8 Top GDPR Consent Form Examples to Ensure Compliance

For businesses that handle personal data within the European Economic Area (EEA), complying with the General Data Protection Regulation (GDPR) is essential. A crucial part of this compliance involves obtaining user consent that is clear and well-informed. This article features eight different examples of GDPR consent forms from various sectors, illustrating how compliance can be seamlessly integrated into user interfaces.

Before proceeding, here are some important resources:

• Guide to EU GDPR
• Guide to GDPR consent

How to Make GDPR-Compliant Consent Forms

Creating GDPR-compliant consent forms involves more than just fulfilling legal requirements; it's about making them easy to understand and encouraging users to provide consent. Effective methods include:

• Use straightforward language: Write consent forms using plain language that is easy for everyone to understand. Avoid complicated legal terms to prevent confusion and ensure all relevant privacy laws are covered, including those for sensitive data categories such as political views, sexual orientation, or philosophical beliefs.
• Be transparent: Clearly explain why you are collecting data, like IP addresses or biometric information, and how it will be used. Allow users to choose which data processing activities they consent to, ensuring all activities have a lawful basis, such as legitimate interest.
• Keep it brief: Provide essential details without overwhelming users. Summarize key points and use links or expandable sections for users who wish to learn more, which is especially beneficial in e-commerce where quick decisions are often needed.
• Require actively given consent: Use checkboxes or buttons that users must actively select to opt-in, avoiding pre-ticked boxes. This affirmative action ensures users are fully aware of what they are consenting to, particularly for sensitive data types.
• Utilize visual aids: Incorporate icons or diagrams to make consent requests more engaging and easier to understand, for example, when asking for consent for marketing or confirmation emails.
• Offer simple withdrawal: Make it simple for users to withdraw their consent, perhaps by including a link in a pop-up or privacy notice. This builds trust and respects user rights under GDPR.
• Include vital legal information: Instead of just linking to legal details, directly include key information, such as disclaimers on data retention or the data protection officer's role. This enhances trustworthiness and helps keep users engaged.

Now, let's look at some real-world GDPR consent form examples that demonstrate these principles and their key takeaways.

GDPR Consent Form Example #1: CookieYes – Cookie Consent Banner

CookieYes provides a customizable cookie consent banner that helps websites comply with GDPR by getting user consent for cookie usage. The banner clearly explains the purpose of different cookie types (e.g., necessary, analytics, marketing) and lets users accept or reject specific categories.

Key takeaways:

• Informed consent and transparency: The banner clearly explains the types of cookies used and their purposes, ensuring users understand what they are consenting to, which is crucial for GDPR compliance.
• Granularity and user control: Users can accept or reject specific cookie categories, giving them fine-grained control over their data preferences.
• Consent withdrawal: The banner includes an easily accessible option for users to withdraw their consent at any time. This feature ensures users can change their cookie preferences, maintaining control even after initial consent.
• Customizability: The banner can be tailored to match the website's design and compliance needs, integrating seamlessly with the user interface while ensuring GDPR compliance.
• User-friendly interface: Designed for ease of use, the banner allows users to make informed choices quickly without disrupting their browsing experience.

Interested in improving your website’s GDPR compliance? Discover CookieYes for easy-to-implement cookie consent banners that ensure compliance.

• Try for free 14-day free trial (Cancel anytime)

Further resources:

• How does GDPR affect cookies?
• GDPR cookie consent examples

GDPR Consent Form Example #2: Epic Games – Account Registration

Epic Games incorporates GDPR-compliant practices throughout its account registration and verification process. The registration form requires explicit consent for terms of service and includes an email verification step that activates two-factor authentication (2FA) for added security.

Key takeaways:

• Explicit consent: During registration, users must actively check a box to agree to the terms of service. The checkbox is not pre-selected, ensuring users consciously provide consent. A separate checkbox allows users to opt into receiving newsletters, surveys, and offers, giving them control over communication preferences.
• Informed decision-making: The form links to the "terms of service" and "privacy policy," allowing users to review documents before consenting. This transparency ensures users are fully informed about the terms and conditions they agree to.
• Security and data protection: After creating an account, users are prompted to verify their email address using a security code. This step confirms email validity and sets up 2FA, enhancing account security and protecting personal data.

GDPR Consent Form Example #3: Jaquar Group – Data Subject Consent Form

Jaquar Group uses a comprehensive Data Subject Consent Form to obtain explicit consent from individuals before processing their personal data for various purposes, including sharing with third parties, direct marketing, or image processing. The form also gives clear instructions on how users can withdraw consent at any time.

Key takeaways:

• Purpose specification: The form explicitly lists the specific processing activities for which consent is sought, such as data sharing, marketing, or image processing. This ensures individuals are fully informed about how their data will be used, aligning with GDPR requirements for informed consent.
• Withdrawal flexibility: The form provides detailed information on how users can withdraw their consent, offering multiple methods, including email and postal mail to designated offices. This flexibility ensures users can easily manage their consent preferences.
• Formal documentation: The form requires a signature and date, serving as a formal record of consent, which is essential for compliance and accountability under GDPR.
• Global applicability: Including various Jaquar Group office addresses in different countries highlights the company’s commitment to complying with data protection laws across multiple jurisdictions, reflecting a robust approach to global data privacy.

GDPR Consent Form Example #4: CookieLawInfo – Newsletter Signup

CookieLawInfo provides a transparent and user-friendly consent form for their newsletter subscription. The form is designed to inform users exactly what they are signing up for. Users must actively check a box to consent to receiving the newsletter, ensuring GDPR compliance.

Key takeaways:

• Transparency: The consent form clearly states that users will receive newsletters about data privacy and cookie compliance updates upon signing up. It also includes a link to their Privacy Policy, which details how user data will be managed.

GDPR Consent Form Example #5: National Nuclear Laboratory, UK – Photo Consent Form

The National Nuclear Laboratory (NNL) uses a GDPR-compliant photo consent form to obtain explicit consent for using photographs containing individuals. The form ensures users (or their legal guardians for minors) fully understand and agree to the use of their images for various purposes, such as appearing in the organization’s publications, websites, and advertisements.

Key takeaways:

• Purpose specification: The form explicitly outlines the specific purposes for which the user’s image may be used, such as inclusion in the organization’s publications, websites, and advertisements. This detailed explanation ensures the user is fully aware of how their image will be utilized.
• Consent validity and withdrawal: The form states consent is valid for one year and grants the user the right to withdraw consent after this period. This clause not only complies with GDPR but also empowers the user by giving them control over the long-term use of their image.
• Legal age consideration: The form includes a section to confirm whether the user is of legal age. If the user is underage, consent must be provided by a legal guardian. This ensures the consent obtained is legally valid and appropriate.
• Data protection: The form assures the user that their images and personal information will be handled in compliance with GDPR guidelines. This assurance builds trust by affirming that the organization will manage the data responsibly and securely.

GDPR Consent Form Example #6: Boston Dynamics – Contact Sales Form

Boston Dynamics uses a contact sales form to collect information from potential customers interested in their robotics solutions. The form collects essential details like name, email, company, and intended applications while obtaining explicit consent to receive communications from Boston Dynamics.

Key takeaways:

• Transparency and informed consent: The form includes a clear statement explaining that user data will be used to send product news, updates, and other announcements. It also informs users that their data will not be shared with third parties and that they can unsubscribe anytime. Additionally, they explain why they ask for the user’s email address. This ensures users are fully aware of how their data will be used, aligning with GDPR requirements.
• Explicit consent: At the bottom of the form is a checkbox where users can agree to receive communications from Boston Dynamics. This checkbox is unchecked by default, requiring users to actively provide their consent, which is crucial for GDPR compliance.
• User control and privacy: The form includes a link to the Privacy Policy, allowing users to access detailed information on data management. The option to unsubscribe at any time gives users ongoing control over their personal information.
• Seamless integration: The consent checkbox is part of the form’s natural flow, ensuring it is easily accessible without disrupting the user experience.

GDPR Consent Form Example #7: Spotify – Multi-step Signup Form

Spotify’s signup process is designed to be user-friendly while ensuring GDPR compliance. It involves multiple steps: users provide email, create a password, enter personal details, and review terms and conditions. The final step obtains explicit consent for marketing communications and data sharing. Users can sign up even without consenting to these options.

Key takeaways:

• Step-by-step process: The signup process is divided into clear steps, guiding users through the required information. This approach reduces complexity and makes subsequent consent easier to understand at each stage.
• Granular consent options: In the final step, users see two checkboxes: one to opt out of Spotify's marketing messages and another to share registration data with content providers for marketing. Both are unchecked by default, ensuring any given consent is explicit and informed.
• Specific consent: Users must agree to the Terms and Conditions of Use by default as part of signup. However, consent for data sharing and marketing is separate, not bundled with the acceptance of terms.
• Transparency: Spotify provides direct links to its “Terms and Conditions of Use” and “Privacy Policy,” allowing users easy access to detailed information on data collection, use, and protection. This transparency is essential for GDPR compliance.
• User control: Spotify gives users control over their personal data by offering options to opt out of marketing communications and data sharing. Users can make informed decisions about their data's use, aligning with GDPR’s emphasis on user autonomy and consent.

GDPR Consent Form Example #8: Spotify – Data Download Request

This is another example from Spotify. While not a traditional consent form, Spotify's privacy policy includes a user-friendly interface for users to request a copy of their personal data. The interface categorizes data that users can download, such as account data, extended streaming history, and technical log information. The form lets users select specific data to download, with clear explanations for each category.

Key takeaways:

• Transparency and clarity: The form provides detailed descriptions of each data category, such as playlists, streaming history, payment data, and more, allowing users to understand exactly what they are requesting. This transparency ensures users are fully informed about their data download's contents.
• Granular control: Users can select specific data categories to download, such as account data or extended streaming history. This level of granularity gives users control over the personal data they access, aligning with GDPR’s principle of data minimization.
• User-friendly interface: The design is intuitive, with each category clearly labeled and explained, making it easy for users to navigate and select the data they wish to download.

What information should be recorded in GDPR-compliant consent forms?

To ensure GDPR compliance in consent management, it's essential to track and record these key details:

• User identity: Record the name, email address, or identifying information linking the consent or opt-out to a specific user. This ensures consent is attributable to the correct individual.
• Timestamp: Document the precise date and time when the user provided or withdrew consent. This timestamp is vital for demonstrating compliance and managing consent validity over time.
• Method of consent: Capture how the user provided or denied consent—whether through an online form, a checkbox, a verbally logged agreement, or another method. Ensuring consent is explicit and affirmative (e.g., checking a box or clicking “I agree”) is essential.
• Specific purposes: Clearly document the user’s consent to receive marketing communications, share data with third parties, or engage in other processing activities. Also, record any specific data processing activities they opted out of.
• Withdrawal details: If the user withdraws consent, record the date and time of withdrawal along with the specific retracted consent. This information is crucial to ensure data processing activities cease immediately for the purposes tied to the withdrawn consent.

Further reading: GDPR compliance checklist for websites

Additional reading: The Role of Consent Form Design Under GDPR

FAQ on GDPR consent form

What should a GDPR consent form include?

A GDPR consent form should include:

• A clear explanation of why personal data is collected and how it will be used.
• Specificity about the personal data being collected.
• An opt-in mechanism (e.g., checkbox) for explicit consent.
• Information for users on their right to withdraw consent at any time.
• Details on how long data will be stored or processed.
• Mention of sharing data with third parties and why.
• Outline of rights like access, rectification, and erasure.
• Contact details for data protection queries.

What is the GDPR-specific requirement for consent?

The GDPR requirement for consent is that it must be:

• Freely Given: Consent must be a genuine choice, without coercion or negative consequences for refusal.
• Informed: Individuals must be fully informed about what they are consenting to, including who is collecting data, how it will be used, and any third-party involvement.
• Specific: Consent should be given for specific purposes, and each purpose must be clearly explained.
• Unambiguous: Consent must involve an explicit, affirmative action, such as ticking a box or clicking a button, indicating agreement.
• Easily Withdrawn: Individuals must be able to withdraw consent as easily as they gave it, without complication.

Who does GDPR apply to?

GDPR applies to organizations that determine the purposes and means of processing personal data (controllers) and those that process data on behalf of controllers (processors) if they are:

• Operating within the EU, regardless of where data processing occurs.
• Outside the EU but offering goods or services to, or monitoring, users within the EU.