Iubenda logo
Start generating


Table of Contents

GDPR consent form examples – What to do and not to do

GDPR requires that organizations have a lawful basis for processing data. One such basis is consent, which according to the GDPR has to be explicit and freely given. This means that the mechanism for acquiring consent must be unambiguous and involve a clear affirmative action.

While you shouldn’t ask for it if you’re carrying out a core service or process personal data by law, you should ask for consent when you’re offering a non-essential service, like sending marketing emails and newsletters.

Here’s a breakdown of the most important things you must know about email consent under GDPR – with plenty of templates and examples of how to put them into action.

1. Be transparent with your GDPR consent requests

Avoid complex phrasing when explaining reasons for consent: specify why you want the data and what you’re going to do with it in “plain English”. Also, don’t forget to clearly name your organization and any third parties relying on the user’s consent. 

2. Don’t use pre-ticked checkboxes on your consent forms

Ask users to positively opt-in, because under the GDPR pre-ticked checkboxes (or any other type of consent by default) are not allowed. 


GDPR consent form example - Consenting action must be explicit and freely given
Email consent must be freely given: users should always be able to download your guide without subscribing to your newsletter

Double opt-in

While not required by the GDPR, the safest way to handle a mailing list is the double opt-in, a process that includes two steps:

  • In step 1 potential subscribers fill out and submit your consent form.
  • In step 2 they’ll receive a confirmation email and click a link to verify their email, which is added to your mailing list.

This method of registration is considered best practice in many countries, especially Germany and in the EU.

When your consent forms don’t need checkboxes

Checkboxes are necessary when you are trying to get GDPR consent for separate things, but they’re not required where the purpose of the sign-up mechanism is unequivocal.


In a scenario where your site has a pop-up window that invites users to sign up to your newsletter using a clear phrase such as: “Subscribe to our newsletter for access to discount vouchers and product updates!“, the affirmative action that the user performs by typing in their email address would be considered valid consent.

Soft opt-in

In short, soft opt-in can occur when your user has provided their email address while purchasing a product or service from you.

Under some countries’ laws, you may use the details collected to send future promotional emails without obtaining prior consent if:

  • the email address was collected as part of a previous sales process on your site;
  • the customer is adequately informed of it (e.g. by a notice on the sales page or in your privacy policy);
  • the promotional emails are related to products and services similar to the ones the user initially purchased from you; and
  • the products/services promoted are your own (i.e. not third-party promotion).

Note that this exception does not apply if the user has previously opted out (e.g. by unsubscribing from your newsletter).

3. Separate GDPR consent requests from terms and conditions

Under the GDPR, email consent needs to be separate.

For example, never bundle consent with your terms and conditions: agreeing to terms and conditions and giving consent to various activities (such as subscribing to a newsletter) are not the same thing. Make them easily distinguishable from each other and provide individual opt-ins for consent.


GDPR consent form example - Multiple consents

4. Give separate granular consent options

Your forms should allow customers to consent to independent processing operations. Help users to have full control of their consents and permissions by creating an overview of each activity you need.


GDPR consent form example - Separate granular consent options

5. Make it easy to withdraw consent

Users have the right to withdraw their consent at any time and you should clearly tell them where and how to do it without detriment. As a consequence, consent doesn’t have to be a precondition of a service.

Include an option to opt-out from receiving emails in the footer of every promotional email you send. Ideally, users should also have the ability to manage their email preferences from within their account.


GDPR consent form example - Withdraw consent
Always include a visible unsubscribe link in your newsletter

“You are receiving this email because…” – How to write a good permission reminder

A permission reminder is a short paragraph in an email (usually in the footer) that helps recipients remember how you got their email address. It can help reduce spam complaints and unsubscribe requests.

An appropriate permission message is something like: “You are receiving this email because you’re a customer, or signed up via our [source]”.

6. Keep proof of consent

GDPR not only sets the rules for how to collect consent, but also requires companies to keep a record of these consents. It means that you must be able to provide proof of:

  • when and how you got consent, and
  • what users were told at the time.

How iubenda can help with GDPR requirements for your consent forms

Our Consent Database simplifies the process of making your forms GDPR compliant by helping you to:

  • easily store proof of consent, and
  • manage consent and privacy preferences.

With our Consent Database, you can look at each individual subscriber, see when they opted in, and which form they used to do so.

Collect GDPR consent for your forms

Explore our Consent Database

About us


Compliance solutions for websites, apps and organizations: collect GDPR consent, document opt-ins and CCPA opt-outs via your web forms.


See also