This blog and checklist are part of our GDPR health check “Road to the GDPR.” In part two of the test, we cover the registration text. If you have not completed the test yet, you should do so first and then come back to read the background information in this blog.
What is the registration text and where should you show it?
The registration text is the text that people consent to when they submit their personal information. You will then process this information based on permission. You show this text and your permission request on the page where people enter their personal information: this is part of your information requirement and an important aspect of valid permission. It is important to note that, under the GDPR, permission must be a “freely given, specific, informed and unequivocal expression of will” that requires an active action. Among other things, that means that you must draw up a clear text in simple terms that any subscriber can understand. Furthermore, subscribers must be free to decide whether or not to give you their permission and they must know exactly what they are giving permission for and, therefore, which information you will be using for what purpose. Finally, you must inform them where they can find more information, and their giving you permission must be an active action.
Linking the burden of proof to your registration text
When you process personal information based on permission, you must be able to prove that you received this permission. We recommend linking the burden of proof under the GDPR to your registration text via the confirmation e-mail (in other words, using a confirmed/double opt-in process). The GDPR does not require you to use a double opt-in process to meet your burden of proof, although it does make your work as a marketer easier because it gives you the proof you need and allows you to verify the email address your subscriber entered. Via your email platform – such as Webpower – you can then use the GDPR Version Manager to show when someone gave you their permission and what they gave permission for. Finally, legal experts recommend playing it safe to eliminate any doubt, for example about whether you have received the right email address.
Things to keep in mind
Storing your registration text and the permission you receive
In light of your burden of proof, you should store your registration text and the permission you receive from subscribers. To do so, you should first make sure that you have drawn up a GDPR-proof registration text. Go over the checklist below and make sure that every element is included in your registration text and permission request.
Clarification checklist GDPR-proof registration text
Did you go through the checklist or do you need some more help? Below, we will go over each point again with an example:
- You explain who will be sending the messages (you, a third party, a different company/holding);
For example, “Webpower”
- You explain what information you will use, what the messages will be about and whether you will, for example, personalise the content based on subscribers’ behaviour;
For example, “We will only use your name and email address to send you our newsletter on the latest Webpower products, services and offers. We personalize our communication to make it as relevant as possible for you.”
- You explain the channel you will use to send your messages;
For example, “via email”.
- You explain how often you will send your messages;
For example, “Once a week.”
- You ask for separate permission for each specific purpose for which you plan to use the personal information;
If you want to send your subscribers commercial messages in addition to informative mailings, you must ask for separate permission for this purpose.
- You make sure to have proof of the permission that subscribers give you. You should also save the registration text that people consented to;
One way to do this is with our GDPR version manager and our GDPR easy consent manager.
- You make sure that it is just as easy for subscribers to revoke their permission as it was to give it. You therefore include an opt-out option in every message you send;
Include an opt-out link (hyperlink) at the end of every message, e.g. “Unsubscribe (direct link) from our newsletter.”
- Note: if your audience consists of people under the age of 16 or if you process special personal information, there are additional requirements you have to meet!
For example, you need “explicit” permission to process special personal information. This means that the person in question must explicitly express their will to give you permission. It must be unequivocally clear that someone gave you permission with a certain action. For minors, you will need permission from a parent instead of the minor themselves. It is your responsibility to verify one way or another that the person giving you permission was actually a parent, not the minor posing as one of their parents.
Nice to have:
We recommend linking the burden of proof under the GDPR to your registration text via the confirmation email (in other words, using a confirmed/double opt-in process). The GDPR does not require you to use a double opt-in process to meet your burden of proof, although it does make your work as a marketer easier because it gives you the proof you need and allows you to verify the email address your subscriber entered.
What about your clients?
Your clients will still have to consent to receiving your newsletters. Otherwise, you will not have valid permission to send these people your messages. At the moment, you can still use a pre-checked checkbox at the end of an order process (when someone is about to become your client). Note that this will no longer be allowed under the GDPR.
Historical registration text
The aforementioned also applies to the database that you created in the past. If you received permission that also meets the stricter requirements of the GDPR (and if you can prove that you received this permission), you do not have to ask for permission a second time. You should therefore determine the extent to which your organisation processes personal information based on permission and find out whether you can prove that you received this permission and that your permission request meets the requirements of the GDPR. If that is not the case (or if you cannot prove that it is), you will have to acquire valid permission somehow, e.g. via a reactivation campaign. To make this easier, Webpower developed the GDPR Easy Consent Manager. You can read more about it here.
GDPR compliant with Webpower
Under the GDPR (which will enter into effect on May 25th, 2018), you will have to be able to demonstrate how permission was obtained and exactly what that permission pertains to. This applies to new registrants, but also applies retroactively to your existing database. Thankfully, Webpower has developed the GDPR Version Manager and the GDPR Easy Consent Manager, which will ensure that all of your email marketing from now on is fully GDPR-compliant.
It is important to us to handle the new privacy legislation correctly. The contents of this blog have therefore been verified by ICTRecht. We provide this information to you so you can gain a better understanding of what the GDPR can mean to marketers. The purpose of this blog article is to share knowledge and it should not be viewed as official legal advice. In reading this article, you safeguard Webpower, ICTRecht and the author against any legal implications. We recommend always consulting a legal adviser before implementing any GDPR-related measures in your organisation.