GDPR: Does my Contact Us form need an opt-in?

Evelyn Wolf by Evelyn Wolf   23 Feb


GDPR Consent Contact Us

It seems a little counterintuitive to have an opt-in on a contact us form, after all, the person completed the form has asked to be contacted. Here’s why you should add one in.

Let’s talk about consent

Let’s take a step back and talk about consent under the GDPR. It’s when someone agreed to allow you to process their personal data. Here, I’m talking about opt-in to hearing more from you (ePrivacy Directive and GDPR). You will need to start using a clear and explicit opt-in on all your forms whether it’s an ebook download, a webinar registration or, yes, a contact us, if you plan to contact the person completing the form with any additional marketing information.

Did you notice the keyword in that last sentence? Additional. This means when someone completes the form and has handed over digital currency (aka their data) they expect to receive in return what you have promised, nothing more.

It’s important to have a clear and explicit opt-in. This means that you can’t bamboozle people with wording that is unclear to them. Be sure your target audience can understand what they opt in to. If you plan to email people, then note this in your opt-in and be specific on what you plan to send them. A nice add on is to mention that they can opt out at any time and ideally you want to link to your privacy statement. This allows people to read up on how their data will be stored, for how long and more detail on what you plan to do with it.

The expectation

Let’s head back to your “contact us” form and even expand this to demo requests, free consultations and other forms that are clearly completed because the person doing so wants to be contacted by your company.

In our opinion (*disclaimer: we are not legal experts and as cases based on GDPR will be decided after May 25th 2018 this may change), it is reasonable to assume that if someone willingly provides you with their contact details that they are okay with you storing their data and for you to contact them based on this request. 

The person by filling out your contact us has not opted-in to receiving marketing emails from you. Their reasonable expectation is that they will be contacted on a one-on-one basis to discuss whatever it is they contacted you about. After that, this conversation may evolve but at no point have they agreed to receiving marketing emails like newsletters or promotional offers.

Adding consent to “contact us”

So then what happens if you responded to a contact request and the conversation ended there? Perhaps the person isn’t ready to buy just yet. Of course, you may stay in touch within reasonable expectation on a one-on-one basis but that’s not really scalable. Also, is that not the job of your awesome inbound lead nurturing strategy?

Your hands are tied if this contact didn’t opt-in to receiving marketing messages from you. You're simply not compliant if you still send this contact marketing email. You are left with two options:

1. Gain consent after the event.

This would involve you sending the contact in one of your direct communications with them to a landing page to download perhaps an ebook and complete an opt-in there. Or receiving written consent in an email that you can then screenshot and store in their file. While certainly an option, it’s a tougher route and more work on your end.

2. Gain consent before the event.

Simply add a clear and explicit opt-in to your contact us, demo, consultation etc. pages and get consent out of the way right from the start. Communicate with the lead one-on-one regarding the contact query and be able to send them relevant marketing materials that they consented to.


Addition to the blog post - Added 09/07/2018

This is by far one of our most popular blog posts at the moment and the one we get a lot of questions about. The big one is: Do you not need consent to process the data in the first place as well as opt-in to email?

Here it is again, the ePrivacy Directive (PECR in the UK) and GDPR, opt-in vs consent question. I don’t want to go into detail here (you can read a full post here), but I do want to clarify when it comes to this specific example of consent and opt-in on Contact Us forms.

One thing we can’t get away from, if you want to send additional marketing email, you need clear and explicit opt-in (ePrivacy). This is one data process and the one described in the post. So for this you do need an affirmative opt-in.

From a technical perspective, if someone completes any of your forms, you are likely processing their personal data (GDPR). This is because the data ends up in your CRM where it is stored (that’s processing already). It now is important that as a business, you make a call on how you handle this from a lawful processing basis. You may argue legitimate interest and not have a consent box (described in the article above). Or use consent as your lawful basis in which case you will need to obtain it.

In BusinessBrew, we’ve come to realise that we cannot have a form completed without processing the data. The data immediately goes into our CRM and Marketing Database, and we cannot stop this. However, we do want to let you know that we are processing your data. We opted for now to make the field required. We are monitoring closely whether this will be an accepted method or not, please let us know your thoughts on this solution.   

Consent, opt-in and all that goes it with is probably one of the most difficult areas to wrap your head around. Certainly that was my experience! Feel free to ask us questions and start discussions.


Topics: Inbound Marketing, GDPR

Evelyn Wolf

Written by Evelyn Wolf

Inbound strategy specialist and content creator. She will turn your web presence into a magnet and always has wind in her sails.