What is GDPR Consent Form? 8 Best Practices for GDPR Compliance

Mahiyath C ○ February 27, 2020 ○ 12 minutes

The gradual expansion of the internet has opened doors to many possibilities, including some adverse ones. With the internet being more accessible to everyone, ensuring data protection is becoming increasingly difficult. The general people are now prone to security threats more than ever. In the European Union alone, over two-thirds of the population have voiced their concern about the somewhat restricted control they have over the data they share and the overall procedure.

The General Data Protection Regulation (GDPR) was adopted to provide citizens with better data security and a free choice over exactly what data they want to share. The European Parliament, the Council of the European Union, and the European Commission approved the regulation on the 27th of April, 2016. It came into force in May 2018, forcing web admins and marketers to change their strategy with clients’ data security in mind.

This regulation provides a guideline for different service/product providers to follow when it comes to requesting personal information from users. GDPR is primarily an ethical measure to build a business responsibly in this digital era.

What is GDPR, and where does it apply?

GDPR consent form protects the data of EU residents

Almost every aspect of our lives is now intertwined with various data. Things that may seem mundane to you, like what kind of coffee you like, are valuable data to some concerned parties like a restaurant planning to make a separate cafe branch. Somebody asking for your choice of coffee seems harmless, but it gets annoying when you are bombarded with coffee ads every step of the way. And this is what is happening.

With businesses continually fishing for personal information to boost their revenue, sensitive data like health information, financial details, etc. aren’t even safe anymore. Almost every service we use, like banks, retailers, and social media, involves collecting and analyzing our data.

Managing mass data is a tricky feat. Information is often lost or stolen and ends up in the wrong hands. Sometimes people collect data in the guise of games and quizzes and sell it later on. These many-sided data breaches leave people and the world open to manipulation. GDPR hopes to tackle this problem head-on and ensure a fair ground for the people.

This regulation forces marketers to be creative and not intrude into anyone’s personal space. Organizations are obliged to ensure that any information they collect is relevant to their cause and is collected ethically under strict conditions. Not only that, but the law also requires the ones responsible for managing this data to protect it from exploitation and protect the rights of the data owners. In case any party fails to do that, they should be ready to face penalties.

GDPR safeguards the data of all residents across the whole of Europe. Now, if you are a business outside Europe, you might naturally be asking yourself, “Why do I need to concern myself with GDPR? I don’t live in Europe.” While you may not be stationed anywhere in Europe, your clients might. Even if you have one client residing in Europe, you should be GDPR compliant. GDPR holds for any company that provides products and/or services to EU residents or if they store personal data. GDPR compliance is forcing content marketers to rethink how to build their email list.

What is consent in GDPR?

Consent is one of the six legal bases in GDPR
Before asking for data, you need to check if your questions seem intrusive

GDPR states six legal bases, and consent is one of them. The others, as stated in Article 6 of the GDPR, are contracts, legal obligations, vital interests of the data subject, public interest, and legitimate interest. Rules for lawful consent are now stricter, and if anything seems suspicious, it is bound to start inquiries.

Lawful consent implies a real choice for users. It is crucial to allow users to make a free and informed choice under GDPR. The consent becomes invalid if any external influence takes place, and any hint of inappropriate intrusion can result in investigation and penalties. To avoid these, you will have to take special care when it comes to requesting information from users. Plain and simple Terms & Conditions mean that the user doesn’t get lost in words.

It is also crucial to ensure that subscribers can withdraw their consent at any given time. The procedure should be just as simple as the checkboxes they ticked when they approved. And if you use double opt-in forms to make sure that the user doesn’t give consent by mistake, you will have proof of consent in case you face an inquiry.

How to comply with GDPR

When new regulations are passed, businesses are forced to mold their marketing strategy around the new laws. GDPR is no different. When GDPR came into force, content marketers all around had to rack their brains to come up with new approaches so as not to seem intrusive. There are some common tricks, though, for GDPR compliance.

GDPR consent form defines why a specific piece of information is needed and discards it afterwards
Define why you need a piece of specific information and discard it after use

Request as little as possible

Keep your form as short as possible. Ask only the questions you need answers to. This will gain you confidence among your clients and avoid all unnecessary commotion during data collection. Users frequently skip long forms too.

Only process personal data for a specific purpose

Avoid asking for personal data like name, home address, IP address, etc. If you must ask for them, mention clearly in the form where the data will be used and why. Use the information only for that specific purpose.

Delete data once the task is complete

If you are dealing with people’s personal data, take extra care while managing it. Store it with the utmost care and take every precaution against a security breach. Once the task is complete, delete all the data.

Users should be able to withdraw consent anytime they want
GDPR consent form gives users full control of their data

Make withdrawing consent easy

A user may no longer feel comfortable sharing their details with you at any point in the procedure. Under GDPR they have the full right to withdraw their consent at any time they feel like. You need to make this process smooth for GDPR compliance. If the withdrawal process is hard to understand, or isn’t visible in plain sight, a user may be left giving consent unwillingly. This will look like forcible persuasion.

Mention if you plan to share data with a third party

If your program requires you to share the acquired data with a third party, mention it definitively. Make sure your users know about the collaboration and are comfortable with it. If the users want to withdraw at any point in the procedure, you should be ready to oblige.

GDPR consent form gives users full clarity
Make sure the users know everything before giving consent

Use a double opt-in mechanism

Checkboxes can sometimes slip past users’ attention. Subscribers may be preoccupied and tick the checkbox by mistake. To stop this from happening, you can use a double opt-in form. The users are sent an email once they submit the form with the checkbox ticked. They’ll be enlisted only if they follow the verification page link sent via email. You can save yourself from a lot of unnecessary paperwork this way.

Give your users the full picture

Be very clear about GDPR. If your users don’t have enough knowledge about GDPR, do not treat this as a plus point and cut corners. Give them proper information. If people reach out to you about GDPR, be distinct and truthful about it. This clarity will help you build trust with your audience and keep you in compliance with GDPR.

Make the Terms & Conditions clear

The terms and conditions should appear plain and straightforward in the GDPR consent form. The users should get a clear idea of what they are dealing with from the terms and conditions. Give them exact information and avoid all vagueness like may, some, possibly, likely, etc.

Best practices for GDPR compliance

By now, you should have a firm hold of what GDPR is and some tips on how to make your GDPR consent form more compliant. But there are some more things that you need to concern yourself with. These regulations don’t only apply to your GDPR consent form. You will also need some more smart practices to keep yourself GDPR compliant.

Make sure the DPA and GDPR checkbox is there in your GDPR consent form
Make sure the DPA is there

Include DPA in your form

The Data Processing Agreement or DPA is a legal document stating the rights and obligations of both the data controller, who provides the data, and the data processor, who processes it. The DPA is one of the crucial requirements that you have to fulfill if you want to avoid GDPR fines. You must attach it to your GDPR consent form. Whether you do that physically on paper or by a link is up to you.

Have a GDPR checkbox in your consent form

At the end of your form, include a GDPR checkbox. By adding a GDPR checkbox, you are building yourself a more active email list. These are the people who chose to be here, not people who are here because they didn’t have any other choice. The GDPR checkbox can save you from wasting resources on people who aren’t even interested.

Delete data if the users ask for it

Delete data at the user’s behest

Users have full authority over their data under GDPR. They have the full right to know why their data is needed and where it is used. They should have the liberty to withdraw consent at any given moment without any prior announcement. If they do, you are liable to delete all of their data. This includes any information that you may have shared with a third party or given to a company for processing. You must alert everyone concerned and urge them to delete all the information.

Store proof of consent

Merely getting the subscribers’ consent before adding them to your email list is not enough. You will need proof of consent as well. Keeping proof of consent will come in very handy in the event of an audit. If you have subscribers who were enlisted before you had a GDPR consent form, send them a consent form now, especially if you have users coming from the EU, EEA, and Switzerland. Simply use their IP addresses and create a separate section. Send them consent forms and save the proof of consent. Use double opt-in forms for this purpose. If your form requires permission on multiple fronts, include a checkbox to gain explicit consent for each one of them. Make sure subscribers are well informed before they hit the Call-To-Action buttons.
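The double opt-in flow described above and the proof-of-consent record it produces, as an added Python example that is not part of the original post or of Fluent Forms. The consent wording, the 48-hour link lifetime, timestamps and IP addresses are constructed for the demo; a real site keeps this state in its database rather than in module-level dictionaries.

```python
import secrets
import hashlib
from dataclasses import dataclass

# Constructed demo values; a real form shows its own wording and real timestamps.
CONSENT_TEXT = "I agree to receive the weekly newsletter."  # exact text beside the checkbox
CONSENT_TEXT_HASH = hashlib.sha256(CONSENT_TEXT.encode()).hexdigest()
TOKEN_TTL = 48 * 3600  # seconds a verification link stays valid (assumed policy)

@dataclass
class ConsentRecord:
    """Proof of consent: who agreed to what, when, and the wording they saw."""
    email: str
    purposes: tuple      # one entry per checkbox the user actually ticked
    requested_at: int    # epoch seconds of the form submission
    confirmed_at: int    # epoch seconds the emailed link was visited
    text_hash: str       # hash of the consent wording shown at the time
    source_ip: str

pending = {}   # token -> (email, purposes, requested_at, source_ip), awaiting the link click
records = {}   # email -> ConsentRecord, the audit trail shown in an inquiry

def request_consent(email, ticked, now, source_ip):
    """Step 1 of double opt-in: mint the link token, store nothing permanent yet.
    `ticked` maps purpose -> bool as submitted; the form must render every box
    unticked (no premark), and a submission with nothing ticked is not consent."""
    purposes = tuple(p for p, on in ticked.items() if on)
    if not purposes:
        return None
    token = secrets.token_urlsafe(32)  # unguessable and single-use
    pending[token] = (email, purposes, now, source_ip)
    return token  # goes into the verification link emailed to the user

def confirm_consent(token, now):
    """Step 2: the user visits the link; only then does a ConsentRecord exist."""
    entry = pending.pop(token, None)  # pop makes the token single-use
    if entry is None:
        return None
    email, purposes, requested_at, source_ip = entry
    if now - requested_at > TOKEN_TTL:
        return None  # stale link: the user must submit the form again
    rec = ConsentRecord(email, purposes, requested_at, now, CONSENT_TEXT_HASH, source_ip)
    records[email] = rec
    return rec

def withdraw_consent(email):
    """Withdrawal is as easy as ticking the box was: one call removes the record."""
    return records.pop(email, None) is not None
```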

GDPR consent form should give users the chance to mark freely
Do not manipulate users with premarked checkboxes. Let them tick the boxes freely

Check if your checkboxes are premarked

If the checkbox is premarked, users will pay less attention to it. Some may even skip the checkbox altogether, because a premarked checkbox is often ignored. So, although you are letting the subscriber untick the checkbox, the premark leaves a margin of error. Some might even say this is trickery. And if the users do not have fair ground, it will not count as active consent. Luckily for you, form builders like WP Fluent Forms offer an automatic GDPR consent field.

Use a Link Trigger

If you have a long email list, keeping tabs on all your subscribers can be very tricky. Checking separately which users gave consent and which didn’t is going to be very difficult, especially if you have some previously enlisted subscribers. Use a link trigger in this case. The users who click on the link will be tagged and identified. You can easily distinguish which of your users haven’t clicked on the link to your GDPR consent page and send them an additional follow-up mail.

Have a privacy policy

A privacy policy is a detailed document on how you will conduct your business regarding the client’s data. The privacy policy includes how the information will be used, processed, stored, and disclosed. You can attach it directly to the form via a link. Or you can send it via email.

Don't ask for sensitive data that may harm the user
It is best to skip some data

Skip some data

Some email service providers don’t store sensitive personal data. While storing personal data like name, email address, etc. is okay with lawful consent, sensitive personal data like ethnicity, religious beliefs, etc. should be avoided. If you must use it for a survey or something similar, make it untraceable to the person. Sensitive personal data may include:

  • Biometric data
  • Ethnic origin
  • Genetic information
  • Health details
  • Personal life
  • Philosophical beliefs
  • Political opinions
  • Racial background
  • Religious beliefs
  • Sexual orientation
  • Trade union membership


You don’t have to worry about consent and GDPR compliance all that much. There are plenty of plugins now to help you with that. And if you don’t want an additional plugin, smart form builders like Fluent Forms come with a GDPR consent field to ease your trouble. All you have to do is drag and drop the field into your form.

We hope you got some primary ideas about data security under GDPR and how to comply with it. Tell us what you think in the comments. And don’t shy away from reaching us on social media. Connect to our Facebook and Twitter page and stay updated with all the new features and functionalities.

Mahiyath C

Mahiyath is a digital marketer for Fluent Forms. She likes to explore through the alleys of WordPress and learn about the themes and plugins, currently specializing in WordPress forms. When she’s not doing that, she’s planning her next adventure.
