For businesses handling personal data within the European Economic Area (EEA), ensuring compliance with the General Data Protection Regulation (GDPR) is a critical step. A key element of this compliance is obtaining clear, informed consent from users. In this article, we aim to guide you through the process by showcasing eight diverse GDPR consent form examples across various industries, helping you visualise how to seamlessly integrate compliance into your user interfaces.
How to make GDPR-compliant consent forms?
Creating GDPR-compliant consent forms goes beyond just ticking legal boxes. It’s about making them easy to understand and encouraging users to consent. Here’s how you can do that effectively:
- Use clear language: Write consent forms in plain language that’s easy for everyone to understand. Avoid complex legal terms to prevent confusion, and make sure to cover all relevant privacy laws, including those for sensitive data like political opinions, sexual orientation or philosophical beliefs.
- Be transparent: Clearly state why you’re collecting data, like IP addresses or biometric data, and how it will be used. Let users choose what data processing activities they consent to, ensuring that all activities align with a lawful basis, like legitimate interest.
- Keep it concise: Provide essential information without overwhelming users. Summarise key points and use links or expandable sections for those wanting more details, which is especially helpful in eCommerce scenarios where quick decisions are key.
- Require active consent: Use checkboxes or buttons for users to actively opt in, avoiding pre-ticked boxes. This affirmative action ensures users know exactly what they consent to, especially for sensitive data categories.
- Use visual aids: Incorporate icons or diagrams to make consent requests more engaging and easier to understand, such as when requesting consent for marketing emails or confirmation emails.
- Offer easy withdrawal: Make it straightforward for users to withdraw consent, like providing a link in a pop-up or privacy notice. This approach builds trust and respects users’ rights under GDPR.
- Include essential legal info: Instead of just linking to legal details, directly include key information, such as disclaimers about data retention or the role of the data protection officer. This increases trustworthiness and helps keep users engaged.
Now, let’s dive into some real-world GDPR consent form examples that illustrate these principles in action and key takeaways from them.
GDPR consent form example #1: CookieYes – cookie consent banner
CookieYes offers a customisable cookie consent banner that allows websites to comply with GDPR by obtaining user consent for using cookies. The banner clearly explains the purpose of different types of cookies (e.g., necessary, analytics, marketing) and allows users to accept or reject specific categories of cookies.
Key takeaways:
- Informed consent and transparency: The banner clearly explains the types of cookies used and their purposes, ensuring users understand what they consent to, which is crucial for GDPR compliance.
- Granularity and user control: Users can accept or reject specific categories of cookies, giving them granular control over their data preferences.
- Consent withdrawal: The banner includes an easy-to-access option for users to withdraw their consent anytime. This feature ensures users can change their cookie preferences, maintaining control over their data even after initial consent.
- Customizability: The banner can be tailored to match the website’s design and compliance needs, integrating seamlessly with the user interface while ensuring GDPR compliance.
- User-friendly interface: Designed for ease of use, the banner lets users make informed choices quickly without interrupting their browsing experience.
GDPR consent form example #2: Epic Games – account registration
Epic Games incorporates GDPR-compliant practices throughout its account registration and verification process. The registration form requires explicit consent for terms of service, followed by an email verification step that enables two-factor authentication (2FA) for added security.
Key takeaways:
- Explicit consent: During registration, users must actively check a box to agree to the terms of service. The checkbox is not pre-selected, ensuring that users consciously provide their consent. Additionally, a separate checkbox allows users to opt into receiving newsletters, surveys, and special offers, giving them control over their communication preferences.
- Informed decision-making: The form links to the “terms of service” and “privacy policy,” allowing users to review these documents before consenting. This transparency ensures that users are fully informed about the terms and conditions they agree to.
- Security and data protection: After account creation, users are prompted to verify their email address by entering a security code sent to their email. This step not only confirms the validity of the email but also sets up two-factor authentication (2FA), enhancing the security of the user’s account and protecting their personal data.
GDPR consent form example #3: Jaquar Group – Data subject consent form
Jaquar Group uses a comprehensive Data Subject Consent Form to obtain explicit consent from individuals before processing their personal data for various purposes, such as personal data sharing with third parties, direct marketing, or image processing. The form also provides clear instructions on how users can withdraw their consent at any time.
Key takeaways:
- Purpose specification: The form clearly outlines the specific processing activities for which consent is sought, such as data sharing, marketing, or image processing. This ensures that individuals are fully informed about how their data will be used, aligning with GDPR requirements for informed consent.
- Withdrawal flexibility: The form provides detailed information on how users can withdraw their consent, offering multiple methods, including email and postal mail, to designated offices. This flexibility ensures that users can easily manage their consent preferences.
- Formal documentation: The form requires a signature and date and serves as a formal record of consent, essential for compliance and accountability under GDPR.
- Global applicability: Including various Jaquar Group office addresses in different countries highlights the company’s commitment to complying with data protection laws across multiple jurisdictions, reflecting a robust approach to global data privacy.
GDPR consent form example #4: CookieLawInfo – newsletter signup
CookieLawInfo provides a transparent and user-friendly consent form for their newsletter subscription. The form is designed to inform users exactly what they are signing up for. Users must actively check a box to consent to receiving the newsletter, ensuring GDPR compliance.
Key takeaways:
- Transparency: The consent form clearly states that users will receive newsletters related to data privacy and cookie compliance updates by signing up. It also includes a link to their Privacy Policy, which explains in detail how the user’s data will be managed.
GDPR consent form example #5: National Nuclear Laboratory, UK – photo consent form
The National Nuclear Laboratory (NNL) uses a GDPR-compliant photo consent form to obtain explicit consent for using photographs that include individuals. The form is designed to ensure that the users (or their legal guardian, if the user is underage) fully understand and agree to the use of their image for various purposes, such as appearing in the organisation’s publications, websites, and advertisements.
Key takeaways:
- Purpose specification: The form clearly outlines the specific purposes for which the user’s image may be used, such as inclusion in publications, websites, and advertisements produced by the organisation. This explicit detailing ensures that the user is fully aware of how their image will be utilised.
- Consent validity and withdrawal: The form specifies that consent is valid for one year and gives the user the right to withdraw consent after this period. This clause not only complies with GDPR requirements but also empowers the user by giving them control over the long-term use of their image.
- Legal age consideration: The form includes a section to confirm whether the user is of legal age. If the user is underage, the consent must be provided by a legal guardian. This consideration ensures that the consent obtained is legally valid and appropriate.
- Data protection: The form assures the user that their images and personal information will be handled in compliance with GDPR guidelines. This assurance builds trust by affirming that the organisation will manage the data responsibly and securely.
GDPR consent form example #6: Boston Dynamics – contact sales form
Boston Dynamics utilises a contact sales form to gather information from potential customers interested in their robotics solutions. The form is designed to collect essential details such as name, email, company, and intended applications while obtaining explicit consent to receive communications from Boston Dynamics.
Key takeaways:
- Transparency and informed consent: The form includes a clear statement explaining that the user’s data will be used to send product news, updates, and other announcements. It also informs users that their data will not be shared with third parties and that they can unsubscribe anytime. The form also explains why it asks for the user’s email address. This ensures that users are fully aware of how their data will be used, aligning with GDPR requirements.
- Explicit consent: At the bottom of the form is a checkbox where users can agree to receive communications from Boston Dynamics. This checkbox is unchecked by default, requiring users to actively provide their consent, which is crucial for GDPR compliance.
- User control and privacy: The form links to the Privacy Policy, allowing users to access more detailed information about how their data will be managed. Additionally, the option to unsubscribe any time gives users ongoing control over their personal information.
- Seamless integration: The consent checkbox is part of the form’s natural flow, ensuring it is easily accessible without disrupting the user experience.
GDPR consent form example #7: Spotify – multi-step signup form
Spotify’s signup process is designed to be user-friendly while ensuring compliance with GDPR. It includes multiple steps: users provide their email, create a password, enter personal details, and review terms and conditions. The final step involves obtaining explicit consent for marketing communications and data sharing. Users can sign up even without consenting to the options.
Key takeaways:
- Step-by-step process: The signup process is divided into clear steps, guiding users through the information they need to provide. This approach reduces complexity and makes it easier for users to understand what they consent to at each stage.
- Granular consent options: In the final step, users are presented with two checkboxes: one to opt out of Spotify’s marketing messages and another to share their registration data with Spotify’s content providers for marketing purposes. Both options are unchecked by default, ensuring that any consent given is explicit and informed.
- Specific consent: Users must agree to the Terms and Conditions of Use as part of the signup process. However, the consent for data sharing and marketing messages is kept separate and not bundled with the acceptance of the terms and conditions.
- Transparency: Spotify provides direct links to its “Terms and Conditions of Use” and “Privacy Policy,” allowing users to easily access detailed information about how their data will be collected, used, and protected. This transparency is essential for GDPR compliance.
- User control: Spotify gives users control over their personal data by offering options to opt out of marketing communications and data sharing. Users can make informed decisions about how their data will be used, which aligns with GDPR’s emphasis on user autonomy and consent.
GDPR consent form example #8: Spotify – data download request
Here is another example from the music streaming platform. Though not a traditional consent form, Spotify’s privacy policy provides a user-friendly interface for users to request a copy of their personal data. The interface offers different categories of data that users can download, such as account data, extended streaming history, and technical log information. The form is designed to allow users to select the specific data they want to download, with clear explanations of what each category includes.
Key takeaways:
- Transparency and clarity: The form provides detailed descriptions of each data category, such as playlists, streaming history, payment data, and more, allowing users to understand exactly what they request. This transparency ensures that users are fully informed about the contents of their data download.
- Granular control: Users can select specific categories of data to download, such as their account data or extended streaming history. This level of granularity gives users control over what personal data they access, aligning with GDPR’s principle of data minimisation.
- User-friendly interface: The design is intuitive, with each category clearly labelled and explained, making it easy for users to navigate and select the data they wish to download.
What information should be recorded in GDPR-compliant consent forms?
To ensure GDPR compliance in managing consent, it’s crucial to track and record the following key details:
User identity
Record the name, email address, or identifying information linking the consent or opt-out to a specific user. This ensures that the consent is attributable to the correct individual.
Timestamp
Document the exact date and time when the user provided or withdrew consent. This timestamp is vital for demonstrating compliance and managing the validity of the consent over time.
Method of consent
Capture how the user provided or denied consent—whether through an online form, a checkbox, a verbal agreement logged in records, or another method. Ensuring the consent is explicit and affirmative (e.g., checking a box or clicking “I agree”) is essential.
Specific purposes
Clearly document the user’s consent to receive marketing communications, share data with third parties, or engage in other processing activities. Additionally, record any specific data processing activities they opted out of.
Withdrawal details
If the user withdraws their consent, record the date and time of the withdrawal along with the specific retracted consent. This information is crucial to ensure that data processing activities stop immediately for the purposes tied to the withdrawn consent.
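As an added example, not code from the page or from CookieYes or any organisation discussed above, the following Python sketch of an append-only consent ledger implements the five record-keeping items just listed (identity, timestamp, method, specific purposes, withdrawal) together with the "require active consent, no pre-ticked boxes" rule from the earlier checklist. The purpose names, the list of affirmative methods, the `"on"` checkbox convention, and the sample submission are assumptions constructed for the demo.

```python
"""Append-only consent ledger (added example; not CookieYes code).

Records who consented, when, how, to which specific purpose, and when consent
was withdrawn, so that processing for a withdrawn purpose can be stopped and
the decision can later be demonstrated.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Hypothetical processing purposes; each is consented to separately (granular consent).
PURPOSES = ("marketing_email", "third_party_sharing", "analytics_cookies")

# Methods that count as an explicit, affirmative action (assumed set). Anything else
# (pre-ticked box, silence, continued browsing) must never be stored as a grant.
AFFIRMATIVE_METHODS = {"checkbox_ticked", "button_clicked", "signed_form"}

# Constructed timestamps for the demo scenario below.
SIGNUP_AT = datetime(2024, 3, 1, 9, 30, tzinfo=timezone.utc)
WITHDRAWN_AT = datetime(2024, 3, 15, 18, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str        # who: identifier linking the record to one data subject
    purpose: str           # what: exactly one processing purpose
    granted: bool          # True = consent given; False = refused or withdrawn
    method: str            # how: the action taken (e.g. checkbox_ticked, withdrawal_link)
    timestamp: datetime    # when: timezone-aware UTC
    policy_version: str    # which privacy notice the subject was shown


class ConsentLedger:
    """Append-only log; the latest event per (subject, purpose) is authoritative."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, subject_id: str, purpose: str, granted: bool, method: str,
               timestamp: datetime, policy_version: str) -> ConsentEvent:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        if timestamp.tzinfo is None:
            raise ValueError("timestamp must be timezone-aware")
        if granted and method not in AFFIRMATIVE_METHODS:
            raise ValueError(f"a grant needs an affirmative action, got: {method}")
        event = ConsentEvent(subject_id, purpose, granted, method, timestamp, policy_version)
        self._events.append(event)   # never edited or deleted: this is the evidence trail
        return event

    def withdraw(self, subject_id: str, purpose: str, timestamp: datetime,
                 method: str = "withdrawal_link") -> ConsentEvent:
        """Withdrawal is recorded as a new event against the same purpose."""
        previous = self.latest(subject_id, purpose)
        version = previous.policy_version if previous else "none"
        return self.record(subject_id, purpose, False, method, timestamp, version)

    def latest(self, subject_id: str, purpose: str,
               at: Optional[datetime] = None) -> Optional[ConsentEvent]:
        """Most recent event for this subject and purpose, optionally as of a past instant."""
        matching = [e for e in self._events
                    if e.subject_id == subject_id and e.purpose == purpose
                    and (at is None or e.timestamp <= at)]
        return max(matching, key=lambda e: e.timestamp) if matching else None

    def has_consent(self, subject_id: str, purpose: str,
                    at: Optional[datetime] = None) -> bool:
        """No record at all means no consent: there is no default opt-in."""
        event = self.latest(subject_id, purpose, at)
        return event is not None and event.granted

    def history(self, subject_id: str) -> List[ConsentEvent]:
        return [e for e in self._events if e.subject_id == subject_id]


def ingest_form_submission(ledger: ConsentLedger, subject_id: str, posted: Dict[str, str],
                           timestamp: datetime, policy_version: str) -> List[ConsentEvent]:
    """Turn one posted form into one event per purpose.

    Browsers omit unticked checkboxes from the submission and send "on" for ticked
    ones, so a missing field is recorded as a refusal, never as a grant. The
    terms-of-service box is deliberately not a purpose here: accepting the terms
    must not be bundled with consent to marketing or sharing.
    """
    events = []
    for purpose in PURPOSES:
        ticked = posted.get(purpose) == "on"
        method = "checkbox_ticked" if ticked else "checkbox_left_empty"
        events.append(ledger.record(subject_id, purpose, ticked, method, timestamp, policy_version))
    return events


def accepts_grant_method(method: str) -> bool:
    """True if the ledger would store a grant made via this method."""
    try:
        ConsentLedger().record("probe", PURPOSES[0], True, method, SIGNUP_AT, "v1")
        return True
    except ValueError:
        return False


def demo() -> ConsentLedger:
    """Constructed scenario: a signup that ticks only the marketing box, then a withdrawal."""
    ledger = ConsentLedger()
    posted = {"terms_accepted": "on", "marketing_email": "on"}   # constructed payload
    ingest_form_submission(ledger, "user-42", posted, SIGNUP_AT, policy_version="privacy-2024-02")
    ledger.withdraw("user-42", "marketing_email", WITHDRAWN_AT)
    return ledger


if __name__ == "__main__":
    led = demo()
    for e in led.history("user-42"):
        print(e.timestamp.isoformat(), e.purpose, "granted" if e.granted else "not granted", e.method)
    print("may email now?", led.has_consent("user-42", "marketing_email"))
```

The `at` parameter on `has_consent` is what makes the ledger useful as evidence: it answers not only "may we email this person now?" but "were we allowed to email them on the date we did?", which is the question a complaint or audit actually asks. Storing the policy version alongside each event records which notice the person saw when they agreed.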
Additional reading: The Role of Consent Form Design Under GDPR
FAQ on GDPR consent form
A GDPR consent form should:
- Clearly state why personal data is collected and how it will be used.
- Specify what personal data is being collected.
- Include an opt-in mechanism (e.g., checkbox) for explicit consent.
- Inform users of their right to withdraw consent at any time.
- Specify how long data will be stored or processed.
- Mention if data will be shared with third parties and why.
- Outline rights like access, rectification, and erasure.
- Provide contact details for data protection.
The GDPR-specific requirement for consent is that it must be:
- Freely Given: Consent must be a genuine choice without any pressure or negative consequences for refusal.
- Informed: Individuals must be fully informed about what they consent to, including who is collecting the data, how it will be used, and any third-party involvement.
- Specific: Consent should be given for specific purposes, and each purpose must be clearly explained.
- Unambiguous: Consent must involve an explicit, affirmative action, such as ticking a box or clicking a button, that indicates agreement.
- Easily Withdrawn: Individuals must be able to withdraw consent as easily as they gave it, without any complications.
GDPR applies to organisations that determine the purposes and means of processing personal data (controllers) and those that process data on behalf of controllers (processors), where the organisation is:
- Established within the EU, regardless of where the data processing occurs.
- Established outside the EU but offering goods or services to, or monitoring the behaviour of, users within the EU.