What is legitimate interest?
I could spend a whole blog post just explaining the concept of legitimate interest, so for the purposes of this post, I’ll try to shorten it. Essentially, it’s the idea that you have a reasonable justification for processing the data, that the processing is something the person would reasonably expect, and that it is ethical and legal.
Now there is a lot more to it than that, and you can read more about this on the ICO website which includes the full three-part consideration test that you should use to evaluate your legitimate interest reasoning (if you choose to use this as your basis for processing – more on that in a moment).
If you can justify legitimate interest as your grounds for processing, then in the case of opt-in forms this means that you may not need a checkbox to conform to GDPR.
What is consent?
The idea of consent is seemingly clearer than the idea of legitimate interest, and yet it is still open to much interpretation.
In terms of GDPR, consent is a clear, affirmative action that gives permission for processing.
For the purposes of opt-in forms and landing pages, this could be the action of inputting an email into a form and clicking submit, or it could be checking a box to confirm agreement to a privacy message or condition under your form. These are all types of consent.
So what does all this mean for your opt-in forms?
Well, the first thing to note is that if you can justify legitimate interest as your grounds for processing the data (i.e. collecting it on your opt-in form and then sending follow-up emails), then this could mean you do not need a checkbox on your forms.
It’s important to note that although it might sound like the easy option here, you do need to have a solid evaluation of your reasoning for legitimate interest and have this well documented in case of any kind of audit or investigation. Not all situations will fit legitimate interest grounds, so this shouldn’t be used as a one-size-fits-all solution.
A few steps to consider if you plan to use legitimate interest as your grounds for processing on opt-in forms:
- I’d highly recommend you get the GDPR Pack from Suzanne Dibble, which includes a legitimate interest assessment (as mentioned earlier), and review each of your forms/landing pages/opt-ins.
- Keep a clearly documented record of the outcome and your reasoning for each opt-in in the legitimate interest assessment form (the opt-in obviously needs to meet the requirements of legitimate interest for you to rely on it)
- Ensure you review the assessment if you change the nature of your processing in the future
- Remember that you must give prospects/subscribers the “right to object” at any time – so have clear unsubscribe/opt-out links on all emails and throughout the process. You may also want to highlight this in a privacy message below your forms.
- Keep all opt-in form wording as clear as possible – make it crystal clear what the individual is subscribing to and what they will be sent after opt-in. It’s advisable to include information that you will send marketing emails (or whatever you plan to do) in copy somewhere on your opt-in form – perhaps in the copy with the privacy link below the submit button.
How to get consent on your opt-in forms
If you’re not comfortable with using legitimate interest as your grounds for collecting emails and marketing to your audience, you’ll need to rely on the basis of consent.
Using consent as your grounds for processing means that you are seeking a clear affirmative consent from the individual for any data processing you plan to initiate after the opt-in.
Before you immediately think that you need to add a ton of checkboxes below your forms, remember that the act of submitting your opt-in form (entering an email and submitting the form) is a clear affirmative action. So you should consider how you can word the copy around your opt-in form to indicate that your visitor is giving consent through the submission of their email.
For example: Let’s say I had a bonsai tree training business and wanted to send out a newsletter to my audience each week with bonsai news and the occasional promotion. I could potentially use a form like this: