If you acquire any data through forms on your website, you have to have a lawful reason to do so.
The GDPR lists six lawful bases on which personal data can be processed:
- Consent
- Legitimate interest
- Contractual obligation
- Vital interests
- Public task
- Legal obligation
The ICO discourages companies from simply defaulting to consent as their reason for processing and storing data. Consent is only valid for the specific purposes it was given for, and the subject can withdraw it at any time, so a consent obtained once cannot be stretched to justify keeping and using the data indefinitely for whatever new purpose comes up later.
Three of these bases, consent, legitimate interest and contractual obligation, are the ones most likely to apply to the data you obtain through your website’s forms.
It’s important that you think carefully about which one you are using as your reason for processing a subject’s data, and how you will make this known to the subject.
If you collect data to use for marketing purposes, newsletters, improving your services, or anything similar, you need to obtain the subject’s consent.
You can do this by adding the appropriate check boxes to your form, but they must not be pre-ticked: the subject has to actively tick the box to confirm that they are happy for you to process their data for that purpose. Silence, a pre-ticked box or inactivity does not count as consent.
For example, if you plan to add their email address to a list that you routinely inform about new products, this would need to be specifically mentioned with a check box.
If you also plan to send them a weekly newsletter, this must be explicitly stated next to a separate, additional check box.
If you also intend to use their data to improve your service and/or find out how many people have visited your site, this would have to be stated next to a third check box.
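The pattern above (one unticked box per purpose, and only an explicit tick counts) is easy to get subtly wrong on the server, because a browser omits an unchecked checkbox from the submission altogether rather than sending "no". The following is an added example, not code from the original page or from the ICO: it renders three separate, unticked consent boxes, parses a submitted form body so that a missing or blank field is treated as no consent, and stores one timestamped record per purpose together with the exact wording the subject agreed to. The purpose names, the wording and the sample submission are all hypothetical.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from html import escape
from urllib.parse import parse_qs

# Hypothetical purposes for the example form. The wording is versioned so a stored
# record shows exactly what the subject agreed to at the time they ticked the box.
CONSENT_PURPOSES = {
    "consent_product_updates": "Email me when you launch new products (wording v1)",
    "consent_newsletter": "Send me the weekly newsletter (wording v1)",
    "consent_analytics": "Use my details to improve the service and count visitors (wording v1)",
}

# The value a ticked box submits. Anything else, including a missing field, means "no".
TICKED = "yes"


@dataclass(frozen=True)
class ConsentRecord:
    email: str
    purpose: str
    wording: str       # exact text shown beside the box when it was ticked
    granted_at: str    # ISO-8601 UTC timestamp of the submission


def render_consent_fields() -> str:
    """Build the checkbox markup: one box per purpose, none pre-ticked."""
    rows = []
    for name, wording in CONSENT_PURPOSES.items():
        # Deliberately no `checked` attribute: the subject must tick the box themselves.
        rows.append(
            f'<label><input type="checkbox" name="{name}" value="{TICKED}"> '
            f"{escape(wording)}</label>"
        )
    return "\n".join(rows)


def parse_consent_form(body: str, now: datetime | None = None) -> list[ConsentRecord]:
    """Turn a urlencoded form body into one ConsentRecord per purpose actually ticked.

    Browsers leave an unchecked checkbox out of the submission entirely, so an
    absent or blank field is "no consent"; only the explicit TICKED value counts.
    """
    fields = parse_qs(body, keep_blank_values=True)
    email = fields.get("email", [""])[0].strip()
    if not email:
        raise ValueError("email is required")
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    records = []
    for name, wording in CONSENT_PURPOSES.items():
        if fields.get(name, [""])[0] == TICKED:
            records.append(ConsentRecord(email, name, wording, stamp))
    return records


def has_consent(records: list[ConsentRecord], email: str, purpose: str) -> bool:
    """Check the stored records before processing a subject's data for a purpose."""
    return any(r.email == email and r.purpose == purpose for r in records)


# Constructed sample submission: the subject ticked only the newsletter box; the
# analytics box arrived blank and the product-updates box was not sent at all.
SAMPLE_BODY = "email=alice%40example.com&consent_newsletter=yes&consent_analytics="

if __name__ == "__main__":
    stored = parse_consent_form(SAMPLE_BODY)
    for rec in stored:
        print(rec)
    print("newsletter ok:", has_consent(stored, "alice@example.com", "consent_newsletter"))
    print("analytics ok: ", has_consent(stored, "alice@example.com", "consent_analytics"))
```

Keeping the wording and timestamp on each record is what lets you later show what the subject agreed to and when; a withdrawal can be handled by adding a matching revocation record and having `has_consent` honour the most recent one.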
For most subjects, the first time they use your form the processing will be legitimised by the consent they give on it.
However, if, in 6 months time, you start another newsletter or a new mailing list and want to add that person to it, do you need to get their consent again?
Answer: probably not.
If this new use of their data is closely linked to what you already know about them and what they have previously consented to, you can cite legitimate interest as your reason to contact them or use their data again, provided you have weighed that interest against the subject’s rights (the ICO calls this a legitimate interests assessment) and give them an easy way to object or unsubscribe, since a subject can object to direct marketing at any time.
For example, if you ran a garden centre and they signed up for more information about a certain product, such as a lawnmower, you know that they probably have a garden and have an interest in maintaining it.
You could, therefore, email them in the future about another product because you have legitimate reason to believe that they would be interested in it. You don’t need to obtain their consent again.
Of the three, contractual obligation is the least likely to apply to a form on your website, but it’s still worth mentioning.
Contractual obligation would be your reason for processing a subject’s data if you needed it in order to fulfil a contract that you have with that subject.
For example, if someone enquired about a product or service through your contact form and then decided to buy it, you can process their data on the basis that you need it in order to complete their order. This doesn’t require a check box.
- You should always carefully consider the purpose and reason for processing data via a form on your website, and you should only use that data for that purpose.
- Don’t just default to using consent as your reason for every use of data. It can be limiting in the future if you want or need to use that data for a new purpose.