---
title: How to Create a GDPR-Compliant Consent Form
description: "Cookie banners tend to dominate the conversation around GDPR compliance, but consent requirements extend far beyond just tracking technologies. Whenever a website asks users for permission to process their personal data for a specific purpose, it does so through a GDPR consent form. These forms come in a variety of formats, such as newsletter sign-ups, contact forms, account registration pages, and countless other interactions where personal data changes hands. However, getting the wording or mechanics wrong on any of these can amount to a GDPR violation, even if your cookie banner itself is fully compliant. This article explains what the GDPR […]"
url: https://www.cookiebot.com/en/gdpr-consent-form/
categories: [Uncategorized]
---

# How to Create a GDPR-Compliant Consent Form

## At a Glance

Key Takeaways

- A consent checkbox alone isn't enough. GDPR sets seven specific conditions consent must meet, and a form that misses any one of them is not compliant, regardless of how it looks.
- Not every form on a website needs a consent checkbox. Contact forms used only to respond to an enquiry can rely on legitimate interest instead. The lawful basis for the processing determines the mechanism.
- Pre-ticked boxes, bundled consent, and consent walls are explicitly non-compliant under the GDPR, and regulators enforce on design, not just legal text.
- Consent wording must name the purpose, the data collected, and how users can withdraw.
- Managing cookie consent at scale is challenging, and manual handling risks firing tracking scripts before consent is given. A CMP is generally needed to reliably block them.

Cookie banners tend to dominate the conversation around GDPR compliance, but consent requirements extend far beyond just tracking technologies. Whenever a website asks users for permission to process their personal data for a specific purpose, it does so through a GDPR consent form. These forms come in a variety of formats, such as newsletter sign-ups, contact forms, account registration pages, and countless other interactions where personal data changes hands.

However, getting the wording or mechanics wrong on any of these can amount to a GDPR violation, even if your cookie banner itself is fully compliant.

This article explains what the GDPR requires, what valid consent looks like across different types of forms, and how to write a compliant GDPR consent form for a few common scenarios.

## What Makes Consent Valid Under GDPR: The 7 Requirements

The GDPR doesn't just require that a consent mechanism exists. It requires that the consent collected through it meets seven specific legal conditions, set out in [Article 7](https://gdpr-info.eu/art-7-gdpr/) and Recital 32.

This means that merely adding a checkbox, [a privacy policy link](https://www.cookiebot.com/en/how-to-write-a-privacy-policy/), and legally drafted wording does not guarantee GDPR compliance if your form design overlooks the core legal requirements.

To determine whether a consent form is GDPR compliant, it must be evaluated against each of the seven requirements outlined below. Each of these conditions affects how consent requests must be presented, collected, and managed.

### 1. Freely Given

Consent isn't valid if it's conditional on something else. If access to a service depends on agreeing to data processing that isn't strictly necessary for that service, the consent is coerced rather than free.

This means you cannot make marketing consent a requirement for signing up or accessing your site, and you can't make one processing purpose a condition of another.

### 2. Specific

Each processing purpose needs its own consent request. Therefore, bundling multiple purposes under a single checkbox fails this condition.

If an email address is being collected for both transactional messages and marketing, those need to be separate opt-ins with separate checkboxes.

### 3. Informed

Users need to know what they're agreeing to before they agree. That means the consent request must name the controller, explain the purpose, identify what data is being collected, and tell users how to withdraw.

Vague language like "we may use your data to improve your experience" doesn't meet this standard, even if it's written by a lawyer.

### 4. Unambiguous

Consent requires clear affirmative action from the user. A pre-ticked box doesn't qualify, and neither does silence, scrolling past a notice, or continuing to use a site. The user has to actively do something to signal agreement.

### 5. Intelligible

The consent request must be written in plain language that a non-expert can understand without legal assistance. Dense legal terminology and disclosures buried in footnotes fail this condition even when they're technically accurate.

### 6. Withdrawable

Withdrawing consent must be as easy as giving it. If a user opted in through a single checkbox, they shouldn't need to contact a support team to opt out.

Therefore, a visible unsubscribe link in every marketing email is the minimum; for cookie consent, users need access to a preference center where they can change their choices.

### 7. Verifiable

Under Article 7(1), organizations must be able to demonstrate that [GDPR consent](https://www.cookiebot.com/en/consent-management/) was obtained. That means maintaining a record that captures what was agreed to, when, through which form, and with what wording.

Without that record, consent can't be verified in an audit, and the burden of proof sits with the organization, not the regulator.

## GDPR Consent Form Requirements by Form Type

One of the most common misconceptions about GDPR consent forms is that every form on a website needs a consent checkbox. In reality, it depends on what data is being collected, how it will be used, and which lawful basis applies to the processing.

Cookie banners, marketing opt-ins, contact forms, and registration pages each have different requirements, and treating them all the same is where many compliance gaps arise.

### Cookie Consent Banners

Cookie consent sits on its own because of the [ePrivacy Directive](https://www.cookiebot.com/en/eprivacy-regulation/), which requires opt-in consent before non-essential cookies can fire. That means a [cookie consent banner](https://www.cookiebot.com/en/cookie-banner/) must appear before any tracking scripts load, not alongside them. It needs to:

- offer a choice between accepting and declining,
- be specific about which categories of cookies are covered,
- and log the consent given.

If tracking scripts load before the user has responded to the banner, the site is non-compliant regardless of how the banner itself is designed.
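The blocking rule described above, as an added example that is not Cookiebot's or any CMP's own code: tags ship inert and are only activated for the categories the visitor opted into, with everything else (including a script whose category the banner never asked about) staying blocked. The category names, the script inventory, the consent object shape and the `data-consent-category` attribute are assumptions made for this example.

```javascript
'use strict';

// Added example, not Cookiebot's code. Models consent-gated script loading:
// third-party scripts are shipped inert and are only activated for the
// categories the user has opted into. Category names, descriptor shape and
// the data-consent-category attribute are assumptions for this example.

const CATEGORIES = ['necessary', 'preferences', 'statistics', 'marketing'];

// Constructed sample inventory. The last entry has a category the banner
// never presented to the user, so it can never be opted into.
const SAMPLE_SCRIPTS = [
  { src: 'https://example.com/js/session.js', category: 'necessary' },
  { src: 'https://example.com/js/analytics.js', category: 'statistics' },
  { src: 'https://example.com/js/ads.js', category: 'marketing' },
  { src: 'https://example.com/js/chat-widget.js', category: 'chat' },
];

// Returns the scripts allowed to run for a given consent state. Fails closed:
// before any decision only 'necessary' runs, and an uncategorised script is
// never activated no matter what the user clicked.
function scriptsToActivate(scripts, consent) {
  const decided = Boolean(consent && consent.decided === true);
  return scripts.filter((s) => {
    if (s.category === 'necessary') return true;        // strictly necessary: no consent needed
    if (!decided) return false;                          // banner not answered yet
    if (!CATEGORIES.includes(s.category)) return false;  // category the banner does not cover
    return consent.categories[s.category] === true;      // explicit opt-in for this category only
  });
}

// Inverse view for the pre-launch test: what stays blocked and why.
function blockedScripts(scripts, consent) {
  const allowed = new Set(scriptsToActivate(scripts, consent).map((s) => s.src));
  return scripts
    .filter((s) => !allowed.has(s.src))
    .map((s) => ({
      src: s.src,
      reason: !CATEGORIES.includes(s.category) ? 'unknown-category'
        : (consent && consent.decided === true) ? 'declined' : 'no-decision-yet',
    }));
}

// Browser wiring (only meaningful where a DOM exists). Scripts are authored as
//   <script type="text/plain" data-consent-category="statistics" src="..."></script>
// so the browser ignores them. After a decision, permitted ones are swapped for
// real <script> elements; declined ones are left inert.
function activateInDocument(doc, consent) {
  const nodes = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent-category]'));
  const inventory = nodes.map((n) => ({
    src: n.getAttribute('src') || '', category: n.dataset.consentCategory, node: n,
  }));
  for (const entry of scriptsToActivate(inventory, consent)) {
    const live = doc.createElement('script');
    live.src = entry.src;
    entry.node.replaceWith(live);
  }
}

if (typeof document === 'undefined') {
  // Node.js demo with a constructed decision: statistics accepted, marketing declined.
  const decision = { decided: true, categories: { preferences: false, statistics: true, marketing: false } };
  console.log('activate:', scriptsToActivate(SAMPLE_SCRIPTS, decision).map((s) => s.src));
  console.log('blocked :', blockedScripts(SAMPLE_SCRIPTS, decision));
}
```

Running it in Node prints the two lists for the constructed decision; in a page, `activateInDocument(document, decision)` is called once after the banner records a choice, and never on page load. Note that a missing category key in the consent object counts as declined, not accepted.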

### Newsletter and Email Marketing Sign-Ups

Marketing email requires [opt-in consent](https://www.cookiebot.com/en/opt-in-vs-opt-out-consent-website/): a clearly labeled, unticked checkbox that the user actively selects. The consent text must:

- name the sender,
- describe the type of content subscribers will receive,
- and link to the privacy policy.

If the same form is also collecting data for a different purpose, that requires a separate field, not a broader checkbox that covers both.

### Contact and Enquiry Forms

A standard contact form where data is collected solely to respond to the user's message can generally rely on legitimate interest rather than consent. This means that no checkbox is required for that processing.

However, if this same form is used to add a person to a marketing list, that requires its own explicit opt-in consent, kept visually and structurally separate from the contact processing notice.

### Account Registration Forms

Registration forms can collect the data needed to create and manage an account on a contractual basis. Consent isn't required for that part of the processing. It's only needed for additional uses that go beyond account management, such as behavioral profiling or marketing communications. Those purposes need to be separated from the registration flow and opted into individually.

## How to Create a GDPR Consent Form: Step-by-Step

Getting the form types and wording right is only half of it. The other half is making sure the consent mechanism actually works end to end: that scripts don't fire before consent is given, that withdrawal works without friction, and that there's a record of all of it.

Here’s how to create a compliant GDPR consent form:

1. Map every point on the site where personal data is collected. Forms, chat tools, analytics scripts, embedded widgets. For each one, note what data is collected and the stated reason for collecting it.
2. Determine the lawful basis for each type of processing. Consent, legitimate interest, contract, or legal obligation. Only use consent where it's the appropriate basis, not as a default for anything that doesn't fit elsewhere.
3. For cookie consent, implement a [Consent Management Platform (CMP)](https://usercentrics.com/knowledge-hub/cmp-definition/) that automates scanning, categorization, banner display, and consent logging. This is the layer that requires the most ongoing maintenance as vendors update their scripts and new tools are added to the site.
4. For other form types, write consent wording that meets all seven GDPR conditions using the templates in the next section.
5. Add a visible, accessible withdrawal mechanism for every processing activity that users can opt into. For email, that's an unsubscribe link in every message. For cookie consent, that's a preference center users can return to.
6. Test the full consent flow before going live, including withdrawal, across both desktop and mobile. Check that no scripts fire before consent is given and that declined categories stay blocked.
7. Maintain consent records that capture what was agreed to, through which mechanism, and when. These are your evidence of compliance if a Data Protection Authority asks.

## Good vs. Bad: GDPR Consent Form Design Examples

Regulators don't only enforce legal text. The [EDPB's Guidelines 3/2022](https://www.edpb.europa.eu/our-work-tools/documents/public-consultations/2022/guidelines-32022-dark-patterns-social-media_en) on Dark Patterns make clear that they assess the full design of a consent mechanism, and that specific interface choices can constitute violations even when the surrounding legal language appears correct.

These are the four most commonly cited patterns.

### Dark Pattern 1: Pre-Ticked or Pre-Selected Options

Pre-selected checkboxes don't constitute a clear affirmative action under Article 7 and Recital 32. The EDPB explicitly identifies this as a dark pattern. Consent obtained this way is invalid regardless of the wording around it.

### Dark Pattern 2: Consent Bundled Into Terms of Acceptance

Bundling consent for marketing or data processing into acceptance of terms fails the specificity requirement. Each processing purpose needs its own request. The [EDPB's Guidelines 05/2020](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-052020-consent-under-regulation-2016679_en) are explicit: a single checkbox covering multiple purposes doesn't produce valid consent for any of them.

### Dark Pattern 3: Making Consent Mandatory for Service Access

A consent wall, where access depends on accepting data processing that isn't strictly necessary for that service, makes consent conditional and therefore not freely given. The EDPB's Guidelines 05/2020 are clear that access to a service cannot be made contingent on consenting to processing beyond what's needed to provide it.

### Dark Pattern 4: Asymmetric Opt-Out (Hard to Withdraw)

When withdrawing consent is meaningfully harder than giving it, through visual hierarchy, extra clicks, or hidden controls, the mechanism violates the withdrawable requirement. The EDPB's interface design guidance requires that accept and decline options be equally accessible, not just technically present.
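The four patterns above, and the "evaluate the form against each requirement" check from the first section, can be applied to a form before it ships if the form is described declaratively. The following linter is an added example, not the EDPB's or Cookiebot's tooling; the description format (one entry per control with its lawful basis, purposes, default state and click counts), the two sample forms and the lawful-basis names are assumptions made for this example.

```javascript
'use strict';

// Added example, not the EDPB's or Cookiebot's tooling. Lints a declarative
// description of a form against the four dark patterns above, which is also a
// check of the Freely given, Specific, Unambiguous and Withdrawable conditions.
// The description format, sample forms and basis names are assumptions.

const LAWFUL_BASES = ['consent', 'legitimate_interest', 'contract', 'legal_obligation'];

function lintConsentForm(form) {
  const findings = [];
  const flag = (control, pattern, issue) => findings.push({ form: form.id, control, pattern, issue });

  for (const c of form.controls) {
    if (!LAWFUL_BASES.includes(c.basis)) {
      flag(c.id, 0, `no recognised lawful basis ('${c.basis}')`);
      continue;
    }
    // Contact replies (legitimate interest) and account creation (contract)
    // are not consent, so the consent design checks do not apply to them.
    if (c.basis !== 'consent') continue;

    // Pattern 1: pre-selected control is not an affirmative action.
    if (c.checkedByDefault === true) flag(c.id, 1, 'pre-ticked: no affirmative action');
    // Pattern 2: one control must cover exactly one purpose.
    const n = Array.isArray(c.purposes) ? c.purposes.length : 0;
    if (n !== 1) flag(c.id, 2, `covers ${n} purposes; one purpose per control`);
    // Pattern 3: consent cannot be a condition of submitting the form.
    if (c.required === true) flag(c.id, 3, 'consent wall: form cannot be submitted without consenting');
    // Pattern 4: withdrawing must be no harder than giving.
    const give = c.clicksToGive ?? 1;
    if (c.clicksToWithdraw == null) flag(c.id, 4, 'no withdrawal route declared');
    else if (c.clicksToWithdraw > give) flag(c.id, 4, `withdrawal takes ${c.clicksToWithdraw} clicks, consent ${give}`);
  }
  return findings;
}

// Constructed sample: a registration form exhibiting all four patterns.
const BAD_FORM = {
  id: 'signup-v1',
  controls: [
    { id: 'account', basis: 'contract', purposes: ['account_management'], required: true },
    { id: 'terms_and_marketing', basis: 'consent', purposes: ['terms', 'marketing_email'],
      checkedByDefault: true, required: true, clicksToGive: 1, clicksToWithdraw: 5 },
  ],
};

// Constructed sample: the same form with each additional purpose separated,
// unticked, optional, and withdrawable in as many clicks as it took to give.
const GOOD_FORM = {
  id: 'signup-v2',
  controls: [
    { id: 'account', basis: 'contract', purposes: ['account_management'], required: true },
    { id: 'marketing_email', basis: 'consent', purposes: ['marketing_email'],
      checkedByDefault: false, required: false, clicksToGive: 1, clicksToWithdraw: 1 },
    { id: 'profiling', basis: 'consent', purposes: ['behavioural_profiling'],
      checkedByDefault: false, required: false, clicksToGive: 1, clicksToWithdraw: 1 },
  ],
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log('signup-v1:', lintConsentForm(BAD_FORM));
  console.log('signup-v2:', lintConsentForm(GOOD_FORM)); // []
}
```

The contract-basis control is deliberately `required` and is not flagged: mandatory fields for account creation are fine, because that processing does not rest on consent. Only controls whose basis is consent are held to the four patterns.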

## You Don't Need to Manage Consent Manually

Use Cookiebot CMP to automate cookie consent collection, maintain consent records, and simplify one of the most complex parts of GDPR compliance.

[Try Cookiebot CMP for Free!](/en/cookie-consent-solution/)

## GDPR Consent Wording: Ready-to-Use Templates

Wording and design go hand in hand when creating a GDPR consent form. The templates below cover common scenarios and are intended as starting points for you to create a compliant GDPR consent form. Before use, replace the bracketed text with details that accurately reflect the specific processing activity.

### Newsletter Opt-In Consent Wording

“I agree to receive marketing emails from [Company Name], including news, product updates, and offers. [Company Name] will use my email address for this purpose only. I can unsubscribe at any time by clicking the link in any email or by contacting [contact@company.com]. See our [Privacy Policy] for full details.”

This wording names the controller, states the purpose, limits use to what's described, and gives a clear withdrawal route. The content description, "news, product updates, and offers," should be customized to accurately reflect what subscribers will actually receive.

### Contact Form Consent Wording (Where Marketing Is Added)

“[Company Name] will use the information you provide to respond to your enquiry.

I'd also like to receive occasional updates and marketing communications from [Company Name]. I can opt out at any time.”

The first sentence covers contact processing under legitimate interest, so no checkbox is required for that part.

The second is a separate opt-in for marketing only. Keeping these visually and structurally distinct is what satisfies the specificity requirement; combining them into a single statement would invalidate both.

### GDPR Consent Statement for Data Sharing With Third Parties

“I agree to [Company Name] sharing my personal data with [named third party or category of third parties] for the purpose of [specific purpose, e.g., "personalized advertising"]. I can withdraw this consent at any time by [withdrawal method, e.g., "visiting my account settings or contacting privacy@company.com"]. See our [Privacy Policy] for details.”

Third-party data sharing requires explicit, specific consent. The third party must be named. Vague references to "partners" or "selected companies" don't satisfy the specificity requirement and have been cited in regulatory enforcement actions.

## Your GDPR Consent Forms Are Only as Strong as Your Setup

Valid wording and correct form design are necessary, but they only hold up if the technical layer works too: scripts must stay blocked until consent is given, withdrawal must be honored, and a record of both must be kept.

Cookie consent is often where these requirements become most difficult to manage. Websites may rely on dozens of third-party scripts, each of which needs to respond correctly to a user's consent preferences. Controlling when each one fires based on individual consent signals isn't something that can be handled manually at scale.

A CMP like Cookiebot can help automate these processes by controlling script deployment, maintaining consent records, and supporting ongoing compliance. While the templates above can help with consent wording across forms and data collection points, cookie consent typically requires a technical solution.

## Take the guesswork out of GDPR

Deploy a fully compliant, transparent consent mechanism built to earn visitor trust from day one, with audit-ready records maintained throughout.

[Try Cookiebot for free](/en/signup/)