GDPR and form consent: legal requirements for data collection

Home / Everything About / Everything About Forms / GDPR and form consent: legal requirements for data collection

GDPR is the privacy law for Europe. If your form collects any information from visitors in the European Union, even just their email, GDPR applies to you. This is not something that affects only large companies or specific industries. GDPR covers every business anywhere in the world that gathers data from European residents, and the penalties for getting it wrong are severe.

GDPR and form consent are the legal rules that govern what data you can collect from EU visitors, how you ask for it, and what you do with it. Understanding these rules is essential before you build any form that collects data from European residents.

What you'll learn: What GDPR is and who it applies to, what legal consent means, how to structure form fields and checkboxes to meet GDPR requirements, and what happens if you do not comply.

What is GDPR and does it apply to your forms?

GDPR (General Data Protection Regulation) is a European Union law that controls how organizations collect, store, and use personal data. It applies to any company, anywhere in the world, that collects information from EU residents.

Your forms fall under GDPR if:

  • You have any visitors from the EU and your form collects information from them
  • You collect email addresses, names, phone numbers, IP addresses, or any other identifying information
  • You collect information about EU residents even if you are not based in the EU

It does not matter if your business is large or small, what industry you are in, or whether you sell anything. If you collect data from EU residents, GDPR applies.

What does GDPR require of forms?

GDPR sets several specific rules for forms that collect data:

Transparency: Tell visitors what you are collecting

Before someone fills out your form, they must know what data you are collecting and why. You must provide clear information about:

  • What data you are collecting (email, name, etc.)
  • What you will do with it (send them emails, add them to a mailing list, store it for future contact)
  • Who will have access to it (your team, third-party services, etc.)
  • How long you will keep it

This information should be visible to visitors before they submit the form. A privacy policy that you link to is not enough. You must provide the key information right on the form page or above the form itself.

Consent: Ask explicitly, do not assume

For most data collection, you need explicit consent from the visitor. They must actively agree to your terms. Checking a box is consent. Being silent is not.

This is different from how forms worked before GDPR. You cannot assume that because someone submitted a form to contact you, they are automatically willing to be added to your marketing email list. Each use of the data requires separate consent.

Consent must be freely given

The consent cannot be a condition of using your service if the data is not necessary for that service. For example, if someone fills out a contact form to ask a question, you need their email to respond. You do not need consent for that because it is necessary. But if you want to add them to your marketing newsletter, that is optional, and you need explicit consent.

The consent mechanism itself must be clear

If you use a checkbox for consent, it must start unchecked. Visitors must actively check it. Pre-checked boxes do not count as consent. The language must be clear and simple, not buried in legal jargon.

Structuring forms for GDPR consent

Essential vs. optional data

First, separate the data you absolutely need from data that is optional:

  • Essential: Information you need to fulfill the request (email to respond to a contact form, address to ship an order)
  • Optional: Information you want for marketing or analytics (which channel did they come from, what is their job title)

Mark optional fields clearly with "(optional)" so visitors know they do not have to fill them in.

Separate consent checkboxes

If you want to use data for multiple purposes, use separate checkboxes. One for "I agree to be contacted by email" and another for "I agree to receive marketing emails." Do not combine them into one checkbox.

<label>
  <input type="checkbox" name="contact_consent" required>
  You agree that we may contact you to respond to this inquiry
</label>

<label>
  <input type="checkbox" name="marketing_consent">
  I agree to receive marketing emails about new products and special offers
</label>

Notice that the first checkbox is required (necessary for the service) but unchecked by default. The second is optional (marketing is not necessary) and also unchecked by default.

Clear, readable consent language

The checkbox text must be clear and specific. Generic phrases like "I agree to your terms and conditions" do not satisfy GDPR. Be specific about what the visitor is agreeing to.

Bad: "I agree"

Better: "I agree to receive marketing emails"

Best: "I agree to receive marketing emails about products and offers approximately twice per month"

The more specific, the better. Tell visitors exactly what they are consenting to.

Link to your privacy policy

After the consent checkboxes, include a link to your full privacy policy. This allows visitors to read the complete details about how you handle their data if they want to.

By submitting this form, you agree to our <a href="/privacy-policy">privacy policy</a>.

Data retention and GDPR

GDPR also requires that you only keep personal data as long as necessary. You must set and follow a data retention policy.

  • How long will you keep contact form submissions? (30 days? 6 months? Until the inquiry is resolved?)
  • How long will you keep people on a marketing email list? (Until they unsubscribe?)
  • How long will you keep customer data after a purchase? (7 years for tax records, then delete)

Document your retention policy and enforce it. Set up a schedule to delete old submissions and data automatically.

Rights that GDPR gives to data subjects

When someone submits a form to your site, they have rights under GDPR:

  • Right of access: They can ask what data you have about them
  • Right to be forgotten: They can ask you to delete their data (though there are exceptions, like tax records)
  • Right to rectification: They can ask you to correct incorrect data
  • Right to data portability: They can ask you to give them their data in a portable format
  • Right to withdraw consent: They can withdraw consent to marketing emails or other uses at any time

You should be prepared to handle these requests. This usually means having a process for people to submit these requests (an email address, a form, etc.) and a way to respond within 30 days.

GDPR fines and consequences

GDPR violations carry significant penalties:

  • Up to 20 million euros or 4% of your annual worldwide revenue (whichever is higher) for the most serious violations
  • Up to 10 million euros or 2% of revenue for less severe violations
  • In practice, even small companies face six-figure fines for data breaches or consent violations

Beyond fines, a GDPR violation can damage your reputation, lose you customers, and create legal liability if data is misused.

GDPR compliance checklist for forms

  • [ ] You have identified what data you are collecting
  • [ ] You have a clear privacy policy
  • [ ] You display the key privacy information above or within the form
  • [ ] All checkboxes start unchecked
  • [ ] Consent checkboxes use clear, specific language
  • [ ] You have separate checkboxes for separate uses of data (contact vs. marketing)
  • [ ] Your form explains data retention (how long you keep submissions)
  • [ ] You have a data retention policy and enforce it (delete old data)
  • [ ] You have a process for people to request access, deletion, or correction of their data
  • [ ] You can easily unsubscribe people from marketing emails
  • [ ] You know where visitor data is stored and who has access to it

What WEMASY does for GDPR compliance

WEMASY forms include consent management features that help you meet GDPR requirements. You can add consent checkboxes to your forms and WEMASY records which options each visitor consented to. Submissions include timestamps so you know when consent was given. WEMASY also helps you manage data retention by allowing you to set automatic deletion policies for old submissions.

Your brand still needs a privacy policy and needs to decide how to handle data access requests, but WEMASY handles the technical infrastructure for consent and data management.

Learn more about compliance features in your plan on the pricing page.

Frequently asked questions

Does GDPR apply if all my visitors are outside the EU?

With WEMASY's <a href="/website-builder" target="_blank">website builder</a>, you can set this up directly on your website.

Can I pre-check consent boxes if they are not required for my service?

What if someone does not consent to marketing but still wants to use my service?

How do I respond to a data deletion request?

Is IP address considered personal data under GDPR?