Under Europe’s GDPR rules, does every web form now require an explicit opt-in consent tick box? That’s a question we’ve been asked by a number of our customers.
Although we cannot provide a definitive “yes” or “no” answer, this article outlines some options for you to consider. GDPR is a complex topic – please seek your own independent legal advice.
Background
The European Union’s GDPR rules came into force on 25 May 2018. The updated law gave more control to individuals on how their personal data is used, and made organizations more accountable about how they gather, manage and use their customer and marketing data. For a broader article about what GDPR may mean for your training operation, read Data privacy, GDPR and how Arlo can help.
Since that article was written, we have enhanced the Arlo platform to allow customers to capture and report on data consent on their lead and registration forms.
Legal basis for processing data
GDPR applies to any personal data captured on your website, so you must establish a legal basis for processing that data before you collect it. Of the six legal bases listed in Article 6 of the GDPR, three are the ones most likely to apply to your forms.
1. Consent
If the form states what the data will be used for and asks for explicit consent, that consent is a legal basis for the processing. This is often used for newsletters and other general marketing activities, and is regarded as the most transparent and least disputable of the three bases. Consent must be “freely given”, meaning data subjects must be able to withhold it “without detriment”. For example, you cannot require a data subject to sign up for a newsletter in order to register their interest in a specific event. Consent must also be a clear affirmative action by the data subject, so a pre-ticked box does not count; the box must start unticked.
Using consent as the basis for a form about a specific event, for example an Arlo lead or registration form, makes less sense, because a data subject who has enquired about an event would not want to withhold consent to receiving information about that event; the concept of withholding consent “without detriment” does not apply in this context. For this case you could consider Legitimate Interests as the basis (regulatory guidance describes it as potentially “the most appropriate basis when […] you cannot, or do not want to […] bother them with disruptive consent requests when they are unlikely to object to the processing”) or Execution of a contract.
2. Execution of a contract
For forms about a specific event, for example an Arlo registration form, or a lead form about an advertised course that does not yet have a date, this legal basis could apply: “processing is necessary […] in order to take steps at the request of the data subject prior to entering into a contract”. If the data is used only to inform the person about the event they have enquired about, this is a valid legal basis even if they never enter into a contract. Note that the data cannot then be used for any other purpose without a separate legal basis, and this basis should not be used to capture general interest in a topic.
3. Legitimate interests
This could be a valid legal basis for any type of form. A data subject who registers for, or enquires about, an event will expect to receive information about that event, and possibly related events. It should be relatively easy to document the legitimate interests assessment (purpose, necessity and balancing test) for this case, provided that every marketing communication to the data subject offers an opt-out and that you stop sending as soon as they use it. Be aware that separate e-privacy rules (the ePrivacy Directive, implemented in the UK as PECR) can still require consent for electronic marketing regardless of the GDPR basis, so check them before relying on legitimate interests for marketing emails.