When the General Data Protection Regulation (GDPR) took effect in 2018, it changed how websites worldwide requested consent from users for personal data processing overnight.
Five years later, we understand how, why, and when websites should ask for affirmative user consent as their legal basis.
In this guide, I teach you how to build compliant GDPR consent forms and how to obtain, record, and manage consent.
How To Make Compliant GDPR Consent Forms (With Examples)
If your business is subject to the requirements outlined by the GDPR, you may use consent as a legal basis for processing certain personal information.
If you decide that consent is the appropriate legal basis for your processing activity, you must follow specific guidelines when requesting consent from users.
According to the GDPR, individuals must give consent through a statement or explicit affirmative action and be:
- Freely given on a voluntary basis
- Specific
- Informed
- Unambiguous
Additionally, individuals must be given the right to withdraw their consent at any time as easy as it was given.
With this legal definition in mind, let’s discuss making a GDPR-compliant consent form for your website or app.
Make Your Consent Request Transparent
Implement these three transparency requirements into your consent forms:
- Write your consent request using language that is clear and easy to understand for anyone.
- Identify your business by name, and list any third parties you plan on sharing the data with.
- Ensure you clearly explain how you plan to use personal data and why you want to collect it.
Don’t Use Pre-Ticked Checkboxes on Your Consent Form
Don’t use pre-ticked checkboxes, implied consent, or default consent when you ask users to opt-in to your consent request. All of these techniques violate the GDPR.
Instead, provide an unticked box the users must actively select to express their agreement.
See a side-by-side comparison of what to and not to do with checkboxes below.
As the GDPR form example above shows, users must freely give you consent to send them email and be able to access your offering without subscribing to your newsletter.
Provide Multiple Opt-In Options
Consider implementing a double opt-in consent request when you ask users to sign up for a mailing list.
First, provide users with an online consent form they fill out manually to subscribe to your emails.
Then, send a confirmation email and ask them to click on a link to verify their email address, adding it to your mailing list.
While obtaining double consent in this way is not explicitly required by the GDPR, it’s a business best practice commonly used under GDPR.
When Don’t You Need a Checkbox On Your Consent Form?
Under the GDPR, you may use checkboxes when asking users to consent to multiple items on a single form. However, you don’t necessarily need to use one if the reason for consent is unambiguous.
For example, if you use a pop-up to request consent to a newsletter, you can ask them to enter their email address using a clear phrase and an explicitly labeled button to obtain valid consent.
Check out an example of the right and wrong ways to write this type of consent request below.
Additional Opt-In Method Concerning Emails
Depending on the applicable laws, you may be permitted to use previously collected details about an individual to send them an email without obtaining consent.
For example, this practice may be permitted in the United States, the European Union, Canada, Australia, and the United Kingdom, so long as you meet the following:
- The individual provided their email address to you as part of a previous sale on your site
- They’re properly informed via a notice, sales page, or privacy policy
- The emails are promotional in nature and are related to products or services similar to their original purchase from you
- You only promote services and products that belong to you and not a third-party
However, if the individual previously opted out of receiving your emails, you cannot send them any promotional content in this way.
You must also check each applicable law in detail, as the list above is neither exhaustive nor generally applicable.
Use Separate Consent From Requests for Other Legal Policies
The GDPR requires you to separate consent requests for different purposes.
In other words, you can’t bundle your consent for your legal policies, like your terms and conditions, with signing up for a newsletter.
For complete GDPR compliance, ensure your consent requests are distinguishable and obvious to the user.
See an example of how to and how not to do this below.
Provide Granular Consent Options
If your consent form asks users to agree to multiple processing operations, ensure you provide them the option to opt into each item individually.
Otherwise, your consent form doesn’t adequately follow the GDPR standard.
See an example of how to do this below.
Make Withdrawing Consent As Easy As Giving It
The GDPR mandates that you allow users to withdraw consent or change their minds at any time without consequence. Doing so must be as easy for the user as giving consent.
You must inform them how to withdraw consent, like by adding an opt-out option at the bottom of your marketing or promotional emails.
Below, see an example of how to do this successfully under the GDPR.
Keep A Record Of Consent
In addition to obtaining consent, the GDPR also requires you to maintain a log of your users’ consent choices.
To provide adequate proof of consent, you must keep track of the following details for each of your users:
- When you got their consent
- How you obtained it
- What you presented users with at the time of obtaining consent
The Do’s and Don’ts of GDPR Compliant Forms
To help you quickly and efficiently meet the GDPR consent obligations, I made a helpful list of the dos and the don’ts:
- DO use clear, simple language on your consent form so users understand it.
- DO give your users the option to opt in, opt out, and change their minds anytime.
- DO link to a GDPR-compliant privacy policy alongside your consent request so users can access all necessary information.
- DON’T make consent a prerequisite to receiving a service if collecting the data is not actually necessary.
- DON’T make it harder for users to say no than it is to say yes, or else you’ll be in contention with the regulation.
- DON’T use sneaky workarounds, like making the accept button more prominent than the deny button, as this isn’t GDPR compliant.
Recording and Managing Consent
The opt-in action, wording, and placement of your GDPR-compliant consent request is half the battle — you must also ensure you maintain a record of your users’ consent choices.
According to Article 7, section 1 of the regulation:
“Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.”
To help you meet this legal requirement, I’ll explain what information you must keep a log of and how you can allow your users to manage their consent in the following sections.
What Information Should Be Recorded
The records you maintain regarding your users’ consent choices should be as specific and detailed as the consent itself.
For complete GDPR compliance, keep a record of the following information:
- Who consented or opted out: Name, user ID, email address, or other identifiers, including IP address
- When they consented or opted out: Timestamp of when the user consented
- How they agreed or denied consent: The specific form or place on the site where the user consented, like a pop-up vs. signup form
- What they agreed to or opted out of: What exactly they consented to, including weekly newsletter or third-party offers
- If and when they withdrew their consent: Keep a log of any time a user changes their consent preference
My favorite method for keeping a log of users’ consent choices is an automated solution, like Termly’s Consent Management Platform (CMP).
It stores a record of your users’ choices, which you can access in your Termly dashboard.
How To Allow Users To Manage Their Consent
You also need to provide a way for your users to manage their consent choices because Article 7, Section 3 of the GDPR grants them the right to change their minds at any time.
It also states that withdrawing consent must be as easy as giving it.
Similarly, Chapter 3, Articles 15 – 21 of the GDPR gives consumers the following rights over their data:
- Access
- Correct or amend
- Transfer
- Delete
- Object to processing their data for specific purposes
To meet these requirements, post a consent preference center on your site with privacy controls that allow your users to update their choices whenever they want.
For example, the cookie banner on the Greek Data Protection Authority website can be re-activated at any time from the footer.
Additionally, I recommend publishing a Data Subject Access Request (DSAR) form.
To ensure your users always have access to the consent preference center and DSAR form, link both in static places of your site, like the footer or in a privacy center, if you use one.
Summary
When making a complaint GDPR consent form for your website, your users must have a real choice over how you collect and process their personal data.
Ensure your cookie and privacy policies are up to date, and include a live link to each one on any consent requests you implement.
Remember to obtain user consent whenever data collection occurs and keep a record of each user’s choice.
More about the author
Written by Teodor Stanciu, CIPP/E, CIPM
Teo is a Data Privacy Specialist and experienced Data Protection Officer (DPO) who is passionate about helping companies meet their data protection obligations. He has an experience of more than seven years as a DPO for an international organization active in 50 countries and based in Brussels, Belgium. Teo is a Certified Information Privacy Professional/Europe (CIPP/E) and Certified Information Privacy Manager (CIPM) with the International Association of Privacy Professionals (IAPP).
More about the author
