

How to create effective opt-in forms that still work under GDPR

Marta Poliakova
· 21 min read · Websites and forms · Sep 27, 2021

The General Data Protection Regulation (GDPR) has given us many new requirements to consider with email marketing, but the biggest source of confusion and the most questions have revolved around one area—opt-in consent forms (aka subscriber signup forms).

We want to clear up the confusion surrounding opt-in forms under GDPR data privacy laws by showing you real-world examples and analyzing what works and what doesn’t. 

We'll show you GDPR opt-in examples for:

  • Getting consent for one thing

  • How to use lead magnets

  • When to use checkboxes

  • How to comply with age verification

  • How to get GDPR consent for multiple things

  • When too much explanation is confusing

Let’s get started!

Firstly, here's a little announcement from us.


This article is made available by MailerLite for educational purposes only as well as to give you general information and a general understanding of the law. It does not aim to provide specific legal advice. By using this blog site, you understand that there is no attorney-client relationship between you and MailerLite. We strongly recommend consulting a lawyer to discuss the individual needs of your business.

All good? OK, let's go!

Before we get into all the fun opt-in form examples, we want to start with the actual legal language from GDPR regarding email consent requests. Creating effective opt-in forms under GDPR starts with understanding what it actually says.

Article 4(11) states,

“Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

Recital 32 further specifies:

“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data.”

Wow! That is a lot to take in. As you can see, the GDPR sets a high standard for affirmative consent. 

GDPR fields are elements that can be added to your signup forms to enable you to properly collect and store subscriber consent. By using GDPR fields, you will help to ensure that your organization remains compliant regarding the GDPR. 

GDPR fields include consent text with a description of why the user’s data is being collected, options using checkboxes to allow the user to opt-in to specific services, legal text which explains in legal terms how the data will be used, and links to privacy policy and terms. 

To activate GDPR fields in MailerLite, in the Signup form settings within your form editor, select Marketing permissions fields (GDPR-compliant) and Privacy policy.

GDPR fields in MailerLite

Check out this video tutorial to learn about more GDPR tools in MailerLite.

Now let’s go over some opt-in form examples to help you figure out how to implement these requirements.

If you only need consent for one item, such as to receive newsletters, the opt-in form can be super easy and straightforward. The easier your form is to fill in, the more subscribers you will get.

Discovery magazine GDPR consent example

Asking for consent to receive newsletters from Science News

This is a good opt-in form example to follow. There’s no need to add a GDPR compliance checkbox because consent is needed for one purpose—to receive weekly news. There’s also a link to the Privacy Policy which is a good practice.

That said, pay attention to the statement underneath the submit button. It says that after signing up, a subscriber will receive occasional surveys and special offers. This is not clear to the subscriber.

To avoid a misunderstanding, we recommend that this text is placed in the main area. So the copy could read:

“Get the latest weekly science news, occasional surveys and special offers delivered right to your inbox”. 

This would be a better way to approach consent.

The Huffington Post GDPR consent example

Asking for consent to receive newsletters from Huffpost

This is also a good example of a simple, clear and accurate opt-in form with no unnecessary information. From our point of view, the only thing missing is a link to the Privacy Policy. It’s also a good practice to mention that the person can unsubscribe at any time.

Smashing magazine GDPR consent example


The above opt-in example is another good one to follow. Smashing magazine elaborated even further by mentioning how many times per month they send out their newsletter. However, it would have been better if they added a link to their Privacy Policy.

TechCrunch GDPR consent example


Another interesting example of an opt-in form can be seen above by TechCrunch. They made it possible for their subscribers to choose the topic of the newsletter they would like to receive. It's a great way of letting your subscribers pick the content topics that they're truly interested in. What makes this example even better is that the unsubscribe and Privacy Policy links are also included.

Digital Spy GDPR consent example


Let’s review the disclaimer at the bottom of the opt-in form. It says: “Digital Spy and other brands published by Hearst UK would like to contact you about our products and services as well as discounts and offers, as detailed in our Privacy Notice. Please tick this box if you'd rather not receive these emails.”

Unfortunately, this is not the right way of getting subscribers’ consent. As you know, consent means a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of agreement to the processing of personal data. In simple terms, this means that you have to ask people to actively opt-in.

Forbes GDPR consent example


Yay, here’s a great example of a picture-perfect opt-in form created by Forbes. They made it explicitly clear how often subscribers will receive their newsletters and what their emails will be about. They also added a link to the Privacy Policy and informed subscribers about the possibility to opt-out. Well done!

It is very common to give away something for free in exchange for an email address. These are often called lead magnets. Under GDPR, you can’t just obtain an email with a lead magnet without explaining how you will use the email.

CottonOn & Co. Perks example

Give away exchange for email address GDPR example from CottonOn

In this e-commerce example, there is not a clear explanation of what the person is signing up for. If you are asking to exchange an email address for a freebie or voucher, you won’t be able to send them newsletters, news, special offers or other emails.

A safe option here would be to add a GDPR checkbox underneath and ask people to tick the box if they want to get a newsletter or special offers.

You could also say something like:

"To receive a voucher, please subscribe to our newsletter and daily news. Don’t worry, you can unsubscribe at any time."

You wouldn't need to add any GDPR tick boxes in this case because you make it explicitly clear that the lead magnet is being offered in return for joining the email list.

Red Bull does a much better job in the next example.

Red Bull GDPR lead magnet example

Give away exchange for email address GDPR example from Redbull

Follow Red Bull’s example of being super clear and explicit. They show how a freebie can be connected to a subscription. They include the incentive, the explanation of email marketing consent and they mention the unsubscribe option. Great job Red Bull!

Moda Operandi lead magnet example


Another good example of newsletter consent including a freebie! The discount is offered to attract more subscribers to sign up for the newsletter and people are informed about what they will receive.

Bark Post lead magnet example


This is another good opt-in form example with a lead magnet. Our only advice is to not make the text under the subscribe block too small because as a Data Controller you have to make it explicitly clear for what purposes you are collecting emails and not hide anything. Also, don’t forget the link to the Privacy Policy in your opt-in forms!

Checkboxes are necessary when you are trying to get consent for two separate things, such as a newsletter and advertising. If you don’t need to use checkboxes, it is much better to avoid them. You’ll get higher conversions with fewer checkboxes!

Bratislava GDPR checkbox example

Unnecessary checkboxes for opt-in forms under GDPR example from Bratislava

From our point of view, the GDPR tick boxes in the form above are not necessary. Let’s take a closer look at the first checkbox, which says:

“I agree to my email being stored and used to receive the newsletter.”

The form is GDPR-compliant without this checkbox because the only purpose of this form is to get consent for receiving newsletters. The second checkbox is not needed because you are allowed to put offers in your newsletters.

If someone has to read several checkboxes and make multiple decisions, they are less likely to complete the form.

Michael Kors GDPR checkbox example

Unnecessary checkboxes for opt-in forms under GDPR example from Michael Kors

GDPR compliance is also shown with this opt-in form. However, we would recommend that you let your customers choose how they want to receive news from you—by email, via SMS, by post, etc. In this case, you would use multiple checkboxes.

The checkbox is needed because the original purpose of the form is to check out of the store. To send newsletters, they needed to add a separate checkbox asking for explicit consent.

CBS Sports example

CBS Sports signup form example

CBS Sports created a good GDPR-compliant opt-in form. However, there’s no need to add a GDPR tick box because consent to data processing is being asked for only one thing.

YOOX example

YOOX example of unnecessary GDPR fields

This is our last example of a good GDPR-compliant opt-in form. However, the checkbox here is not needed as the subscriber's consent is given for one purpose only.

Article 8 of the GDPR states that regarding the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old.

If the child is below the age of 16 years, such processing shall be done on a lawful basis only if and to the extent that consent is given or authorized by the holder of parental responsibility for the child.

Monki Style GDPR age verification example

Age verification under GDPR example

Do you think the above form works under GDPR?

Let’s take a closer look at it. There are two types of confirmation: age verification and consent to receive personalized marketing material, but only one checkbox.

What if someone wants to confirm that they are 16+ years old, but does not want to receive marketing emails? From our point of view, this kind of opt-in form is bundled, which means the two items should be separated using checkboxes.

That said, the text they use to verify age is good. Just don’t merge it with the other things and you are good to go.

COS example


As you can see, the GDPR tick box says: “I confirm that I am 16 years or older and I consent to COS processing my personal data in order to send personalized marketing material in accordance with the privacy notice.”

At first glance, this sounds good, but what if the subscriber is older than 16 years old and not interested in personalized marketing material? For this reason, we would suggest having two separate consent checkboxes.

Member States may provide by law a lower age for those purposes provided that such lower age is not below 13 years.

The controller shall make reasonable efforts to verify in such cases that consent is given or authorized by the holder of parental responsibility for the child, taking into consideration available technology.

To comply, you should consider adding age verification or parental consent options to your forms if you offer online services directly to children.

The European Data Protection Board has issued guidelines in which they explained how to verify parental consent. They highlight that a proportionate approach should be taken towards the authorization of a holder of parental responsibility—data controllers should focus on obtaining a limited amount of information, such as the contact details of a parent or guardian. 

In low-risk cases, it is suggested to obtain the verification of parental responsibility via the parent’s email. In high-risk cases, trusted third-party verification services that offer solutions to minimize the amount of personal data the controller has to process itself might be used.

The European Data Protection Board provides an example of how parental consent can be received:

An online gaming platform wants to make sure underage customers only subscribe to its services with the consent of a parent or guardian. The controller follows these steps:

Step 1: Ask the user to state whether they are under or over the age of 16 (or alternative age of digital consent). If the user states that they are under the age of digital consent:

Step 2: The service informs the child that a parent or guardian needs to consent or authorize the processing before the service is provided to the child. The user is requested to disclose the email address of a parent or guardian.

Step 3: The service contacts the parent or guardian and obtains their consent via email for processing and takes reasonable steps to confirm that the adult has parental responsibility.

Step 4: In case of complaints, the platform takes additional steps to verify the age of the subscriber.

Nintendo parental consent form

In this example from Nintendo, the user is prompted to enter the email address of a parent or guardian, after submitting their details. This prevents underage users from receiving content that is unsuitable for their age. 

Let’s take a look at one of the most important GDPR explanations regarding consent, which is stated in Recital 32:

“Silence, pre-ticked boxes or inactivity should not, therefore, constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them.”

It is mandatory to ask for consent for each purpose. Here are some GDPR-compliant examples, which place separate consent checkboxes for marketing purposes and profiling.

Armani Store GDPR consent example

Getting consent for multiple purposes under GDPR example from Armani

Juventus GDPR consent example

Getting consent for multiple purposes under GDPR example from Juventus

In these examples from Armani and Juventus, they’ve included checkboxes for each purpose the user’s data could be used for. While some users might skip reading these options, they are clear and concise, and if the user doesn’t check them, no consent is given. 

Guess GDPR consent example

Getting consent for multiple purposes under GDPR example from Guess

The important thing to notice in the example above is that if a subscriber doesn’t choose the “Yes” or “No” boxes, it counts as “No”. We recommend simply using one checkbox to avoid a confusing user experience.

Insure4Sport consent example


As you can see there are 2 options here: Subscribers are asked to choose whether or not they would like to get offers and information from their partners. However, we would suggest having only one option: “Yes”. Otherwise, it should mean “No”.

GDPR requires the explanation of services to be explicit and clear. While this is a subjective rule, you need to do your best to communicate as clearly and efficiently as possible. 

People aren’t fond of lengthy or complicated opt-in forms—they want to get through the “fine print” quickly and be sure of what they’re signing up for. Your copy needs to be simple and concise, without skimping on important information. 

This brings us to our last example, which shows how wording can get confusing. This is an example of what NOT to do:

GDPR opt-in form explanation of services

If you thought that the double opt-in method is the only form allowed by GDPR, we have some news for you!

First of all, let’s cover the similarities and differences between the single and double opt-in methods.

Both methods allow you to grow your email list in a simple and secure way. Why secure? Because both times you receive what you need most in terms of staying GDPR-compliant, which is consent. 

Let's clarify that GDPR doesn’t make it mandatory to set up the double opt-in method for collecting email addresses. Actually, GDPR says nothing about single or double opt-in. The only thing that matters is the ability to provide proof of consent.

Using the single opt-in method, you should be able to capture a timestamp of subscriber consent (time, date, location) and the source of the opt-in (website, social media, etc.). Possession of this personal information makes you fully compatible with GDPR opt-in requirements. However, to have a stronger paper trail of the proof of consent, you can enable the double opt-in method—which means that anyone who subscribes will have to confirm their request twice. 

Double opt-in is a more advanced way of collecting email addresses. However, it doesn’t make the single opt-in method invalid or improper.

Learn how MailerLite’s GDPR tools ensure your email marketing is GDPR compliant.

To help you create the best opt-in forms that comply with GDPR, we created a checklist that you can use to verify that your forms are good to go.  

Handy dandy opt-in form checklist

✅ Use clear, plain and easy-to-understand language.

✅ Ask for consent separately for each specific purpose.

✅ Ask users to actively opt-in and don’t use pre-ticked boxes.

✅ Make the request for consent prominent and separate from our terms and conditions.

✅ Tell individuals they can withdraw their consent at any time.

✅ Have simple and effective withdrawal mechanisms in place.

✅ Ensure that individuals can refuse to consent.

✅ Explain why we ask for their data and what we’re going to do with it.

✅ Only seek consent from children using age-verification measures (and parental-consent measures for younger children).

✅ Add a link to our Privacy Policy.

We hope that this article was helpful. If you still have questions regarding GDPR email consent, checkboxes or the structure of opt-in forms, please leave your comments below and we will do our best to answer your questions.

Editor's note: This post was originally published in June 2018 and has been updated for accuracy and comprehensiveness.

Hi, my name is Marta, legal counsel at MailerLite. As a legal professional, it’s my job to ensure we’re always following the rules, especially regarding GDPR compliance. To blow off steam, I enjoy kickboxing. I call my punching bag “Mr. GDPR,” and boy do I get a good workout.