How to create opt-in forms under the GDPR?

GDPR Opt-in form

The General Data Protection Regulation (GDPR) has brought many new requirements for email marketing, but most of the confusion and most of the questions we receive centre on one area: opt-in consent forms (also called sign-up forms).

We would like to clear up the confusion about opt-in forms under the GDPR by walking through real-world examples and analysing what works and what does not.

We will cover the following aspects of the GDPR:

– How to use lead magnets

– When too many explanations are confusing

– When you should use checkboxes

– Obtaining consent for one thing

– How to get GDPR consent for multiple things

– How to comply with age verification 

The attitude of the GDPR on consent

Before getting into the sample opt-in forms, let us start with the actual wording of the GDPR on requests for consent. To build compliant opt-in forms, you first need to understand what the GDPR says.

Article 4(11) defines consent as follows:

“‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

Recital 32 further states:

“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data.”

As you can see, the GDPR sets a high standard for consent.

What are GDPR fields?

GDPR fields are elements you can add to your sign-up forms so that you collect and store subscriber consent properly. Using GDPR fields helps keep your business compliant with the GDPR.

GDPR fields consist of consent text explaining why the user’s data is being collected, checkboxes that let the user opt in to specific uses, legal text that explains in legal terms how the data will be used, and links to your privacy policy and terms.

To add the GDPR fields in INBOX, select the Marketing Permissions (GDPR compliant) and Privacy Policy fields in the sign-up form settings of your form editor.

Forbes GDPR consent example

Here is an excellent example of an opt-in form from Forbes. It states explicitly how often subscribers will receive the newsletter and what the emails are about. It also contains a link to the privacy policy and tells subscribers how to unsubscribe. Great job!

How to properly use incentives in forms

It is very common to give something away for free in exchange for an email address. These giveaways are often called lead magnets. Under the GDPR, you cannot simply collect an email address in exchange for a lead magnet without explaining how you will use that address.

Red Bull GDPR lead magnet

Let us look at Red Bull’s example, which is clear and straightforward. It shows how a free offer can be tied to a subscription: it mentions the incentive, explains the consent to email marketing, and mentions the option to unsubscribe. Superb!

When you do not need checkboxes

Checkboxes are necessary when you ask for consent to two or more different things, such as a newsletter and advertising. If a form asks for consent to a single thing, it is better not to add a checkbox: submitting the form is itself the affirmative act, as long as the consent text next to the button makes clear what the subscriber is agreeing to. You will also get higher conversion rates with fewer checkboxes.

The CBS Sports example

CBS Sports has created a good, GDPR-compliant opt-in form. There is no need for a separate consent checkbox here, because consent is obtained for a single purpose only.

Age verification

Article 8 of the GDPR covers consent as the lawful basis for offering information society services directly to a child. Such processing is lawful where the child is at least 16 years old.

If the child is under 16, the processing is lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.

Parental consent

Member States may provide by law for a lower age for these purposes, provided that such age is not less than 13 years.

In such cases the controller must make reasonable efforts to verify that consent was given or authorised by the holder of parental responsibility over the child, taking available technology into account.

To fulfill these conditions, consider adding age verification or parental consent options to your forms when providing online services directly to children.

The European Data Protection Board (EDPB) has issued guidelines on consent that explain how parental consent can be verified. They stress that a proportionate approach should be taken when checking that the person giving consent actually holds parental responsibility: controllers should aim to collect only a limited amount of information, such as the contact details of a parent or guardian.

In low-risk cases, it is acceptable to obtain confirmation from the parent by email. In high-risk cases, trusted third-party verification services can be used; these also reduce the amount of personal data the controller has to process itself.

The European Data Protection Board provides an example of how parental consent can be obtained:

An online gaming platform wants to make sure that underage customers subscribe to its services only with the consent of a parent or guardian. The controller proceeds as follows:

Step 1: Ask the user to state whether they are under or over 16 years old (or the alternative age of digital consent that applies). If the user states that they are under the age of digital consent:

Step 2: The service informs the child that a parent or guardian must consent to or authorise the processing before the service is provided to the child. The user is asked to provide the email address of a parent or guardian.

Step 3: The service contacts the parent or guardian, obtains their consent to the processing by email, and takes reasonable steps to confirm that the adult has parental responsibility.

Step 4: In case of complaints, the platform takes additional steps to verify the age of the subscriber.

How to obtain consent for multiple purposes

Let us look at one of the most important statements of the GDPR on consent, also found in Recital 32:

“Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them.”

You must obtain consent for each purpose separately. Here is a GDPR-compliant example with separate consent boxes for marketing and for profiling.

Juventus GDPR Consent Example

In this example from Juventus Torino, a checkbox has been included for each purpose for which the user’s data could be used. Some users may not read these options, but they are clear, and if the user does not tick a box, consent for that purpose has not been given.
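The two points above (no consent where nothing was ticked, and a separate box for each purpose) are easy to get wrong on the server side, because a browser simply omits an unticked checkbox from the submission and a pre-ticked box looks identical to a ticked one once the form arrives. The following is an added example, not code from the article or from INBOX: it renders one unticked checkbox per purpose and reads the submission back as a per-purpose decision, treating anything other than an explicit affirmative value as “no consent”. The purpose names and consent texts are constructed for the example, and the hidden hash of the consent wording is a record-keeping practice, not something the GDPR text prescribes.

```python
"""Per-purpose consent fields: render them unticked, read them back server-side.

Added example; not code from the original article or from INBOX. The purposes,
field names and consent texts below are constructed for illustration.
"""
import hashlib
import html
from typing import Dict, Mapping

# One entry per purpose the form asks consent for, keyed by form field name.
# Constructed for the example.
PURPOSES: Dict[str, str] = {
    "consent_newsletter": "Send me the weekly newsletter by email.",
    "consent_profiling": "Analyse how I use your emails to personalise future messages.",
}

# A browser only submits a checkbox that is ticked ("on" unless a value is set),
# so a missing field, an empty string or any other value means no consent.
AFFIRMATIVE = {"on", "yes", "true", "1"}


def consent_text_version(purposes: Mapping[str, str]) -> str:
    """Short hash of the exact consent wording shown, so the stored record can
    say which text the subscriber agreed to (practice, not GDPR wording)."""
    joined = "\n".join(f"{name}={text}" for name, text in sorted(purposes.items()))
    return hashlib.sha256(joined.encode("utf-8")).hexdigest()[:16]


def render_consent_fields(purposes: Mapping[str, str]) -> str:
    """One unticked checkbox per purpose. Deliberately never emits `checked`."""
    rows = []
    for name, text in purposes.items():
        rows.append(
            f'<label><input type="checkbox" name="{html.escape(name)}" value="on"> '
            f"{html.escape(text)}</label>"
        )
    # Travels with the form so the server knows which wording was displayed.
    rows.append(
        f'<input type="hidden" name="consent_version" '
        f'value="{consent_text_version(purposes)}">'
    )
    return "\n".join(rows)


def parse_consent(form: Mapping[str, str], purposes: Mapping[str, str]) -> Dict[str, bool]:
    """Return a separate True/False per purpose. Missing or non-affirmative
    values are False. A submission whose hidden version does not match the
    wording this server currently renders (a stale or altered form) is
    rejected rather than recorded against text the subscriber never saw."""
    if form.get("consent_version") != consent_text_version(purposes):
        raise ValueError("consent text version mismatch; discard submission")
    return {
        name: form.get(name, "").strip().lower() in AFFIRMATIVE
        for name in purposes
    }
```

Store the dictionary returned by `parse_consent` together with the version hash, the timestamp and the form’s location; a later “did this person agree to profiling?” question is then answered by the record, not by a guess about what the form looked like at the time.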

If the text is too complex

The GDPR requires that a request for consent be presented in an intelligible and easily accessible form, using clear and plain language (Article 7(2)). Even though this is partly a matter of judgement, you need to do your best to communicate as clearly and efficiently as possible.

People do not like long or complex opt-in forms. They want to get through the “fine print” quickly and be sure what they are signing up for. Your copy needs to be simple and brief, without leaving out important information.

This brings us to our final example, which shows how confusing wording can be. This is an example of what NOT to do:

Single opt-in vs. double opt-in

Both methods let you grow your email list efficiently and securely. Why securely? Because in both cases you obtain what you need most to remain GDPR compliant: consent.

To be clear, the GDPR does not mandate the double opt-in method of collecting email addresses. In fact, the GDPR says nothing about single or double opt-in. What matters is your ability to prove that consent was given.

With single opt-in, you should capture a timestamp of the subscriber’s consent (date and time), its source (which website and form, which social media campaign, and so on) and the wording they agreed to. That record is your evidence that consent was given. For stronger proof, you can enable double opt-in, which means that anyone who subscribes must also confirm their request by clicking a link in a confirmation email; this additionally shows that the address belongs to the person who filled in the form. Double opt-in is the more robust method of collecting email addresses, but it does not invalidate or replace single opt-in. Bear in mind that what counts as sufficient proof of consent can also depend on national law and case law in the countries you send to, so check those rules as well.
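The consent record described above and the emailed confirmation of double opt-in use the same mechanism as the EDPB parental-consent example in the age verification section (Steps 2 and 3), only with the confirmation link sent to the parent or guardian instead of the subscriber. The following added example, which is not code from the article or from INBOX, shows all three in one place: a timestamped consent record with its source and wording version, an HMAC-signed, expiring confirmation token for double opt-in, and the same token addressed to a parent when the subscriber says they are under the age of digital consent. The record fields, the token format and the 48-hour expiry are assumptions made for the example.

```python
"""Proof of consent: a timestamped record, plus a signed confirmation link for
double opt-in that is reused, addressed to the parent, for underage sign-ups.

Added example; not code from the original article or from INBOX. Record fields,
token format and the 48-hour expiry are illustrative assumptions.
"""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Key for signing confirmation tokens. Generated here so the example runs
# offline; a real deployment loads it from a secret store, never from code.
SIGNING_KEY = secrets.token_bytes(32)
TOKEN_TTL = timedelta(hours=48)


@dataclass
class ConsentRecord:
    email: str
    purposes: List[str]                 # purposes the subscriber actually ticked
    consent_text_version: str           # identifies the wording they were shown
    source: str                         # where the form lived, e.g. "website:/signup"
    requested_at: str                   # UTC timestamp of the form submission
    confirmed_at: Optional[str] = None  # set when the emailed link is clicked
    confirmed_by: Optional[str] = None  # "subscriber" or "parent"


def _now() -> datetime:
    return datetime.now(timezone.utc)


def _stamp(t: datetime) -> str:
    return t.isoformat(timespec="seconds")


def make_token(email: str, confirmer: str, now: Optional[datetime] = None) -> str:
    """base64url(payload).base64url(HMAC-SHA256(payload)). The payload names the
    address, who must confirm it, and when the link stops working."""
    now = now or _now()
    payload = json.dumps(
        {"email": email, "by": confirmer, "exp": (now + TOKEN_TTL).timestamp()},
        separators=(",", ":"), sort_keys=True,
    ).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return f"{base64.urlsafe_b64encode(payload).decode()}.{base64.urlsafe_b64encode(sig).decode()}"


def verify_token(token: str, now: Optional[datetime] = None) -> Optional[dict]:
    """Return the payload if the signature is valid and unexpired, else None."""
    now = now or _now()
    try:
        p64, s64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    data = json.loads(payload)
    return data if data["exp"] >= now.timestamp() else None


def start_signup(email: str, purposes: List[str], consent_text_version: str,
                 source: str, double_opt_in: bool, under_age: bool,
                 parent_email: Optional[str] = None,
                 now: Optional[datetime] = None) -> Tuple[ConsentRecord, Optional[str], Optional[str]]:
    """Create the consent record and, where confirmation is needed, return the
    (recipient, token) for the confirmation email the caller then sends."""
    now = now or _now()
    rec = ConsentRecord(email, list(purposes), consent_text_version, source, _stamp(now))
    if under_age:
        # Parent or guardian confirms by email (the EDPB low-risk approach). This
        # only shows that the parent controls that mailbox, not their identity.
        if not parent_email:
            raise ValueError("a parent or guardian email address is required")
        return rec, parent_email, make_token(email, "parent", now)
    if double_opt_in:
        return rec, email, make_token(email, "subscriber", now)
    # Single opt-in: the submission itself is the affirmative act; record it as such.
    rec.confirmed_at, rec.confirmed_by = rec.requested_at, "subscriber"
    return rec, None, None


def confirm(rec: ConsentRecord, token: str, now: Optional[datetime] = None) -> bool:
    """Mark the record confirmed if the clicked token is valid for this address."""
    data = verify_token(token, now)
    if data is None or data["email"] != rec.email or rec.confirmed_at is not None:
        return False
    rec.confirmed_at, rec.confirmed_by = _stamp(now or _now()), data["by"]
    return True


def may_email(rec: ConsentRecord, purpose: str) -> bool:
    """Send only on a confirmed record, and only for a purpose that was ticked."""
    return rec.confirmed_at is not None and purpose in rec.purposes
```

The token carries no database identifier, so the confirmation endpoint needs nothing but the signing key to check it, and an unconfirmed record never reaches the sending code because `may_email` refuses it. Keep the record after confirmation: it is exactly the timestamp, source and wording evidence the section above asks for, and the `confirmed_by` field documents that a parent, not the child, gave the consent.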

A checklist for creating GDPR-compliant opt-in forms

To help you create opt-in forms that comply with the GDPR, we have put together a checklist you can use to verify that your forms are ready to go.

Opt-in forms checklist

Use clear, simple, and easy-to-understand language.

Request consent separately for each specific purpose.

Ask users to actively opt in; never use pre-ticked boxes.

Make the request for consent clearly visible and separate from your Terms and Conditions.

Tell individuals that they can withdraw their consent at any time.

Provide simple and effective withdrawal mechanisms.

Make withdrawing consent as easy as giving it.

Explain why you are asking for their information and what you will do with it.

Obtain consent from children only using age-verification measures (and for younger children, parental consent).

Include a link to your privacy policy.


We hope this article has been helpful.

© Copyright INBOX.