Customer data: Best practice for obtaining consent 

Part of the mandate for the General Data Protection Regulation (GDPR) is to encourage a more transparent, value-driven approach to the data exchange between business and consumer. 

However, at present, brands are often left confused about whether their approach complies with current regulations, and crucially, whether they will comply with the impending rules due to be finalised for GDPR. Indeed, some businesses still struggle with the current opt-out and opt-in status for consent across different marketing channels, which has led to the Information Commissioner's Office handing out huge fines in recent times.

Just to recap, here's the current compliance for opting-in or out of non-web channels, as provided by the ICO:

  
The question many businesses are now having to ask is whether solely being compliant is really enough, in  the eyes of the customer.

Beyond regulation?

Although compliance is paramount and a topic that we'll be covering in relation to GDPR in later chapters of this guide, this arguably detracts from the real debate around data consent: what should be considered ‘best practice’, and what degree of control is handed to the customer, especially via the web.    

As previously stated by MyCustomer.com, almost half (48%) of consumers are now suspicious about how companies use their data, with the figure increasing year-on-year as data security breaches become more frequent and of greater interest to the wider public. Many experts, including Zach Thornton, external affairs executive for the Direct Marketing Association (DMA), believe simply adhering to the opt-in or opt-out regulations for data is likely to be deemed the bare minimum in the near future:

“We’ve seen with the charity scandal in the UK – if you’re not upfront with customers or donors and you don’t explain how you’re using data, there’s a backlash eventually. If you can’t explain to people what you’re doing, you’re probably doing something that they don’t like, and eroding trust. 

“If you want to flip this around - consumers have trust when they enter into most transactions and they want to do business. Companies offer products and services they may want. Being transparent is the best way to make a transaction, and transparency requires more communication than just a tick box to opt a customer out of you using their data.” 

And Dene Walsh, operations and compliance director for Verso Group, argues that many brands have often failed to acknowledge how much they value their customer’s data with the customer themselves.   

“Until now consent has been primarily about terms and conditions rather than explaining a wish to have a valued conversation. Many struggle with simply cutting and pasting standard opt-in terms onto web pages or paper forms. Some of the biggest UK brands have been warned by the ICO for getting this wrong. Selling consumers on the value of creating dialogue during the consent process is a rare skill. 

“The reality is that there may be beautifully crafted descriptions of why brands or retailers wish to have dialogue with customers elsewhere in the marketing process, but most are on a steep learning curve when it comes to asking the vitally important consent question." 

A better way? 

So which brands currently do data consent policies well? Thornton states it is those that have already taken data transparency to a new level regardless of GDPR, and, as Walsh earlier explained, have recognised the need to be more communicative with their customers about how they use their data and the value both parties can glean as a result.

"The best brands are those that explain in layman's terms what they're doing from the outset, with the legal stuff embedded behind. The text is legible, and designed for every demographic of customer they have.

"A good example is – if you were an app on a smartphone and your target audience is, say, 16 year olds, well they’d need to be able to understand your data policy. You’d have to write things in very plain English. It’s a tricky thing and a genuine skill – a technical challenge to be able to show that information without bamboozling the customer.

"But beyond that, it's also about choice. Making it clear that a customer can choose to not have their data used for certain practices, and letting them decide what is and isn't OK."

The Guardian

Given the Guardian's editorial stance on data privacy, it was always going to need to have a data policy of its own that pushed beyond the boundaries of simple compliance. 

"What the Guardian is explicitly explaining is that, 'if you do x it will make things better for y reasons, but equally you haven’t got to do that', which is clear" says Thornton. "You have complete control over the data you share. If you don’t want to share your email address, go online and click a button and your email address is taken away and advertisers don’t have access.

"That’s the pinnacle of transparency – putting the ball completely in the consumer’s court and saying ‘this is why we need your data’ and it does ‘x and y’ but you’re more than welcome to opt out."

And where The Guardian has excelled is in the method it chooses to communicate its consent policy to its audience (click image):

"The ICO calls this type of messaging a 'blended approach'," says Georgina Graham, an associate and data privacy expert for international legal firm, Osborne Clarke. "It's this type of innovation - including things like just-in-time notifications, icons, symbols, videos and privacy dashboards - that are most likely to resonate with people as they're methods for breaking up the heavyweight privacy text."  

MyO2

While the Guardian may offer its customers clear messaging, an example of Thornton's last point about 'choice' is perhaps better highlighted by telecoms giant, O2, which offers its customers the ability to pick and choose exactly what is and isn't used via its customer 'MyO2' privacy dashboard, with a sliding scale for how much communication they want to receive (click image).

Offering customers the ability to opt-in or out (depending on compliance) of every aspect of communication with a business is a bold step, but one that will become more and more prevalent amongst brands as GDPR pushes Privacy by Design to the fore.      

AVG*

Of course, it's the world of advertising where many consumers are revolting against brands using data without proper consent.

Ad blocking technology is putting pressure on advertisers to improve their media strategies and give consumers fitting and well-timed messages that they actually welcome. There are said to be roughly 198 million active adblocking accounts across the globe, and the rise has led to a number of companies rethinking how a customer's data can be better managed, handing back control. 

According to a recent Forrester report, AVG is currently one of the most forward-thinking in this realm, with its PrivacyFix dashboard offering a far easier route to controlling cookies, adblocks and other data sharing devices that require consent online.  

And even Google has had to redesign its privacy policy to put clearer, more concise information about data consent front-of-house:

"You’ve still got to go further and the GDPR will make companies go further," Thornton adds. "The information you’ll need to display in your privacy notices is sizeable. But too often this is left with legal and privacy guys. The regulations are trying to bring this out of the shadows and make this a transparency thing rather than a legal thing.  

"The benefits are massive. In terms of your marketing it makes absolute sense to have an up to date database where the marketing you send out is being sent to people that want it. Ultimately though, you have to think - if people aren’t going to buy your products, why waste time keeping them on your database?"

*Since going to press, AVG's PrivacyFix has been discontinued. More information here