If you are using forms on your website to gather information from people, then there is a clear need to gather their consent to do so. The fact that the form is filled in by the subject is no longer deemed to be consent in and of itself. The GDPR now makes it necessary for the data subject to take a clear affirmative action (such as ticking a box) to indicate that they understand that their data is being given for a set purpose.
A Separate Consent For Everything
Where you have a standard contact form that collects just basic information, such as the subject's name, email address and their query, it is advisable to also include a mandatory tick box. This tick box should indicate that, by filling in the form, the subject understands that their details are being collected for the purpose of answering that query. If you also wish to use the information provided by the subject for another purpose, for example to add them to your mailing list, then a separate tick box is required for that, showing that they agree to this as well.
Each and every form that appears on your website must have these consent tick boxes added to it in a clear and unambiguous way, stating clearly what the person is giving their information for. For this reason it would be advisable to have separate forms for different purposes, for example one for general enquiries and a completely separate one for your mailing lists.
As mentioned in my post on Cookie Control, Article 4 of the GDPR gives some insight on this:
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
While it is still allowed to incentivise the gathering of this information (such as giving discounts if they agree to be added to your mailing list), it is not permissible to punish them in any way for withholding consent (like not selling them something because they don't join your list).
In essence the data subject needs to:
- be informed of every purpose for which you intend to use their details
- freely and knowingly give consent for every purpose you wish to use their details for
Disclaimer: GDPR is a serious topic and can have financial & legal ramifications for business owners that do not correctly comply. As I am not a legal professional, I make no claim that this article or subsequent articles definitively cover everything that website owners should know. As such, I would highly recommend that you do further research on the topic and seek legal advice should you deem it necessary. You should not rely on the contents of this article as legal proof of anything, and I accept no responsibility or liability for its accuracy.