Since its introduction in 2018, GDPR (General Data Protection Regulation) has changed the way that charities think about online user consent and data privacy
As well as stringent rules around reporting and managing data, charity marketers and fundraisers have had to get to grips with specific ways of communicating with supporters when asking for their details.
When collecting data, it’s essential to have correctly worded consent on donation forms, sign up pages and online documents. This allows people to keep in touch with your charity on their own terms.
Marketers could get away with communicating with people when consent was implied or inferred. But under GDPR, consent has to be expressly given for an organisation to continue communicating with them. The Information Commissioner’s Office (ICO) defines it as:
“a positive opt-in... offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation.”
A 2020 GDPR progess report from the EU Commission found that 69% of the EU population above the age of 16 have now heard of GDPR. This shows a growing awareness among the public about their data rights. And with COVID-19 driving charities to embrace more digital platforms, it’s never been more important to know the rules.
So whether your charity is undertaking digital marketing for the first time or you need a quick GDPR refresher, here is a brief overview of how to ask for consent.
Article 4 of GDPR defines consent as "any freely given, specific, informed and unambiguous.... clear affirmative action" by which a person gives permission for their personal data to be processed in a particular way.
Breaking that down, here’s what that means in brief.
Supporters can’t be seen to be pressured into giving their consent. There can’t be any emphasis on either ’accept’ or ’do not accept.’ There can’t be a pre-ticked box as default or one option in bigger
text or highlighted - it needs to be an obvious choice with no right answer.
Consent also needs to be as easy to withdraw. It must be clear to supporters on sign-up pages that they can unsubscribe at any time. There should also be information on how to do this, and the unsubscribe button should easy to find.
What’s crucial is that supporters know exactly what they’re opting into. Users can only consent to one type of data processing with each opt-in.
Here’s an example of what that means:
Opting in to receive updates about a specific fundraising campaign doesn’t give you permission to also send text alerts. It also doesn’t sign users up to hear about a completely different service. Giving them the option to sign up to more than one thing or means of communication is fine. As long as each thing has its own tick box and is clearly communicated.
For example, when signing up to receive emails, you might give them a tick-box list that says ’Yes please, keep me up-to-date via email:
Users need to know exactly what they’re consenting to, including the reason for processing. For example: ’Your information will be used to send you this whitepaper and to sign up to our weekly newsletter.’ Or an invitation to learn more and read full terms and conditions.
When providing a tick box for an email newsletter, unbundle what they’re signing up to by explaining exactly what content you will be sending them:
’We will inform you about the following information:
Where you might be sending personalised content tailored to the individual, they need to explicitly consent to this.
You must also give the name of your organisation and any subsidiaries or third parties you’re requesting consent on behalf of. This ensures supporters are fully informed about who they are giving consent to.
Your consent needs to be communicated in language that is clear, straightforward easy to understand. Confusing double negatives or vague phrasing won’t cut it. Keep things concise and on point, as this isn’t the place to try to be clever with copy.
Supporters must expressly consent by doing or saying something. For example clicking a box or button that says “I understand and accept.”
The box also can’t be pre-ticked and must be kept blank, as the person needs to actively tick the box themselves to opt in. Otherwise, as per the ’freely given’ rule, you are swaying their decision.
As an affirmative action, it’s a good idea to include a second opt-in layer that requires users to confirm they want to subscribe via a validation email.
Let us know what GDPR consent phrases you are using in the comments below.