Form Best Practice
Eliminate all unnecessary fields and make the fields you do need as easy to fill out as possible.
GDPR discourages data processors from collecting any information that is unnecessary.
If it doesn’t serve the user, it shouldn’t be sitting in your database.
If you’re looking to email your subscribers information on how to grow their ecommerce business, you probably don’t need to know their age. Or their fax number. Or any number of other unrelated pieces of data that it may seem “useful” to collect.
GDPR also states that any person can request access to the data you have on file for them—and that they can request that you purge or modify all that data, at any point.
Keep the data you collect to a minimum and easy to access.
Add a link to your Privacy Policy to the bottom of your form.
Here’s how to do it easily:
The first thing you’ll need to do is create your privacy policy on its own separate page on your site.
Now go back and click on your form, insert a “Privacy Policy” text field, and link it to the page you created.
----------------------------------------------------------------------------------------------------------------------------
At its core, GDPR is about transparency, privacy, and a commitment to keeping your user data safe.
And, as it happens, users like to hand their data over to companies they feel are transparent, private, and committed to keeping their data secure.
So, if you collect any personal data from your users and store it, you will need to collect consent in a way that complies with the new laws. Personal data means any piece of information that can be used to identify someone. This includes name, ID number, location data, email, phone, address, company, IP address, etc., and all of these require that you ask for consent.
You’re probably already doing this for the most part. If you collect emails, your forms probably have a giant “subscribe” button, or a little checkable box that says “I consent to receive promotional emails.” Just make sure that the person giving you their information knows exactly why they are giving it to you and what you will be doing with it.
The GDPR says:
“Request the explicit consent of every user before any data collection takes place. Requests must be in clear, plain, easily understandable language free of legalese. It also must stand alone from other matters or requests and not be buried in other text.”
Here are a few common mistakes you may be making on your forms:
Bundling
If you’re asking for consent to store and use someone’s data, you have to make that request clear and independent of other terms. Consent can’t be a precondition for signing up for a service; giving it has to be an independent decision for your users.
Lumping consent to use personal data together with another term or offer is called bundling. And it’s a big “nope” for GDPR compliance.
The most common example of this is a single checkbox that lumps data consent together with something benign and mandatory, like your terms of service.
The above form is not GDPR compliant, and you’ll need to change it to two separate boxes: one for opting into an email list, one for your Terms of Use.
Negative opt-ins
This one’s a no-brainer.
NO pre-checked boxes.
Your “By checking this box, I want to receive emails” checkbox has to start blank and be actively checked by the user.
Or, you can set up a binary choice, in which both options have equal prominence, like the one below.
Non-granular opt-ins
Are you going to be contacting consumers by text, by phone, and by email? Then that needs to be clear.
The safest bet is to give users the option to consent separately to each type of communication.
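The three mistakes above (bundling, negative opt-ins, non-granular opt-ins) can be checked mechanically before a form ships. The following is an added example, not code from the original article: a small audit over a constructed description of a form’s checkboxes (field names, purposes and default state are assumptions for the sample), plus a consent record builder that refuses to store consent from a form that fails the audit.

```javascript
// Added example, not from the original article. Form fields are described as plain
// objects rather than a live DOM so the check runs offline.
const MANDATORY = new Set(["terms"]);                // purposes a user cannot decline
const CHANNELS = new Set(["email", "sms", "phone"]); // each channel needs its own box

// fields: [{ name, label, purposes: [...], checkedByDefault }]
function auditConsentForm(fields) {
  const problems = [];
  for (const f of fields) {
    const consentPurposes = f.purposes.filter((p) => CHANNELS.has(p));
    if (consentPurposes.length === 0) continue;     // plain mandatory box, e.g. terms only
    if (f.purposes.some((p) => MANDATORY.has(p))) {
      problems.push(`${f.name}: bundles consent with a mandatory term`);
    }
    if (f.checkedByDefault) {
      problems.push(`${f.name}: pre-checked consent box (negative opt-in)`);
    }
    if (consentPurposes.length > 1) {
      problems.push(`${f.name}: one box covers ${consentPurposes.join("+")}; split per channel`);
    }
  }
  return problems;
}

// Build the consent record to store beside the personal data. Only channels whose own
// box the user actively ticked count; a form that fails the audit yields no record.
function consentRecord(fields, submitted, now = new Date()) {
  const problems = auditConsentForm(fields);
  if (problems.length > 0) throw new Error(`form not compliant: ${problems.join("; ")}`);
  const record = { consentedAt: now.toISOString(), channels: [] };
  for (const f of fields) {
    if (!submitted[f.name]) continue;               // unticked box: no consent for it
    for (const p of f.purposes) if (CHANNELS.has(p)) record.channels.push(p);
  }
  return record;
}

// Constructed sample forms: the bundled, pre-checked one from the text, and a fixed version.
const badForm = [
  { name: "agree", label: "I accept the Terms of Use and want to receive emails",
    purposes: ["terms", "email"], checkedByDefault: true },
];
const goodForm = [
  { name: "terms", label: "I accept the Terms of Use", purposes: ["terms"], checkedByDefault: false },
  { name: "optin_email", label: "Email me ecommerce tips", purposes: ["email"], checkedByDefault: false },
  { name: "optin_sms", label: "Text me offers", purposes: ["sms"], checkedByDefault: false },
];
```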
The key is: when you collect user data, ask yourself “what am I using this for?”
Then follow up with a quick: “is that clear to the user?”
If not, your consent collecting process needs some work.