GDPR consent form examples – What to do and not to do

GDPR requires that organizations have a lawful basis for processing data. One such basis is consent, which according to the GDPR has to be explicit and freely given. This means that the mechanism for acquiring consent must be unambiguous and involve a clear affirmative action.

While you shouldn’t ask for it if you’re carrying out a core service or process personal data by law, you should ask for consent when you’re offering a non-essential service, like sending marketing emails and newsletters.

Here’s a breakdown of the most important things you must know about email consent under GDPR – with plenty of templates and examples of how to put them into action.

1. Be transparent with your GDPR consent requests

Avoid complex phrasing when explaining reasons for consent: specify why you want the data and what you’re going to do with it in “plain English”. Also, don’t forget to clearly name your organization and any third parties relying on the user’s consent.

2. Don’t use pre-ticked checkboxes on your consent forms

Ask users to positively opt-in, because under the GDPR pre-ticked checkboxes (or any other type of consent by default) are not allowed.

Example

GDPR consent form example - Consenting action must be explicit and freely given

Double opt-in

While not required by the GDPR, the safest way to handle a mailing list is the double opt-in, a process that includes two steps:

This method of registration is considered best practice in many countries, especially Germany and in the EU.

Looking for a simple and compliant way to manage consent for newsletter subscriptions?

Try our Newsletter Opt-in Booster 👉 it adds a customizable signup form to your site, allowing you to collect and manage consent through a double opt-in process for a more engaged and responsive audience.

When your consent forms don’t need checkboxes

Checkboxes are necessary when you are trying to get GDPR consent for separate things, but they’re not required where the purpose of the sign-up mechanism is unequivocal.

Example

In a scenario where your site has a pop-up window that invites users to sign up to your newsletter using a clear phrase such as: “Subscribe to our newsletter for access to discount vouchers and product updates!“, the affirmative action that the user performs by typing in their email address would be considered valid consent.

Soft opt-in

In short, soft opt-in can occur when your user has provided their email address while purchasing a product or service from you.

Note that this exception does not apply if the user has previously opted out (e.g. by unsubscribing from your newsletter).

3. Separate GDPR consent requests from terms and conditions

Under the GDPR, email consent needs to be separate.

For example, never bundle consent with your terms and conditions: agreeing to terms and conditions and giving consent to various activities (such as subscribing to a newsletter) are not the same thing. Make them easily distinguishable from each other and provide individual opt-ins for consent.

Example

GDPR consent form example - Multiple consents

4. Give separate granular consent options

Your forms should allow customers to consent to independent processing operations. Help users to have full control of their consents and permissions by creating an overview of each activity you need.

Example

GDPR consent form example - Separate granular consent options

5. Make it easy to withdraw consent

Users have the right to withdraw their consent at any time and you should clearly tell them where and how to do it without detriment. As a consequence, consent doesn’t have to be a precondition of a service.

Include an option to opt-out from receiving emails in the footer of every promotional email you send. Ideally, users should also have the ability to manage their email preferences from within their account.

Example

GDPR consent form example - Withdraw consent

“You are receiving this email because…” – How to write a good permission reminder

A permission reminder is a short paragraph in an email (usually in the footer) that helps recipients remember how you got their email address. It can help reduce spam complaints and unsubscribe requests.

An appropriate permission message is something like: “You are receiving this email because you’re a customer, or signed up via our [source]”.

6. Keep proof of consent

GDPR not only sets the rules for how to collect consent, but also requires companies to keep a record of these consents. It means that you must be able to provide proof of:

How iubenda can help with GDPR requirements for your consent forms

Our Consent Database simplifies the process of making your forms GDPR compliant by helping you to:

With our Consent Database, you can look at each individual subscriber, see when they opted in, and which form they used to do so.

Collect GDPR consent for your forms

About us

iubenda

Compliance solutions for websites, apps and organizations: collect GDPR consent, document opt-ins and CCPA opt-outs via your web forms.

See also