A very relevant question with GDPR coming into effect any day now. I guess my legal team would like me to state I’m not an attorney!
Best practice has always stated that you need the correct permission states in place. Let people know why you are collecting their data and for what purposes, and what they should expect, and stick to this. Do not pre-check boxes! People have often worried about the language used in such statements, but if you are clear on those details, feel free to use your normal brand tone of voice.
Other key things you should be looking at are how you can delete contacts to cater for the right to be forgotten, how you can export contacts to facilitate ‘subject access requests’, and what you store about the contact. GDPR Article 7 states that our customers should be able to demonstrate that contacts have consented to the processing of their data (‘consent’ is any "freely given, specific, informed and unambiguous indication of [a contact’s] wishes"). Here at dotmailer we are enabling our customers to store the permission state used at the time consent was given. Finally, make sure that the data passed to you is passed in a secure, encrypted way using HTTPS.
We have a lot of information on this subject freely available here: