Customer data: Best practice for obtaining consent 

24th Mar 2016

Part of the mandate for the General Data Protection Regulation (GDPR) is to encourage a more transparent, value-driven approach to the data exchange between business and consumer. 

However, at present, brands are often left confused about whether their approach complies with current regulations, and crucially, whether they will comply with the impending rules due to be finalised for GDPR. Indeed, some businesses still struggle with the current opt-out and opt-in status for consent across different marketing channels, which has led to the Information Commissioner's Office handing out huge fines in recent times.

Just to recap, here's the current compliance for opting-in or out of non-web channels, as provided by the ICO:

Opt in or out  
The question many businesses are now having to ask is whether solely being compliant is really enough, in  the eyes of the customer.

Beyond regulation?

Although compliance is paramount and a topic that we'll be covering in relation to GDPR in later chapters of this guide, this arguably detracts from the real debate around data consent: what should be considered ‘best practice’, and what degree of control is handed to the customer, especially via the web.    

As previously stated by MyCustomer.com, almost half (48%) of consumers are now suspicious about how companies use their data, with the figure increasing year-on-year as data security breaches become more frequent and of greater interest to the wider public. Many experts, including Zach Thornton, external affairs executive for the Direct Marketing Association (DMA), believe simply adhering to the opt-in or opt-out regulations for data is likely to be deemed the bare minimum in the near future:

“We’ve seen with the charity scandal in the UK – if you’re not upfront with customers or donors and you don’t explain how you’re using data, there’s a backlash eventually. If you can’t explain to people what you’re doing, you’re probably doing something that they don’t like, and eroding trust. 

“If you want to flip this around - consumers have trust when they enter into most transactions and they want to do business. Companies offer products and services they may want. Being transparent is the best way to make a transaction, and transparency requires more communication than just a tick box to opt a customer out of you using their data.” 

And Dene Walsh, operations and compliance director for Verso Group, argues that many brands have often failed to acknowledge how much they value their customer’s data with the customer themselves.   

“Until now consent has been primarily about terms and conditions rather than explaining a wish to have a valued conversation. Many struggle with simply cutting and pasting standard opt-in terms onto web pages or paper forms. Some of the biggest UK brands have been warned by the ICO for getting this wrong. Selling consumers on the value of creating dialogue during the consent process is a rare skill. 

“The reality is that there may be beautifully crafted descriptions of why brands or retailers wish to have dialogue with customers elsewhere in the marketing process, but most are on a steep learning curve when it comes to asking the vitally important consent question." 

A better way? 

So which brands currently do data consent policies well? Thornton states it is those that have already taken data transparency to a new level regardless of GDPR, and, as Walsh earlier explained, have recognised the need to be more communicative with their customers about how they use their data and the value both parties can glean as a result.

"The best brands are those that explain in layman's terms what they're doing from the outset, with the legal stuff embedded behind. The text is legible, and designed for every demographic of customer they have.

"A good example is – if you were an app on a smartphone and your target audience is, say, 16 year olds, well they’d need to be able to understand your data policy. You’d have to write things in very plain English. It’s a tricky thing and a genuine skill – a technical challenge to be able to show that information without bamboozling the customer.

"But beyond that, it's also about choice. Making it clear that a customer can choose to not have their data used for certain practices, and letting them decide what is and isn't OK."

The Guardian

Given the Guardian's editorial stance on data privacy, it was always going to need to have a data policy of its own that pushed beyond the boundaries of simple compliance. 

"What the Guardian is explicitly explaining is that, 'if you do it will make things better for y reasons, but equally you haven’t got to do that', which is clear" says Thornton. "You have complete control over the data you share. If you don’t want to share your email address, go online and click a button and your email address is taken away and advertisers don’t have access.

"That’s the pinnacle of transparency – putting the ball completely in the consumer’s court and saying ‘this is why we need your data’ and it does ‘x and y’ but you’re more than welcome to opt out."

And where The Guardian has excelled is in the method it chooses to communicate its consent policy to its audience (click image):

Guardian video

"The ICO calls this type of messaging a 'blended approach'," says Georgina Graham, an associate and data privacy expert for international legal firm, Osborne Clarke. "It's this type of innovation - including things like just-in-time notifications, icons, symbols, videos and privacy dashboards - that are most likely to resonate with people as they're methods for breaking up the heavyweight privacy text."  


While the Guardian may offer its customers clear messaging, an example of Thornton's last point about 'choice' is perhaps better highlighted by telecoms giant, O2, which offers its customers the ability to pick and choose exactly what is and isn't used via its customer 'MyO2' privacy dashboard, with a sliding scale for how much communication they want to receive (click image).

O2 data policy

Offering customers the ability to opt-in or out (depending on compliance) of every aspect of communication with a business is a bold step, but one that will become more and more prevalent amongst brands as GDPR pushes Privacy by Design to the fore.      


Of course, it's the world of advertising where many consumers are revolting against brands using data without proper consent.

Ad blocking technology is putting pressure on advertisers to improve their media strategies and give consumers fitting and well-timed messages that they actually welcome. There are said to be roughly 198 million active adblocking accounts across the globe, and the rise has led to a number of companies rethinking how a customer's data can be better managed, handing back control. 

According to a recent Forrester report, AVG is currently one of the most forward-thinking in this realm, with its PrivacyFix dashboard offering a far easier route to controlling cookies, adblocks and other data sharing devices that require consent online.  


And even Google has had to redesign its privacy policy to put clearer, more concise information about data consent front-of-house:


"You’ve still got to go further and the GDPR will make companies go further," Thornton adds. "The information you’ll need to display in your privacy notices is sizeable. But too often this is left with legal and privacy guys. The regulations are trying to bring this out of the shadows and make this a transparency thing rather than a legal thing.  

"The benefits are massive. In terms of your marketing it makes absolute sense to have an up to date database where the marketing you send out is being sent to people that want it. Ultimately though, you have to think - if people aren’t going to buy your products, why waste time keeping them on your database?"

*Since going to press, AVG's PrivacyFix has been discontinued. More information here


Replies (3)

Please login or register to join the discussion.

By kierahawkins
03rd May 2016 08:31

Really nice post, really informative and helpful!

Thanks (1)
By Richard P
21st Jun 2016 08:51

Great article Chris.

Just a quick heads-up for your readers that the PrivacyFix service has been discontinued, which is a shame as it was a great tool. For anyone who was thinking of using PrivacyFix or who was using it there are still a number of steps you can take to keep your privacy protected:

- Adjust your Facebook privacy and security settings. These are under a few different places and there are a lot of different settings. It’s worth looking at all of these but for anyone thinking this sounds like too much work I’d urge you to look at, at lease these two: 1.Click the padlock in the top right corner should give you access to Facebook’s privacy check-up. Under ‘who can see my stuff’ you can limit this to just your friends, or even just yourself. 2. Under the ‘security’ link on the left hand side, go to login approvals. You can add your phone number here so that whenever you login from a new device two-step authentication is required, meaning you will be texted a code you will need to enter.

- Set up two-step authentication in Google. Once logged in to Google, you can find this under ‘sign-in & security’ where you can add your phone number and a recovery email.

- Stopping tracking was a great feature of PrivacyFix. Luckily there are some other apps that do this. I’d recommend installing the browser extension Disconnect, which does a good job of stopping most websites from tracking you.

Thanks (1)
By Cognitive Research
05th Sep 2017 11:21

Good post, I have been looking at a product called Consentua which allows you to build consent in the language most appropriate to the industry that you are in. I am looking at hospitality and wondered if you would phrase the consent around how the data is going to be used. I am trying to come up with maybe three or five questions that would be good examples in say a hotel setting.

(1)I consent to my life time conversations gathered by voice, email, social media, mobile or SMS interaction be used to better understand my travel and hotel accommodation preferences.
(2)I consent to XX brand holding my home address, business address, passport number, driver license number, credit card details one record to speed ‘check in ‘only

It might be too granular for GDPR or not even relevant, any comments while I go look at the Guardian data.

Thanks (0)