GDPR – the General Data Protection Regulation – will come into force in May 2018, Brexit or no Brexit, hell or high water. It will force businesses to completely rethink their outbound marketing.

At its most basic, GDPR demands that organisations provide evidence that contacts have consented to having their data stored, and are aware of how their data will be used in turn.

This simplicity has been muddied by the sheer number of competing interpretations of the regulation. Our own reading of the ruling – founded on DMA guidelines – is below.

The biggest problem is the issue of consent, which is the focus of this article. Businesses not only have to make their websites GDPR-compliant; they also have to make them persuasive enough to encourage customers to hand over their personal data.

To do this, online opt-in forms must be well-written, designed according to user experience (UX) best practices and – where possible – offer additional value for the visitor.

Read on for our favourite examples of GDPR-ready opt-in systems by UK brands, and those who deserve a smack on the bottom (or a hefty €20 million fine, as of May).

Opt-in compliance: the basics


GDPR provides organisations with six legal bases on which they can gather, store and use customer and contact data:

  • Consent, where an individual gives permission for the processing of their personal data;
  • Contract, where data is required for the successful execution of a contract;
  • Legal obligation, where data is required for the organisation to fulfil a legal duty;
  • Vital interest, where data is required to protect the interests of the individual owner;
  • Public task, where data is required to perform a task in the public interest, and
  • Legitimate interest, of the organisation or a third party attached to it.

For B2B businesses, ‘personal data’ as defined by GDPR includes corporate email addresses.

This article is concerned with the first base above: consent. We’ve written about legitimate interest here.

For an organisation to justify the collection, storage and processing of an individual’s data by consent, they must:

  • Prove that the individual took affirmative action to opt in to their data-gathering service;
  • Educate the individual on how their data will be used;
  • Offer a clear privacy notice alongside their opt-in form, separate from their terms and conditions, and
  • Maintain evidence to prove all of the above.

Achieving all this with a single opt-in form requires good copywriting and good UX design. So which businesses are winning the race, and which are making a pig’s ear of things in the run-up to May 4th?

The good, the bad, the ugly

Doing badly


Grade: E

+ Multiple fields to capture business information

– Form is not GDPR-compliant

– Uninspiring, characterless copy

– ‘Marketing Challenge’ field is intimidating for user

Dull, ambiguous and impersonal. This form lacks even basic indicators that, in completing it, the reader is offering their consent to receive marketing messages. This is the old ‘implicit consent’ model of business that GDPR exists to prevent.

The form requires excessive specific detail from the user, including their employee headcount, phone number and company website. At the same time, it lacks any information on how the user can expect to be contacted. Fear of being hounded with marketing phone calls or irrelevant emails is likely to put off many users. The business should instead make details like the reader’s phone number an optional addition, and provide a basic description of the form and types of messages to follow.

Usability is another major shortcoming here. Offering radio buttons or a dropdown menu would make it easier for users to provide accurate responses. Besides saving time, this would also support readers with the ambiguous, intimidating query around their ‘Marketing Challenge’.

That said, even if radio buttons were added – “I consent to these details being held on file”, “I consent to receiving marketing messages via email or phone” and the like – it would still be dull and uninspiring.

What we’re seeing here is standard, solid, functional, content marketing practice. There are two opt-ins here and both offer value in return. For handing over some professional contact data, the user gets a downloadable document; they can also opt in to be contacted regularly, provided the contact comes in the form of tips on business income generation.

Even here, however, the form raises questions. Why does the business need to know their job role and company name to supply a free guide? They don’t, and they don’t explain what they’re going to do with that data. Result: this isn’t compliant.

Finally, the copy is uninspiring, giving the impression that any subsequent marketing comms will be similarly lacklustre. Opt-in forms are a chance to show off a brand’s personality. This one has all the charisma of a tax return: it fails on all possible fronts.

Doing due diligence


Grade: C

+ Short, with little commitment required

– No reminder of the benefits of the demo

– Copy is uninspiring

– No link to privacy policy

This example is compliant – but only just. It tells the user what the information will be used for in very general terms and indicates that submitting details via this form gives consent to specific uses of data (but they’re outlined elsewhere).

It’s shorter than the previous example, requiring the user to jump through fewer hoops to get their hands on the free demo. That brevity is problematic, though. The form doesn’t provide a reminder about the value of the free content, which could prevent apprehensive users from handing over their info. The use of the word ‘free’ in the title is also divisive – as it could prevent customers from valuing the demo.

This example includes a disclaimer, informing the user that their data is to be used for promotional purposes, but it fails to provide any link to the privacy policy mentioned. Accessing our digital rights should not be a challenge, and forms should clearly state what the user can expect to receive, how often and by whom.

GDPR is user-perspective legislation – it’s intended to help users understand and use their data rights – and this kind of small print approach serves the letter rather than the spirit of the law. It’s lazy, and it’s going to stand out as such when standard practice shifts after May 2018.

Doing it better


Grade: B

+ Offers alternative choices

+ Links are clear

+ Language indicates user is in control

– Drop-down menu lacks options

While not the most aesthetically pleasing, this form is a great effort. Up top, it does two things: it reassures the user that they’ve unsubscribed from emails, and it gives them the chance to control other notifications. This choice is not something the user will have expected, and putting the user in control reassures them that their communications will offer value. They’ve created the assumption that other users also want to manage their notifications.

The use of direct language helps Spotify stay GDPR-compliant and puts the user in the driving seat – supported by the use of possessive and personal address (I, my, you, your) throughout.

Then there are the options on offer. The amount of choice over the Twitter notifications the user can receive is impressive, divided between the user’s own activity and that of their network. The ‘default’ option is also a nice touch. Research suggests that if a user is too indifferent, conflicted or confused to make a choice, they are happy to stick with the default choice provided.

What the form lacks is clarity around the user’s ability to opt out of all email notifications. Adding a ‘no notifications’ option to the drop-down menu would give even more control to the user. And then there’s the impact of brevity on their ability to persuade. What value does the user get for interacting with these options and agreeing to these messages?

Doing… better than us, actually


A good example of a GDPR compliant and user friendly preference centre

Grade: A+

+ Uses an interactive slider system

+ Buttons are clear and bold

+ Copy is full of personality

+ Aesthetically pleasing design

This is brilliant. Interactive, visually pleasing with carefully crafted copy, this form is a GDPR dream.

The design is interesting and functional, with the options clearly separated and the clickable objects clear against the background. The tone is warm and witty, and there’s a sense of specific value added to the mail preferences (with a summaries-only option for the time-poor user who wants to know what’s going on but doesn’t want detail).

The slider system is unexpected, emphasising user control in a fun and simple manner. The novelty factor is an added bonus here, offering a distraction from the user’s original reason for visiting the page. In fact, unsubscribing is a last, nearly-hidden option.

UX research has shown that the eye spends most time looking at the left-hand side of screens, which is where the control centre features here.

This high standard of visual design is complemented by the friendly copy, which reassures users that the brand understands they might not want to receive all their content, all the time. The tone strikes an ideal balance between warmth and not appearing intrusive or glib. Crucially, the copy and layout clearly express the value that the user will receive from future emails – focussed as it is on lifestyle travel imagery.

Finally, allowing people to unsubscribe for a limited time is a masterstroke. Users often fleetingly feel they have too many emails (we do). Allowing people to declutter their inboxes without disengaging altogether means they don’t have to be won back around.

Wish we’d thought of that.

Good copy, good design and valuable content will make the difference for businesses seeking to thrive in and survive GDPR. For weekly best practice tips on content, copy and email, subscribe to our newsletter below.

(See what we did there?)

Picture credit

(CC) The Blue Diamond Gallery
