The day of reckoning for GDPR (General Data Protection Regulation – a new EU privacy regulation designed to more rigorously protect users’ data), 25th May, is now less than a month away.

You may well already be aware of this fact thanks to the steadily increasing hysteria among the marketing, data-collecting and online-business-owning communities as they frantically scramble to bring their privacy policies in line with the new regulation.

GDPR requires that organisations have a “lawful basis” for processing data, which can be demonstrated in a number of different ways. It’s up to them to decide which basis is the most appropriate for their situation and business model.

One such basis is consent, which in the words of the Information Commissioner’s Office (ICO), “requires a positive opt-in. Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation.”

As you might imagine, persuading users to actively consent to having their data used for marketing purposes is much easier said than done, and digital marketing has historically relied on a lot of methods that only have a very vague, passing relationship with the idea of consent.

Still, under GDPR, companies now need to at least give users the chance to consent to their details being used for marketing and other purposes, put them in charge of how those details are used and allow them the option to withdraw if they so choose.

Let’s look at six strong examples of this, from companies who’ve created great opt-in forms for obtaining their users’ consent under GDPR.

The Guardian

The Guardian is one of the first companies that I became aware was updating its regulations to comply with GDPR. The UK publisher has been proactive in reaching out to its users, via a banner while they’re logged in to the site and through emails, to encourage them to resubscribe to the communications they want to continue receiving.

A screencap of the GDPR opt-in form from The Guardian, which has sections for communications about Guardian products and services, SMS updates, and other methods of getting in touch. Each type of communication that can be opted into (or out of) is accompanied by an individual checkbox. At the very top is a box labelled Select All.

The Guardian’s opt-in form clearly ticks a number of boxes (har har) on the positive consent front. Consent to marketing communications is separated out from consent to the site’s overall Terms and Conditions, and users are required to proactively opt in to different types of product communications they want to receive, by email and/or SMS.

The form also links to a clear explanatory page, with an informational video and an FAQ, to educate users about the context for these changes.

The Guardian’s GDPR opt-in form scores high on what’s known as “granular consent”, which as the ICO explains, requires obtaining separate consent for separate things, not “vague or blanket consent.”

It falls down, however, on the last two boxes, which require users to actively opt out of receiving communications by phone and post. As previously mentioned, consent under GDPR requires a positive opt-in from users, without using “pre-ticked boxes or any other method of default consent” (per the ICO). You were doing so well, Guardian!

Royal Society for the Protection of Birds (RSPB)

Our very own Christopher Ratcliff’s recent interview with Friends of the Earth about UX testing for GDPR highlighted how tricky GDPR can be for charities. Unlike ecommerce websites and other for-profit businesses, charities lack incentives (like discounts) that they can use to lure people into giving consent, but still have just as much need to grow their contact database.

Charities are in various states of preparation for GDPR, but one of the organisations setting a strong example is the RSPB. The charity has been reaching out to its existing supporters to encourage them to opt in to communications from the RSPB, and published a blog post in December which explained its reasons for doing so.

A screencap of the RSPB GDPR opt-in form, which is headed by the words 'Let's keep in touch - on your terms'. The form prominently displays four methods of communication: post, phone, email and text, with a tick and a cross for opting into or out of each one. A link to the charity's privacy policy appears at the end of two paragraphs of fine print

The RSPB’s opt-in form separates out the different modes of marketing communication, with an unambiguous tick or a cross for opting into and out of each one. At the same time, users are able to view and edit the contact details that the RSPB currently holds on them.

The RSPB also features a link to its privacy policy (albeit not prominently) and lets members know how they can update their details in future if they change their mind.

Future Content

This example from Future Content is a GDPR opt-in form in the most literal sense – a form that opts the user in to receiving a whitepaper on GDPR.

It stands to reason that the form would be GDPR compliant (or people would rightfully be sceptical of the whitepaper), but it still serves as a good example of how to make a simple sign-up form compliant with GDPR.

A vibrantly-coloured opt-in form for downloading a whitepaper entitled 'GDPR Guide: Email Marketing Consent for B2B Businesses'. The main section is blue, while the bottom section is purple, and contains fine print in black text that is a little hard to read against the background

The form is clear and up-front about how users’ information will be used, with a prominently-featured link to Future Content’s privacy policy.

The fine print also satisfies two other important conditions of consent under GDPR, by informing users that they can unsubscribe from communications (which is key to being able to withdraw consent) and giving details of any third parties who might access the data (in this case, none).

The colours are also fun, although the colour contrast leaves something to be desired on the accessibility front…

Sainsbury’s

Sainsbury’s has been featured in multiple places as a strong example of GDPR best practices: by Zettasphere’s Tim Watson in an article focusing on GDPR consent and opt-in, and by Econsultancy’s Ben Davis as an example of best practice UX for obtaining marketing consent.

This is well-deserved. Sainsbury’s sign-up form experience is straightforward and clear; where the form asks for extra personal details, such as a phone number and Nectar Card number, it explains why the company needs them (though the Nectar Card one is admittedly a bit of a given).

A partial screencap of the Sainsbury's account sign-up form with input fields for a phone number and Nectar card number. Each is accompanied by an explanation of why Sainsbury's needs to collect that piece of data

Sainsbury’s also clearly separates out consent to its Terms & Conditions from consent to receiving marketing communications.

These communications are strictly opt-in, with no boxes checked by default, though as Ben Davis points out in his piece, the fact that all of the different communication channels (email, post, SMS, phone and “other electronic means”) are lumped in together is less than ideal, losing Sainsbury’s some points on the granular consent front.

A partial screencap of the Sainsbury's account sign-up form which has a check-box for agreeing to the supermarket's terms and conditions, and two radio buttons for opting into or out of marketing communications. A red box highlights the fact that the marketing communications opt-in encompasses 'email, post, SMS, phone and other electronic means' all at once

Clas Ohlson

Swedish hardware retailer Clas Ohlson is another good example of how to proactively obtain your customers’ consent under GDPR.

In addition to emailing its customers about the new regulation, the company makes its consent form easy to access at any time within users’ profile settings, under a clearly-marked ‘My Consent’ tab.

A screencap of the GDPR consent form from Clas Ohlson. One section, labelled 'Select communication channels', has three checkboxes for SMS, email and postal communications. Email and postal are pre-ticked. The next section, labelled 'Approve and save', has a link to the retailer's full terms and privacy policy, with a checkbox underneath it. Below that is the statement of consent to personalised marketing communications, followed by another checkbox, followed by a statement of agreement to the retailer's updated terms and conditions for registered online customers

There are separate checkboxes for opting into or out of email, SMS and postal communication, though email and postal communication are initially opted in by default – plus points for granular consent, and minus points for not obtaining positive consent for all channels.

Agreement to the website’s Terms of Service is clearly separated out from giving consent to receive marketing communications based on your purchasing habits, and Clas Ohlson makes sure this statement of consent is as fully-worded as possible, complete with information on how to withdraw.

However, the layout of the form is potentially misleading, with a link to the Terms of Service and Privacy Policy appearing above the marketing communications checkbox – which could lead to some users opting in to marketing communications when they meant to consent to the ToS.
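The rules this article keeps returning to (a positive, unticked opt-in for each channel; granular rather than blanket consent; acceptance of the terms kept separate from marketing consent; and a way to withdraw, as noted for Future Content and Clas Ohlson) can be enforced in code rather than left to whoever builds the form. The following Python is an added example written for this page, not code from any of the companies reviewed; the checkbox model, field names such as marketing_email, and the three sample forms are constructed assumptions modelled on the patterns described above.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Marketing channels that each need their own, separate consent (granular consent).
CHANNELS = ("email", "sms", "post", "phone")


@dataclass
class FormCheckbox:
    """One checkbox as rendered on the sign-up form (hypothetical model)."""
    name: str
    channels: List[str]        # marketing channels this box covers; [] for a non-marketing box
    checked_by_default: bool   # True means the box is pre-ticked when the page loads


def validate_form(boxes: List[FormCheckbox]) -> List[str]:
    """Check a form definition against the consent rules quoted in the article.
    Returns human-readable problems; an empty list means the form passes."""
    problems: List[str] = []
    if len([b for b in boxes if b.name == "terms"]) != 1:
        problems.append("terms: expected exactly one terms-and-conditions box")
    for b in boxes:
        if b.name == "terms" and b.channels:
            # Consent to the T&Cs must not be bundled with marketing consent.
            problems.append("terms: bundles marketing consent with terms acceptance")
        if len(b.channels) > 1:
            # One box for several channels is blanket, not granular, consent.
            problems.append(f"{b.name}: bundles {', '.join(b.channels)} (not granular)")
        if b.channels and b.checked_by_default:
            # A pre-ticked marketing box is default consent, not a positive opt-in.
            problems.append(f"{b.name}: pre-ticked (no positive opt-in)")
        for ch in b.channels:
            if ch not in CHANNELS:
                problems.append(f"{b.name}: unknown channel {ch!r}")
    return problems


@dataclass
class ChannelConsent:
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


@dataclass
class ConsentRecord:
    user_id: str
    accepted_terms: bool                                   # kept apart from marketing consent
    channels: Dict[str, ChannelConsent] = field(default_factory=dict)

    def may_contact(self, channel: str) -> bool:
        """True only if the user positively opted in to this channel and has not withdrawn."""
        c = self.channels.get(channel)
        return c is not None and c.active


def record_submission(user_id: str, submitted: Dict[str, bool],
                      now: Optional[datetime] = None) -> ConsentRecord:
    """Build a consent record from the boxes the user actually ticked.
    `submitted` maps field name -> bool (already parsed from the request).
    A channel missing from the submission is treated as NOT consented."""
    now = now or datetime.now(timezone.utc)
    record = ConsentRecord(user_id=user_id, accepted_terms=submitted.get("terms") is True)
    for ch in CHANNELS:
        if submitted.get(f"marketing_{ch}") is True:
            record.channels[ch] = ChannelConsent(granted_at=now)
    return record


def withdraw(record: ConsentRecord, channel: str,
             now: Optional[datetime] = None) -> bool:
    """Withdraw consent for one channel, keeping the original grant as an audit trail.
    Returns False if there was no active consent to withdraw."""
    c = record.channels.get(channel)
    if c is None or not c.active:
        return False
    c.withdrawn_at = now or datetime.now(timezone.utc)
    return True


# Constructed form definitions modelled on the patterns the article describes.
FORM_GRANULAR = [  # one unticked box per channel, T&Cs separate: passes
    FormCheckbox("terms", [], False),
    FormCheckbox("marketing_email", ["email"], False),
    FormCheckbox("marketing_sms", ["sms"], False),
    FormCheckbox("marketing_post", ["post"], False),
    FormCheckbox("marketing_phone", ["phone"], False),
]
FORM_OPT_OUT_PHONE_POST = [  # granular, but phone and post require opting out
    FormCheckbox("terms", [], False),
    FormCheckbox("marketing_email", ["email"], False),
    FormCheckbox("marketing_sms", ["sms"], False),
    FormCheckbox("marketing_post", ["post"], True),
    FormCheckbox("marketing_phone", ["phone"], True),
]
FORM_BUNDLED = [  # nothing pre-ticked, but one box covers every channel
    FormCheckbox("terms", [], False),
    FormCheckbox("marketing_all", ["email", "post", "sms", "phone"], False),
]
```

Running validate_form over the three sample forms reports nothing for FORM_GRANULAR, two pre-ticked boxes for FORM_OPT_OUT_PHONE_POST and one bundling problem for FORM_BUNDLED. On the server side, record_submission never infers consent from a missing field, so a channel the user did not tick stays off even if the rendered page happened to pre-tick it, and withdraw leaves the original grant timestamp in place so the record shows both when consent was given and when it was taken away.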

Information Commissioner’s Office (ICO)

I’ve quoted the ICO’s guidelines on GDPR a number of times in this article, and given the amount of guidance and best practices the ICO has published on GDPR, you would expect it to be compliant with the regulation.

However, it never hurts to check that privacy organisations are indeed practising what they preach.

The ICO’s e-newsletter sign-up form is plain and functional, with no frills attached. Aside from the most basic information required for an electronic newsletter, the form has two additional fields, ‘Organisation’ and ‘Region’, neither of which are compulsory.

A functional, grey web form with a set of input fields for personal data, and an anti-spam CAPTCHA field. Between the input fields and the CAPTCHA is a statement detailing the ICO's use of a third-party provider, Adestra, to deliver its monthly e-newsletter. It also details the use of clear gifs to gather statistics around email opening and clicks in order to monitor and improve the e-newsletter

Like Future Content, the ICO also explains clearly to what extent third parties are involved in handling the information, what data it collects and tracks, and why. It also links to the ICO’s Privacy Notice, which contains accessible explanations of GDPR and the data that the ICO collects under various circumstances.


Main image by Julian Lozano