead. There's no rule that says you have to present every consent check the first time they come to your website or encounter your brand.
Collect consent on the spot when it makes the most sense. You add context to the situation and make it clear what they're consenting to.
Depending on the complexity of the terms that they agree to, people may not understand what they agree to at first. If a customer wants to withdraw their consent due to a lack of understanding later on, you can put a process in place that allows them to adjust their consent preferences rather than withdrawing it altogether. They get to choose the areas that they're still comfortable with, and you help the customer feel heard and valued.
Proactively evaluate whether your customers are engaging with the communications that they consent to. They may not want to receive emails, for example, but they're not motivated enough to hit unsubscribe. You can present different channel options to better meet their preferences rather than losing the ability to contact them at all. Reaching out in this manner also puts your brand back on the customer's radar, in a good way.
Your consent needs are much different from those of a company in a completely different industry. If you try to rely on a universal process for acquiring GDPR consent, you're going to miss out on opportunities and fail to provide a high-quality customer experience. One of the best ways to customize consent collection to your organization is to identify use cases that commonly occur. You can build your processes around what's actually happening, rather than theoretical situations that never apply to your customers.
The customer experience is everything in today's business world, and consent in data collection plays an important role in the way that you engage with your audience. By looking past the science of consent requirements and understanding the art of it, you can meet customers in a mutually beneficial way.