The Ultimate Guide to GDPR Consent – With Examples

Gaining consent under the GDPR is a minefield. Here we cover everything you need to know to optimize your sign up process and comply with the GDPR consent requirements.

GDPR Consent Examples

We’ve put together these guidelines, checklist, and GDPR consent examples to help you grow your business by optimizing your GDPR consent experience.

Amazingly, according to the UN, 66% of countries now have privacy regulations in place. So it’s fair to say that privacy regulation is sweeping the world.

Importantly, it’s now critical to do things correctly, particularly when it comes to gaining consent. The alternative can be disastrous for your business.

Penalties for not getting it right can be devastating for even the largest companies.

For all businesses, it’s the damage to your reputation that can be the hardest to recover from.

On the other hand, recent research confirms that if you respect the privacy of your customers your business will benefit from increased trust and loyalty.

Who wouldn’t want that!

Before You Start, Do You Need GDPR Consent?

The first thing you need to know is that you don’t need to rely on gaining consent for everything you plan to do with personal data.

For data processing to be lawful under the GDPR, you need to identify and document your lawful basis of processing.

There are six lawful bases to choose from, and ‘consent’ is just one of them.

The lawful basis you select is important and must be justifiable.

Other than Consent, your options are:

  • Contract
  • Legal Obligation
  • Vital Interests
  • Public Tasks
  • Legitimate Interests

If you can avoid having to gain consent then you should. There is a good summary of your alternative options on the ICO website here.

The most common alternatives to Consent are Contract and Legitimate Interests. Each has a clear definition and demands its own treatment.

However, if you are going to contact people or send them marketing materials you will likely need to gain consent to do so and record the details.

Marketing includes promotions, white papers, emails, newsletters etc. Essentially anything promoting something that the person hasn’t yet bought or signed up for.

How to gain GDPR consent – What you need to know

The Principles of Valid GDPR Consent

The GDPR has five essential aspects of consent.

For GDPR consent to be valid it must be gained under these principles:

  • Freely given
  • Specific
  • Informed
  • Unambiguous
  • Clear affirmative action

The Do’s and Don’ts of Gaining GDPR Consent

There are two objectives in achieving a good consent process.

Firstly, making the process of consenting as simple as possible for the user.

Secondly, to comply with the regulations.

Each of these is simple by itself but to achieve a successful combination is not easy.

1. Don’t use pre-ticked checkboxes

Consent must be given by taking a clear affirmative action. By presenting users with a pre-ticked box you are only offering an opt-out, not an opt-in.

Example

Pre-ticked Opt-in Box Example

2. Give Separate Granular Consent Options

Where you are asking for consent for multiple purposes, wherever possible, give separate options to consent to different purposes and different types of processing.

Example

3. Make it Easy For Users to Withdraw Consent

Make it easy for people to withdraw consent.

A typical use case for this is to include an email ‘unsubscribe’ option in emails.

Most email service providers make it simple to include an unsubscribe link or a link to a communications preferences center.

Example

Above is an example of an email footer with a link to a communications preferences center. This is an effective way to give the recipient the ability to easily unsubscribe from communications.

Below is a typical communications preferences center user experience. The aim should be to make it as simple for the person to unsubscribe from your marketing as it was for them to subscribe.

Example

A communications preferences center like this gives granular control to the user. This is compliant with the regulations as it gives the user control over how their data is used.

Checklist For Gaining GDPR Consent Compliantly

If you are creating a website, app or just updating your signup process, here’s a handy checklist to help you gain consent correctly.

  1. Check that consent is the most appropriate lawful basis
  2. Make the request for consent prominent and separate from other terms and conditions
  3. Ask people to positively opt-in
  4. Don’t use pre-ticked boxes or other types of default consent
  5. Use clear, plain language that is easy to understand
  6. Specify why you want the data and what you are going to do with it
  7. Give separate granular options to consent separately to different purposes and types of processing
  8. Name your organisation and any third party controllers who will be relying on the consent
  9. Tell individuals they can withdraw consent
  10. Ensure that individuals can refuse consent without detriment
  11. Avoid making consent a precondition of service
  12. If offering online services to children, only seek consent if you have age-verification measures in place

Now see how successful organisations put that into practice.

Here are some examples of good and bad UX consent designs that will help guide you.

Mailchimp

Here is a great example of what not to do by an organization that should know better.

How Does Mailchimp Stack Up?

Mailchimp does well in their request for consent but they mess up on their opt-in.

The Good

They define the positive action that will commit the user to their terms and privacy policy (By clicking the sign-up button).

Mailchimp also makes it clear what the user is signing up for (creating a Mailchimp account), and who the company is (Mailchimp), as well as presenting links to their Terms of Use and Privacy Policy.

The Bad

What they get wrong is that their marketing consent is opted in by default.

This isn’t good. It’s what’s known as a reverse opt-in, i.e. it looks as if you are opted out, but in fact you are opted in unless you opt out.

Importantly, it’s deliberately confusing and something to be avoided at all cost.

Asana

How Does Asana Stack Up?

Overall Asana does well. They offer links to their privacy policy and Terms of Service at the point of data entry.

The Good

The experience is simple and clear. Links to both the Privacy Policy and Terms of Service are adjacent to the data entry and ‘Try for free’ button.

A link to the Terms & Privacy is also available in the footer at the bottom of the page.

The Bad

The ‘affirmative action’ is the action of signing up to try the service. There is no specific or granular opt-in.

Canva

How Does Canva Stack Up?

Canva does well. It is clear, easy to understand and makes the essentials available.

The Good

Simple, well presented UX.

Links to the Terms of Use and Privacy Policy are immediately below the ‘Get started!’ button.

The ‘affirmative action’ that is required for GDPR consent is clearly stated as being ‘By signing up…’

The Bad

Strictly according to the GDPR consent guidelines, consent for two different elements should be separated to enable granular acceptance.

However, with SaaS products of this nature, it is necessary for the individual to accept both the Terms and Privacy Policy in order for Canva to provide that service.

Although this is not representative of best practice, it is understandable why Canva and many others have chosen this route to gain consent.

HubSpot

How Does HubSpot Stack Up?

Hubspot does well and is typical of the way that leading businesses are gaining GDPR consent.

The Good

Clear and simple to sign up and accept the Terms of Service and Privacy Policy. Both are linked just below the ‘Next’ button.

As with other SaaS businesses the affirmative action required for GDPR consent is the action of ‘continuing’. The alternative would be to offer a checkbox but this adds an extra undesirable action for the user.

The Bad

Consent for both the Terms and Privacy Policy is combined; however, this approach is common with highly optimised signup processes.

SAP Concur

How Does SAP Concur Stack Up?

Concur does very well. It’s clear to see that they value the trust of their users highly.

The Good

Concur have taken the regulations at their word and give clear and explicit information with granular opt-in choices. They also give links to their Terms of Use and Privacy Statement.

In addition, they identify their legal entity by including the registered company name. They even go as far as presenting the address of the business.

Although offering all this information and detail creates more text and a potential hurdle to signup, it also demonstrates a commitment to doing privacy correctly. In other words, it engenders trust in their users.

The Bad

There is nothing to say here. Concur are exemplary in their interpretation of GDPR consent and set a good example.

Shopify

How Does Shopify Stack Up?

Shopify is unusual in that they attempt to wrap up consent for their privacy policy together with consent to their cookies policy. This is confusing apart from anything else.

The Good

Shopify are innovative.

Like other services, their first objective is to capture the users’ email address and consent to enable them to market to them. This is simply good marketing practice. The affirmative action that triggers the marketing consent is ‘By entering your email’.

As the user experience unfolds Shopify seeks consent to their Terms of Service and Privacy policy once the user’s store has been created and when they collect the essential account data.

This split consent process is a highly effective way of reducing the initial signup hurdle and gaining compliant GDPR consent to use the personal information.

The Bad

As previously mentioned, Shopify attempt to gain consent to both their privacy policy and cookie policy in the cookie banner. This is highly unusual and not considered to be best practice.

To make matters worse, there is no ability to manage cookies.

Slack

How Does Slack Stack Up?

As we all know, Slack is great for team collaboration because it is simple and clear. They have taken this principle all the way through their signup process and it’s good. They very effectively combine a simple and attractive signup process with diligent compliance.

The Good

Like Shopify, the Slack signup process is slick. They collect the email address in advance of gaining consent. They gain consent later in the account creation process when the user is creating their Slack workspace.

This progressive gaining of consents optimises the success of the onboarding while also complying with the demands of GDPR consent.

It enables Slack to market to the people who drop out of the process early. It also enables them to seek full consent at a compelling stage of account creation.

The Bad

The collection of the initial email address does not have a statement of consent or a defined affirmative action that would constitute best practice GDPR consent.

It also lacks a description of what the user is consenting to by entering their email address.

SurveyMonkey

How Does SurveyMonkey Stack Up?

SurveyMonkey does well.

The Good

SurveyMonkey clearly states that by creating an account the user is agreeing to their Terms of Use and Privacy Notice. This is good.

SurveyMonkey then goes on to add a further consent to receive ‘information and offers relevant to our services’. This is seeking consent to send marketing via email.

In addition, they then confirm that the user will be able to opt out of the marketing emails, and they inform them where this can be done: in the My Account page.

The Bad

The amount of information given appears to be transparent but the way the consent is gained is not aligned with GDPR consent best practice principles.

Combining consent to both Terms of Use and Privacy Notice in one action is incorrect although it is frequently done.

To then add consent to receive marketing materials into the single affirmative action (clicking the Create Account button) is distinctly questionable.

There is no offer of granular consent.

WordPress

How Does WordPress Stack Up?

WordPress signup is simple but inadequate for GDPR levels of consent.

The Good

It’s clear and simple. The affirmative action is to ‘Create your account’. But that’s it.

The Bad

WordPress offers a take-it-or-leave-it approach to privacy. There is no apparent link to a privacy policy of any type.

The link to the Terms of Service goes only to that. It’s then up to the user to find their Privacy link in the footer of the site.

WordPress claims that “Your privacy is critically important to us” but their signup process would suggest the opposite.

The experience inspires no trust in their service as far as privacy is concerned and aligns with neither the principles nor the requirements of GDPR consent.
