Want to create GDPR-compliant opt-in forms that work? Ditch the endless checkboxes, legal jargon, and T&C’s. Just make it clear what people are signing up for, link to your privacy policy, keep a record of consent and, most importantly, deliver on your promise.
With the right balance, you’ll create forms that grow your list quickly while being compliant with GDPR. Read on to learn more about GDPR forms, see real examples, and discover how MailerLite makes creating compliant forms a breeze.
This article is made available by MailerLite for educational purposes to give you a general understanding of the law. It does not aim to provide specific legal advice. By using this blog site, you understand that there is no attorney-client relationship between you and MailerLite. We strongly recommend consulting a lawyer to discuss the individual needs of your business.
Here’s what the General Data Protection Regulation (GDPR) says about email consent. It’s dense legal talk, so grab a cup of coffee and get your dictionary ready. Or, head to the end of this section where we’ve summarized the key points.
Regulation (EU) 2016/679 GDPR Article 4(11) states:
“Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
Recital 32 further specifies:
“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement, or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data.”
Your form must clearly state what the subscriber is agreeing to receive. If you want to collect the email address for multiple purposes, mention each one or use opt-in checkboxes.
Explain how you'll use the subscriber’s email address and any other data you collect. Link to your privacy policy for more information.
Use clear language and a text size that is easy to read. Don’t hide information in tiny disclaimer text.
Subscribers must actively opt in, not passively accept marketing. Don’t use pre-checked boxes!
Don’t trick people into joining your email list. Don't attract signups with a lead magnet, then bombard them with promotional messages, unless the form states that they will be added to your list.
Gather proof that someone opted in to receive your emails. MailerLite forms capture the IP, location, date, time, and source of the subscription to solidify your consent documentation.
GDPR fields are elements you can add to your signup forms to collect and store subscriber consent, helping you remain compliant with GDPR.
GDPR fields include:
A description of why the user’s data is being collected
Checkboxes to let the subscriber choose what purposes their data can be used for
Legal text which explains how the data the user provides will be used and protected
You can easily add GDPR fields to MailerLite sign-up forms by opening the Signup form settings menu in the form editor and then selecting the Marketing permissions fields (GDPR-compliant) and Privacy policy options.
This will add 2 checkboxes to your form that subscribers can use to opt-in to your emails. These checkboxes correspond to fields in the user’s profile, so you can easily see who has opted in to different purposes.
See an example in the image below. You can edit the content and add or remove checkboxes to make the opt-in relevant to your needs.
This setup helps you collect consent in a way that aligns with GDPR standards, safeguarding both your organization and your subscribers.
Check out this video tutorial to learn about more GDPR tools in MailerLite.
Here are examples of GDPR-compliant and non-compliant opt-in forms. We’ve categorized them by use case and highlighted what’s good about each one. Plus, we’ve listed places where they can improve.
You can easily create similar forms using MailerLite’s sign-up form builder. Just choose a template and then customize the content.
MailerLite is GDPR compliant and has plenty of features to ensure your forms are too:
Add links to pages like your privacy policy
Add custom consent fields for each type of marketing
Customize the text and buttons to clarify what people are signing up for
Document the opt-in so you can prove it occurred
Head here to sign up to start creating GDPR-compliant forms today. Or read on to see the form examples!
You often only need an email address for a single purpose, such as sending an email newsletter. Asking for consent in these situations is super simple: Say what you will use the email address for in your form copy, include a subscribe button, and link to your privacy policy.
With this method, there’s no need for complex checkboxes or legal jargon. The best thing? Because these forms are easy to complete, they typically result in more subscribers.
This is a picture-perfect single-purpose opt-in form from Forbes. The form is explicit about how often subscribers will receive the newsletter and the type of content it will include.
The brand also informs subscribers they can opt out and adds a link to the privacy policy and terms and conditions. Well done!
This is a simple, clear and accurate opt-in form with no unnecessary information: People know exactly what they are subscribing to.
The only thing missing is a link to the privacy policy so people can read more about how you use their data. It’s also good practice to mention that subscribers can leave your list at any time.
The above opt-in example is compliant because it clearly mentions the type of content the subscriber will receive and how many times per month they’ll get the newsletter.
The brand could improve the form by linking to its privacy policy. This would give potential subscribers easy access to further information about how the company uses their data.
At first glance, this form seems compliant. It states what the subscriber will receive when they provide their email address and links to the brand’s privacy policy.
However, the statement underneath the submit button says that the brand will also send surveys and special offers from its partners. This is not clear from the main text.
To avoid misunderstandings, you should either let people opt in to these partner emails with a checkbox, or mention them in the main content.
Here’s an example of a form that isn’t GDPR compliant. To see why, compare the main form content with the disclaimer.
The form content says the user is opting in to receive “the best source for all things TV, movies and streaming.”
But, the disclaimer adds that users who sign up will also receive content about products, services, discounts and offers from Digital Spy and other Hearst UK brands. They have to uncheck the box to opt out.
Using an opt-out checkbox is not the right way to get a subscriber’s consent. The good news is that there’s an easy fix to make the form compliant: The brand should make the checkbox opt-in so the person can choose to receive the extra content mentioned.
Many email marketers use lead magnets to collect email addresses. This practice is allowed under GDPR.
However, you can’t send marketing content to email addresses provided in exchange for a lead magnet unless the form makes it clear that sign-ups will also receive promotional messages.
If you plan to send marketing emails to lead magnet sign-ups, you must mention this in the form you use. Alternatively, you could add checkboxes so people can opt in to receive the newsletter.
Here’s a perfect example of a lead magnet opt-in form that also signs people up for the brand’s newsletter.
The opt-in form content clearly states that people will receive daily content from the brand and 10% off their first purchase. The text in the email address box clarifies this further: There’s no doubt about what the person will receive when they enter their data.
The form also links to the brand’s privacy policy and lets people choose whether they are interested in womenswear or menswear. This lets the brand tailor its content to their interests.
This e-commerce opt-in form example says the person will receive a $10 voucher and join CottonOn & Co. Perks. While the $10 voucher is clear, there’s no explanation of what joining CottonOn & Co. Perks means.
There are 2 ways the brand could improve the form:
Add a GDPR checkbox people can use to opt in to receive a newsletter or special offers.
Clarify what exactly people are opting in for in the sign-up form content.
If you want to use the second option, add text like: "To receive a voucher, please subscribe to our newsletter and daily news. Don’t worry, you can unsubscribe at any time."
This opt-in form uses a disclaimer to clarify that people who sign up for the lead magnet will also receive promotional emails.
While mentioning this is a good start, the text is too small, which means it’s not clear that this is how the email address will be used.
If you want to make a similar form, consider either:
Enlarging this text so it’s more prominent.
Mentioning that subscribers will receive promotional emails in the opt-in form’s main content.
Adding an opt-in checkbox next to the disclaimer.
You should also link to your privacy policy in your opt-in form, so people can discover more about how you use their data.
Opt-in checkboxes are a surefire way to collect GDPR consent from the subscriber. There are 2 main things to consider when using them.
First, use a single checkbox for each purpose. For example, if you want to send a newsletter and use the address for ad platform retargeting, you need two boxes. This allows people to choose what they want to sign up for.
Second, consider whether you actually need the boxes or whether you could adjust your main form content to become GDPR compliant. Checkboxes act as a barrier to signup so it’s better to not use them when possible.
When people buy from an online store, they usually provide their email address so the brand can give order updates. However, you can’t also add the person to your newsletter list since they never opted in to receive promotional content.
Adding an opt-in checkbox to the checkout process, like Michael Kors in the example above, is an effective way to let people join your list during the signup process.
The form is GDPR compliant since it’s opt-in and clearly mentions that the brand will contact the subscriber by email, phone and mail.
We recommend that you use a separate checkbox for each contact channel. This lets your customers choose how they want to receive news. This could increase signups as people who don’t want to receive SMS or mail content can still sign up to receive promotional emails.
This GDPR-compliant opt-in form from CBS Sports uses a checkbox people can use to sign up for the newsletter.
However, this isn’t necessary. The opt-in form content clarifies what the person is signing up for, so the brand could remove the checkbox to boost signups while remaining GDPR-compliant.
GDPR doesn’t let organizations process the personal information of minors. In most member countries, minors are those aged under 16, although some countries have set the age limit as low as 13.
If the person trying to sign up is classed as a minor under GDPR, you need permission from the person who holds parental responsibility.
GDPR Article 8(2) states:
“The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.”
In low-risk cases, GDPR suggests that you obtain the verification of parental responsibility via the parent’s email.
In high-risk cases, you can use trusted third-party verification services that offer solutions to minimize the amount of personal data the controller has to process itself.
You’ll notice that most newsletter sign-up forms don’t have a checkbox to confirm that the person signing up is 16 or over.
This is because brands that aren’t likely to appeal to people under this age don’t need to include the checkbox.
For example, we don’t add this opt-in box to MailerLite newsletter sign-up forms. It’s unlikely that a minor would be interested in using our service.
The European Data Protection Board provides an example of how parental consent can be received.
In the example, an online gaming platform wants to make sure underage customers only subscribe to its services with the consent of a parent or guardian.
The controller follows these steps:
Step 1: Ask the user to state whether they are under or over the age of 16 (or alternative age of digital consent).
Step 2: If the user states that they are under the age of digital consent, the service informs the child that a parent or guardian needs to consent or authorize the processing before the service is provided to the child. The user is requested to disclose the email address of a parent or guardian.
Step 3: The service contacts the parent or guardian and obtains their consent via email for processing and takes reasonable steps to confirm that the adult has parental responsibility.
Step 4: In case of complaints, the platform takes additional steps to verify the age of the subscriber.
The above form from Nintendo is a good example of this. The brand prompts minors to enter the email address of a parent or guardian after submitting their details.
It can then contact the specified person with instructions about how to create an account for the child. This prevents underage users from receiving content that is unsuitable for their age.
This confirmation form asks potential subscribers to confirm two things: That they’re over 16 and that they consent to receive personalized marketing material.
However, since the main form content clearly mentions that they will receive marketing emails, they could change this box to simply ask the reader to confirm that they are over 16.
That said, the text they use to verify age is good. Just don’t merge it with the other forms of consent.
To collect consent in a way that complies with GDPR, you must ask for consent for each specific purpose of using the data.
GDPR states in Recital 32 that:
“Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them.”
Here are some GDPR-compliant examples that use separate consent checkboxes for different purposes.
This opt-in form from TechCrunch lets subscribers choose the topic of the newsletters they would like to receive.
Offering multiple options is a good alternative to using separate single-purpose opt-in forms for each newsletter. It’s a more streamlined process and it may result in people subscribing to more newsletters than if they had to go through completely separate forms.
We also like that the brand includes both unsubscribe and privacy policy links in the form.
Armani uses opt-in checkboxes to let the subscriber agree to receive marketing emails and record and analyze their preferences via profiling. Subscribers can easily opt in to one or both of these purposes.
The company could increase the chances of people opting into the latter point by mentioning that recording and analyzing preferences will allow the brand to share more relevant content and offers.
In this example, Guess uses checkboxes to let people opt in to receive personalized marketing content and share their data with ad platforms.
Without the latter consent, you shouldn’t use your email list to create custom audiences on ad platforms like Facebook.
The above example uses separate checkboxes for “Yes” and “No.” We recommend using a single opt-in checkbox to streamline the user experience.
The first part of this form allows the reader to subscribe to the brand’s newsletter. It then uses checkboxes to let subscribers also sign up for offers and information from content partners.
This is a compliant way to ask for this permission. However, we would suggest using a single checkbox. If the subscriber doesn’t check anything, it should mean no.
Here are 3 more best practices to consider when creating your opt-in forms. Keep them in mind to build GDPR-compliant forms that work.
GDPR requires the explanation of services to be explicit and clear. While clarity in communication is subjective, do your best to make your copy simple and concise, without skimping on important information.
Here’s an example of a form that is not clear. Instead of this complex wording, simply list in plain language what you want the subscriber to opt in to and provide a checkbox so they can do so.
If one of your existing subscribers changes their email address, ask them to resubscribe to your list with the new address.
This adds an extra layer of safety by ensuring you have a record of their consent related to their updated address.
Single opt-in is when you use a form to let people opt in to your email marketing. Double opt-in is when you send them a further email that they must click on to complete the signup process. This requires subscribers to go through an extra step during the opt-in process.
Both single opt-in and double opt-in are allowed by GDPR. All that matters is that you collect opt-in consent from subscribers and that you have the ability to prove this consent.
Double opt-in provides a stronger paper trail of consent. But you can still prove consent with a single opt-in by capturing a timestamp of subscriber consent that includes the time, date, location, IP address, and source of the opt-in. MailerLite forms do this automatically.
There are other benefits to each method of consent. You’ll grow your list faster with single opt-in since it removes a barrier to joining your list. But double opt-in reduces the chances of people joining your list with fake accounts or addresses with typos. Plus, it’s harder for bots to join when double opt-in is set up.
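As an added example (not MailerLite's code and not part of the original post), here is a small Python model of what a consent record needs in order to serve as proof: every purpose defaults to unchecked, the submission evidence (IP, source, timestamp) is stored with it, double opt-in is a signed confirmation link, and withdrawal is tracked per purpose. The signing key, purpose names and sample addresses are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed key for this example only; a real deployment loads it from secret storage.
SECRET_KEY = b"example-signing-key-not-for-production"
PURPOSES = ("newsletter", "partner_offers", "ad_retargeting")  # one checkbox each


@dataclass
class ConsentRecord:
    email: str
    purposes: dict           # purpose -> True only if the subscriber ticked that box
    ip: str                  # evidence captured with the submission
    source: str              # which form or page the signup came from
    timestamp: str           # UTC, ISO 8601
    confirmed: bool = False  # set once the double opt-in link is clicked
    withdrawn: dict = field(default_factory=dict)  # purpose -> withdrawal time


def _now(now=None):
    return (now or datetime.now(timezone.utc)).isoformat()


def record_consent(email, ticked, ip, source, now=None):
    """Build the record for one submission. `ticked` holds only the boxes the
    subscriber actively checked; every purpose defaults to False (never pre-checked)."""
    unknown = set(ticked) - set(PURPOSES)
    if unknown:
        raise ValueError(f"unknown purposes: {sorted(unknown)}")
    return ConsentRecord(email, {p: p in ticked for p in PURPOSES}, ip, source, _now(now))


def confirmation_token(record):
    """Double opt-in: HMAC over email and timestamp, so a confirmation link
    only works for the record it was issued for."""
    msg = f"{record.email}|{record.timestamp}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def confirm(record, token):
    """Mark the record confirmed if the token from the clicked link is valid."""
    valid = hmac.compare_digest(token, confirmation_token(record))
    if valid:
        record.confirmed = True
    return valid


def withdraw(record, purpose, now=None):
    """Record withdrawal of one purpose; the others are untouched."""
    record.withdrawn[purpose] = _now(now)


def may_send(record, purpose, require_double_opt_in=True):
    """True only if the box was ticked, consent was not withdrawn and, when the
    list uses double opt-in, the confirmation link was clicked."""
    if not record.purposes.get(purpose) or purpose in record.withdrawn:
        return False
    return record.confirmed or not require_double_opt_in
```

With `require_double_opt_in=False` the same record works for a single opt-in list, since the evidence fields alone are what you would produce on request.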
To help you create the best opt-in forms that comply with GDPR, we created a checklist that you can use to verify that your forms are good to go.
✅ Use clear, plain and easy-to-understand language.
✅ Ask for consent separately for each specific purpose.
✅ Ask users to actively opt in and don’t use pre-ticked boxes.
✅ Make the request for consent prominent and separate from your terms and conditions.
✅ Tell individuals they can withdraw their consent at any time.
✅ Have simple and effective withdrawal mechanisms in place.
✅ Ensure that individuals can refuse to consent.
✅ Explain why you ask for their data and what you’re going to do with it.
✅ Only seek consent from children using age-verification measures (and parental-consent measures for younger children).
✅ Add a link to your privacy policy.
We hope that this article was helpful. If you still have questions regarding GDPR email consent, checkboxes, or the structure of opt-in forms, please leave your comments below and we will do our best to answer your questions.
Our free plan includes pop-up subscribe forms, embedded signup forms, landing pages and other amazing features!
Editor's note: This post was originally published in June 2018 and has been updated for accuracy and comprehensiveness.