Lack of interest Contact Us form should require explicit consent

This suggestion has been closed automatically because it did not receive enough votes over an extended period of time. If you wish to see this, please search for an open suggestion and, if you don't find any, post a new one.
K

Kirby

Well-known member
When using the default contact us form, the entered data can be submit it without ever having read the privacy policy and giving explicit consent to processing the entered data, especially if done by a guest.

As this data does contain PII (emai) I suggest to add a checkbox to confirm that the user is giving consent for submitting and processing of the data, ideally with a link to the privacy policy with further information
 
Upvote 3
This suggestion has been closed. Votes are no longer accepted.
But surely by submitting the form in the first place he/she is giving their permission?

You could modify the form to include a header saying that on submission of this form you are giving us permission to use your data to contact you in reply - or something along those lines
 
Dear Grandma

I know you have enjoyed receiving Christmas and birthday cards from us over the years, along with the occasional round robin to let you, grandad and various aunts, uncles and cousins know that you had a lovely gandaughter last year.

We'd hate to lose contact with you, so this is just to let you know that if you'd like to continue as part of our loving family you must opt in so that we can continue to let you know all the greeat news. Of course you have the right to unsubscribe by clicking on the link at the bottom of this email. I know you sometimes have trouble with computers, so I'm happy to pop round and show you how to click on the link and update your family preferences.

PS: we know you don't have long to live, and would like to take this opportunity to (double) opt in to having our personal data being added to your will.

Love and kisses from us all, except Tyson and Meghan, who are too young to tick the consent box.
 
Ok, so I'm gong to fill in a contact form but I don't want you to use my information to contact me in return ?
This puts a whole new level on communication
 
webbouk said:
@Kirby - 4 hours with a lawyer?? I'd get a new lawyer if I was you, as the time where you might need him he'll be on yet another holiday at your expense
Click to expand...
While I think that our lawyer is pretty good, it's not my decision anyway - I am just an employee :)

webbouk said:
But surely by submitting the form in the first place he/she is giving their permission?
Click to expand...
Not explicitly, and that's the whole point of this suggestion:
The consent is only implied, which is not sufficient for Art. 6 (1) lit a GDPR according to out lawyer.
 
Yeah, I agree with Slavik here. It seems your lawyer may be confusing "unambiguous" vs "explicit" consent under the GDPR, and possibly ignoring other-legal-basis exceptions.

GDPR says consent can be given through “another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data"

So unambiguous consent is virtually the same thing as implied consent, and is okay for many types of personal information, such as email address, provided you can show when and how consent was given (i.e. user submitted contact form on date X).

When seeking consent, you only need the explicit consent ("I understand/agree" box) for the "sensitive" personal information class, which includes your DNA, criminal record, credit rating, and other things like that.

However ICO says "Consent is one lawful basis for processing, but there are alternatives. Consent is not inherently better or more important than these alternatives. If consent is difficult, you should consider using an alternative."

And you only need consent at all if you can't show a different basis for processing that information (e.g. you don't use IP address to monitor against security threats or spammers, or your business doesn't require you to follow Know Your Customer regulations).
 
Lawyers are by necessity going to take the most conservative approach - because if they don't and you follow their advice and still get into trouble, you're going to sue them for bad advice.

Just because they are lawyers, doesn't mean they are "right" (where "right" is never black and white - but a murky grey area of degrees and circumstances and potential outcomes).

It is a lawyer's job to tell you everything that can possibly go wrong so that you can then make a decision about how far you're willing to push things, fully informed of the consequences and taking responsibility for your own actions.

If you always follow the advice of lawyers to the letter, you'll never do anything, lest the worst case scenario come to pass.

Of course, I'm not advising you to ignore your lawyer - how you choose to implement things is of course entirely up to you. Personally, I won't be asking for explicit consent on my contact forms - simply linking people to my privacy policy to read before they submit will be sufficient for my purposes.
 
So if you want to contact a site you must agree to their privacy policy? What happens if my questions is about the privacy policy, and I need it answered before I can agree?
 
FWIW - I know plenty of companies who will add you to their marketing email list if you fill out their contact form - which was not the reason for contacting them and something that annoys me no end.

In that scenario I absolutely agree that you MUST seek explicit consent on the contact form.
 

Similar threads

cwe
  • Suggestion Suggestion
Contact form should respect Banned Emails list
Replies
10
Views
1K
Gladius
Gladius
md_5
Not a bug Contact Us Form should not send email 'from' users address
Replies
3
Views
969
md_5
md_5
Weiyan
  • Question Question
Contact Us Form Should close after submmiting
Replies
9
Views
1K
ragtek
R
Top Bottom