Australian PM supports save the reef petition!? Time to Change our ways.

privacy, ethical-tech

Good organisations that use dark patterns (manipulative user interfaces and processes) to achieve their goals, however lofty, do a disservice to us all. Trust in the progressive movement is eroded, and when we act as if the ends justify the means, we run the risk of becoming what we set out to change in the first place.

With the coming into force of Europe's GDPR exactly 2 years ago, campaigners and, well, anyone collecting data online went into a flurry of activity to ensure their data collection processes and forms conformed to a much higher expectation of data privacy and consent.

One aspect that particularly obsessed everyone was, not surprisingly, our precious email lists. Lots of nuanced and technical discussions played out online as participants shared concerns, strategies and form designs that clearly did and did not meet GDPR expectations.

However, one key requirement of GDPR that seems to have been politely ignored by many organisations, particularly those with aggressive growth strategies, is gaining actual confirmed consent.

Who gives consent, exactly?

Marketers use opaque euphemisms for email marketing lists, 'single opt-in' and 'double opt-in', and the difference turns out to be particularly important for online actions like petitions.

Here's a single opt-in form from petition platform Change.org in the EU:

A Change single-opt-in

With single opt-in, you implicitly trust whoever puts data in that form, with no attempt at verification. In GDPR-compliant countries this includes an explicit choice the user must make. Globally, however, Change's forms actually bundle up the consent with the action being taken, something that is explicitly forbidden under GDPR.

A forced-consent form from Change.org outside the EU:

A change no opt-in form

Regardless, their privacy policy is quite explicit about the lack of verification in either case:

Part of Change.org's privacy statement

And while bundling consent with the action a person wants to take is clearly uncool, the lack of verification actually poses a much bigger problem. Who gives consent, exactly, when a random user (or a not-so-random troublemaker, or indeed an automated bot) fills out a form?

Did the Australian Prime Minister really sign this?

Did the Australian Prime Minister really sign this petition?[1] He's not known to be very supportive of Australia's Great Barrier Reef, what with his love of coal and all:

Australian PM's precious coal lump in parliament

Instead of calling this process 'single opt-in', a more accurate term would be unverified consent, because no attempt has been made to verify the form data, particularly the email address.

A higher standard of process is called 'double opt-in'. The first 'opt-in' is submitting a form, and the second 'opt-in' is clicking a verification link emailed to the address that was submitted.

It makes sense when you think about it. The only way to confirm that an email account holder consents to something is for that account holder to take an action. Confirmation emails serve exactly that purpose.
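The two opt-in steps described above, sketched as an added example (this is not Do Gooder's or Change.org's code). The in-memory `signatures` store, the function names and the 48-hour link lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 48 * 3600   # assumed lifetime of the emailed link, in seconds
signatures = {}         # (email, petition_id) -> record; stands in for a database table

def _digest(token):
    # Store only a hash, so a leaked table cannot be used to confirm signatures.
    return hashlib.sha256(token.encode()).hexdigest()

def submit(email, petition_id, now=None):
    """First opt-in: record the form as pending and return the token to email out."""
    now = time.time() if now is None else now
    key = (email.strip().lower(), petition_id)
    if signatures.get(key, {}).get("status") == "verified":
        return None     # already confirmed; a resubmission must not reset it
    token = secrets.token_urlsafe(32)
    signatures[key] = {"status": "pending", "token_hash": _digest(token),
                       "expires": now + TOKEN_TTL, "confirmed_at": None}
    return token        # goes only into the email sent to that address

def confirm(email, petition_id, token, now=None):
    """Second opt-in: the mailbox holder clicked the emailed link."""
    now = time.time() if now is None else now
    rec = signatures.get((email.strip().lower(), petition_id))
    if rec is None or rec["status"] != "pending":
        return False    # unknown signature, or link already used
    if now > rec["expires"]:
        return False    # link expired; the signature stays unverified
    if not hmac.compare_digest(rec["token_hash"], _digest(token)):
        return False    # guessed or tampered token
    rec.update(status="verified", confirmed_at=now, token_hash=None)
    return True

def countable(petition_id):
    """Only verified addresses may be counted, emailed again or shared."""
    return sorted(e for (e, p), r in signatures.items()
                  if p == petition_id and r["status"] == "verified")

if __name__ == "__main__":
    # Constructed sample data: someone types an address they do not control.
    submit("pm@example.org", "save-the-reef")
    print(countable("save-the-reef"))   # pending only, so nothing is counted
```

The stored `confirmed_at` timestamp doubles as the record of when consent was actually given.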

Verified Consent - Best Practice

A more accurate, and less technical term than 'double opt-in' would be verified consent.

All this is quite important because this list data is often shared with third parties and the campaigner – or used to send more emails requesting support or money. Sometimes emails are sent to politicians or others in the name of the person who may or may not have filled out a form. Relying only on unverified consent means it's certain there are petition lists stored out there with email addresses and names linked to people who did not consent to supporting a particular issue or petition. That is a major breach of GDPR law if that person is an EU citizen.

It's worth pointing out that it is common practice to rely on unverified consent for the simple fact that conversion rates are higher (lots of real people do sign forms and then forget to click the follow-up email link).

We're also only focusing on Change because it's one of the largest and most well-known sites that relies solely on unverified consent to scale its lists (and it does so in the most aggressive way possible by default across the world, via bundled/forced consent).

Even Do Gooder offers unverified consent (and full disclaimer: we allow bundled consent in regions that do not outlaw it). But since the advent of GDPR we've invested in building out the option to enable verified consent for all our campaigns, and our recommendation is that for list quality, resultant deliverability and credibility, verified consent is the way to go. We even went a step further and made verified consent the default because defaults matter, a lot.

Nothing changes, unless we do.

Want to know what's even better than best practice?

That's easy. Just sign up to our form below to see it in action. As soon as you submit your address, you're invited to confirm your email address, and that's when the magic happens. As soon as you click the link, the content below will change to acknowledge you've completed a task.

By including visual cues and a participation reward you can help increase conversion rates, even for verified consent processes. 😉


  1. Just in case it isn't clear, we didn't actually submit a fake petition on Change for that very worthy campaign! We mocked it up. No data or coal-loving prime ministers were harmed in the process!