Contrary to popular belief, having a checkbox on every form that collects personal data is not required under the GDPR. A checkbox isn’t required if the user, by submitting a form for its stated use, gives explicit consent.
For example, a contact form needed for support requessts, where the intended use of the collected data is to send a reply to your question, does not require an additional consent checkbox.
If additional actionable uses of the collected data may exist, an explicit consent checkbox will probably be required. See below examples regarding newsletters, it can be easier andmore effective than you might realize!
Example: Collected data is not relevant to stated use
If you’re collecting data that is not directly related to the stated use, you will need consent and your privacy statement should explain how this data is handled. Instead of personalizing content based on personal information, let users pick prefilled categories that are relevant to them.
- This data is not relevant to the stated use.
- The acceptance checkbox is needed due to irrelevant datasets.
- The acceptance checkbox is unchecked by default for explicit consent!
Example: Although allowed. You don't need a checkbox.
The stated use is “Get a monthly update about our services to your inbox.” The act of subscribing consents to the stated use. In this case the frequency and content are clear and concise, but do not deviate from the exact purpose.
- The stated use is clear about frequency and content.
- The acceptance checkbox is not necessary
Example: Simple and effective
This is a simple and effective way of collecting email addresses, without any consent.
- While correct, please make sure you're not using the email address for anything other than stated.
