GDPR consent

Under the GDPR, consent to process personal data must be freely given, specific, informed and unambiguous, captured by a clear affirmative action. In form terms that means an unticked checkbox the respondent actively selects — never a pre-ticked box and never consent bundled into the act of submitting.

Specific means one purpose per consent: a checkbox that simultaneously agrees to terms and opts into marketing is not valid, because the respondent cannot consent to one without the other. Separate distinct purposes into separate, granular choices.

Consent must be as easy to withdraw as to give, and you must be able to demonstrate it: record what was agreed, the wording shown, and when. Pair this with double opt-in for email lists and with data portability so you can honour access and erasure requests.

← Back to the glossary · or build a form free.