GDPR Consent Form Examples

Written by John Lister (FreePrivacyPolicy Legal writer) and last updated on 20 December 2024.

If you operate in Europe or have customers there, the General Data Protection Regulation (GDPR) means you will need consent for many of the ways you use their data. A GDPR consent form proves you got this consent and that it is meaningful.

This article explains what these forms are and what components should go into them, and shows a few examples.



A GDPR consent form is any document (paper or electronic) that confirms a data subject (the person the data is about) consents to you processing their personal data for a particular purpose. This consent is often necessary to make the processing lawful.

Do I Need a GDPR Consent Form?

You'll need a GDPR consent form if:

  • The GDPR applies to you,
  • You are processing personal data, and
  • You aren’t relying on another lawful basis

Let's break that down in more detail.

The GDPR applies if you or the data subject are in any of the following countries:

  • The 27 European Union member states (where the GDPR applies automatically)
  • Iceland, Liechtenstein or Norway (which have agreed to follow the GDPR)
  • The United Kingdom (which has mirrored the GDPR in its national laws)

The GDPR also applies if you process the data in one of these countries, for example on a data center server.

Processing means collecting, using or sharing data in any way. Personal data means data that relates to an identified or identifiable individual.

Processing personal data is only lawful under GDPR when one of a range of lawful bases applies. Several of these only cover specific situations such as health emergencies or government data processing. "Performance of a contract" is a legitimate basis, which would cover using somebody's physical address to send goods they had ordered.

Some business activity is covered by "legitimate interests," which is where the data processing is necessary for your normal business operations and doesn't outweigh the data subject's privacy rights.

For example, legitimate interests would usually cover processing somebody's email address to send a purchase confirmation email. It wouldn't usually cover sending them marketing material, which is helpful to your business but not necessary.

This means that some or even most of your data processing will rely on the lawful basis of consent from the data subject.

What's The Purpose of a GDPR Consent Form?

The GDPR consent form proves not only that you got the person's consent, but that this consent meets the requirements of the GDPR.

The text of the GDPR simply says you must be able to demonstrate the person has consented and that this consent was "freely given." The recitals (explanatory notes) accompanying the GDPR specify that:

Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.

A GDPR consent form can protect you if somebody complains your data processing broke the law, but it's not just a helpful optional extra. The GDPR explicitly says you must always be able to demonstrate a person gave consent (not just when there's a dispute).

A consent form is the best way to do this.

What Format Should a GDPR Consent Form Use and What are The Key Elements?

Despite the name, a GDPR consent form doesn't have to be a printed or standalone document requiring a physical signature. The GDPR explicitly says that it could be in electronic format such as ticking a box on a website. There's no requirement to directly mention the GDPR on the consent form.

In principle, a GDPR consent form can be anything with two key elements:

  • A request for consent presented "in an intelligible and easily accessible form, using clear and plain language."
  • A "clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data."

Here's an example of a GDPR-compliant consent form:

Scientific American newsletter sign-up form with consent checkboxes

The requirement that the consent be clear and affirmative means you cannot assume or infer consent based on a lack of action. This means you can't say that data subjects consent to processing unless they opt-out or object. If you use a tick box or toggle, it can't be pre-ticked or pre-set to consent.

The requirement that the consent be unambiguous means you can't say that continuing to use your website or placing an order automatically counts as consenting.

The requirement that the consent be informed means you'll need to give clear details about not only what the consent covers, but also the consequences of the processing, the way you do it, and the data subject's rights.

Normally this would be too long for a consent form, so the best option is to link to a dedicated Privacy Policy.

You can ask the data subject to confirm they have read and agreed to the Privacy Policy. If the Policy details the data you collect, this confirmation can also count as consent to the data processing.

Examples of GDPR Consent Forms

Let's examine some GDPR consent forms to explore the different approaches businesses take and the ways in which they meet the GDPR's consent requirements.

The European External Action Service uses two tick boxes to cover personal information processing for two different purposes. This makes the consent more meaningful as the data subject can consent to one purpose while withholding consent for the other:

European External Action Service GDPR consent form

The Suffolk Agricultural Association indirectly asks for permission to process personal information (such as name and email address) for specific purposes. It avoids any confusion by linking to a full Privacy Policy:

Suffolk Agricultural Association GDPR consent form

Buckingham Canal Society uses an unchecked checkbox and clearly explains what a user is indicating by checking it:

Buckingham Canal Society GDPR consent form

As well as detailing what data it processes and why, ISQ Recruitment requires a specific, unambiguous action to confirm consent, namely replying to an email using a specific word:

ISQ Recruitment GDPR consent form

The Cheltenham Whaddon Bowling Club goes to great lengths to make sure it gathers valid consent. It gets specific consent for specific purposes of data processing. It also offers multiple ways to give consent (submit online form, return physical form) that guarantee the data subject makes an active and meaningful choice to consent:

Cheltenham Whaddon Bowling Club GDPR consent form

The Civil Service Employee Assistance Service refers the reader to an attached GDPR Statement (a form of Privacy Policy) to detail its personal information processing, rather than detail it in the consent form:

Civil Service Employee Assistance Service GDPR consent form

Consent forms don't have to explicitly mention the GDPR. Cadbury collects consent through an online form that includes a clear declaration of consent by the data subject accompanied by a link to a Privacy Policy giving full details of what the consent covers:

Cadbury GDPR consent form

TGI Fridays does not directly address consent in the form itself:

TGI Fridays GDPR consent form

However, it does require the data subject to agree to the Privacy Policy. This details the consent the data subject is giving by signing up to a newsletter (including using their email address for marketing) and how to withdraw it later on. This combination of agreement and information constitutes valid consent:

TGI Fridays Privacy Policy: Consent clause

Summary

A GDPR consent form is a way to prove you have a data subject's consent to process their personal information for a specific purpose or purposes. You'll need this if the processing comes under the GDPR and you're relying on consent as the lawful basis for the processing.

There's no prescribed wording or format for a GDPR consent form: it could be a printed document, a dedicated electronic form, or part of another document or form such as an account sign-up page.

What matters is that you can prove the data subject gave a clear and positive signal of consent and that they had clear information about what data you collected and how you would use it. The signal can be a signature, checkbox or similar mechanism, though you can't use a pre-ticked checkbox.

The information could be outlined in the consent form if it's brief enough. Alternatively, you could link to a Privacy Policy. If so, make clear that completing the form means agreeing to the Privacy Policy, in turn consenting to the data processing.