GDPR and Episerver: Unbundled consent in signup forms
Make sure your signup forms are explicit about why you're asking for user consent.
With Episerver Forms, it's easy to create signup forms for events, contests or whitepaper downloads.
Most signup forms require the registrant to supply some kind of personal data, like name, email, company or title.
It's also common to try to get the user subscribed to newsletters or promotional offers at the same time.
Here's a typical example:
However, after GDPR, the form above would not be compliant. Can you tell why?
The answer: Consent has to be unbundled:
"If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters (...)" - Article 7(2)
In essence, forcing users into your marketing program cannot be a mandatory or implied part of the signup process.
Users consent to you gathering their personal data for the explicit purpose of the event, but not the purpose of you building an email marketing list.
Note: Within the consent the user has given by signing up, you are allowed to send purely transactional emails, like registration confirmation, a reminder the week before, or a follow-up thank-you note after the event. But as mentioned, you cannot take this as implicit consent to continue sending out marketing messages to the registrant afterwards.
Fixing the form
If you want to use personal data for additional purposes besides the event signup, you need explicit consent for those purposes.
To achieve this, add an extra checkbox (which has to be unchecked by default!) to your form.
Explicitly state what additional purposes the user will be giving their consent to. The user must be able to complete the form without giving additional consent - so you cannot set it the extra checkbox as a required field.
It's also a good idea to provide a link to your privacy policy, where users can read more about how you process their personal data.
The revised, more GDPR-friendly form could look something like this: