When the General Data Protection Regulation (GDPR) took effect in 2018, it changed how websites worldwide requested consent from users for personal data processing overnight.
Five years later, we understand how, why, and when websites should ask for affirmative user consent as their legal basis.
In this guide, I teach you how to build compliant GDPR consent forms and how to obtain, record, and manage consent.
If your business is subject to the requirements outlined by the GDPR, you may use consent as a legal basis for processing certain personal information.
If you decide that consent is the appropriate legal basis for your processing activity, you must follow specific guidelines when requesting consent from users.
According to the GDPR, individuals must give consent through a statement or explicit affirmative action and be:
Additionally, individuals must be given the right to withdraw their consent at any time as easy as it was given.
With this legal definition in mind, let’s discuss making a GDPR-compliant consent form for your website or app.
Remember, consent is one of the six legal bases under which businesses may process personal data under GDPR.
Implement these three transparency requirements into your consent forms:
Don’t use pre-ticked checkboxes, implied consent, or default consent when you ask users to opt-in to your consent request. All of these techniques violate the GDPR.
Instead, provide an unticked box the users must actively select to express their agreement.
See a side-by-side comparison of what to and not to do with checkboxes below.
As the GDPR form example above shows, users must freely give you consent to send them email and be able to access your offering without subscribing to your newsletter.
Consider implementing a double opt-in consent request when you ask users to sign up for a mailing list.
First, provide users with an online consent form they fill out manually to subscribe to your emails.
Then, send a confirmation email and ask them to click on a link to verify their email address, adding it to your mailing list.
While obtaining double consent in this way is not explicitly required by the GDPR, it’s a business best practice commonly used under GDPR.
Under the GDPR, you may use checkboxes when asking users to consent to multiple items on a single form. However, you don’t necessarily need to use one if the reason for consent is unambiguous.
For example, if you use a pop-up to request consent to a newsletter, you can ask them to enter their email address using a clear phrase and an explicitly labeled button to obtain valid consent.
Check out an example of the right and wrong ways to write this type of consent request below.
Depending on the applicable laws, you may be permitted to use previously collected details about an individual to send them an email without obtaining consent.
For example, this practice may be permitted in the United States, the European Union, Canada, Australia, and the United Kingdom, so long as you meet the following:
However, if the individual previously opted out of receiving your emails, you cannot send them any promotional content in this way.
You must also check each applicable law in detail, as the list above is neither exhaustive nor generally applicable.
The GDPR requires you to separate consent requests for different purposes.
In other words, you can’t bundle your consent for your legal policies, like your terms and conditions, with signing up for a newsletter.
For complete GDPR compliance, ensure your consent requests are distinguishable and obvious to the user.
See an example of how to and how not to do this below.
If your consent form asks users to agree to multiple processing operations, ensure you provide them the option to opt into each item individually.
Otherwise, your consent form doesn’t adequately follow the GDPR standard.
See an example of how to do this below.
The GDPR mandates that you allow users to withdraw consent or change their minds at any time without consequence. Doing so must be as easy for the user as giving consent.
You must inform them how to withdraw consent, like by adding an opt-out option at the bottom of your marketing or promotional emails.
Below, see an example of how to do this successfully under the GDPR.
In addition to obtaining consent, the GDPR also requires you to maintain a log of your users’ consent choices.
To provide adequate proof of consent, you must keep track of the following details for each of your users:
To help you quickly and efficiently meet the GDPR consent obligations, I made a helpful list of the dos and the don’ts:
The opt-in action, wording, and placement of your GDPR-compliant consent request is half the battle — you must also ensure you maintain a record of your users’ consent choices.
According to Article 7, section 1 of the regulation:
“Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.”
To help you meet this legal requirement, I’ll explain what information you must keep a log of and how you can allow your users to manage their consent in the following sections.
The records you maintain regarding your users’ consent choices should be as specific and detailed as the consent itself.
For complete GDPR compliance, keep a record of the following information:
My favorite method for keeping a log of users’ consent choices is an automated solution, like Termly’s Consent Management Platform (CMP).
It stores a record of your users’ choices, which you can access in your Termly dashboard.
You also need to provide a way for your users to manage their consent choices because Article 7, Section 3 of the GDPR grants them the right to change their minds at any time.
It also states that withdrawing consent must be as easy as giving it.
Similarly, Chapter 3, Articles 15 – 21 of the GDPR gives consumers the following rights over their data:
To meet these requirements, post a consent preference center on your site with privacy controls that allow your users to update their choices whenever they want.
For example, the cookie banner on the Greek Data Protection Authority website can be re-activated at any time from the footer.
Additionally, I recommend publishing a Data Subject Access Request (DSAR) form.
To ensure your users always have access to the consent preference center and DSAR form, link both in static places of your site, like the footer or in a privacy center, if you use one.
When making a complaint GDPR consent form for your website, your users must have a real choice over how you collect and process their personal data.
Ensure your cookie and privacy policies are up to date, and include a live link to each one on any consent requests you implement.
Remember to obtain user consent whenever data collection occurs and keep a record of each user’s choice.
Teo is a Data Privacy Specialist and experienced Data Protection Officer (DPO) who is passionate about helping companies meet their data protection obligations. He has an experience of more than seven years as a DPO for an international organization active in 50 countries and based in Brussels, Belgium. Teo is a Certified Information Privacy Professional/Europe (CIPP/E) and Certified Information Privacy Manager (CIPM) with the International Association of Privacy Professionals (IAPP).
