Skip to content

GDPR consent form examples and expert advice: Tips for creating your own

Celestine Bahr, Director Legal at Usercentrics.
Author
Celestine Bahr
Read time
8 mins
Published
Oct 3, 2025
Resources / Blog / GDPR consent form examples and expert advice: Tips for creating your own
Summary

Consent forms are central to compliance with the General Data Protection Regulation (GDPR), shaping how your organization collects and processes data while deeply impacting relationships with customers. 

Three out of four people say they expect companies to prioritize compliance, even at the cost of business progress. But the way you design consent forms actually has a direct impact on business performance. 

Effective forms optimize opt-in rates and improve the quality of data you rely on for marketing initiatives. By contrast, unclear or poorly functioning forms risk damaging customer trust in your brand.

If you’re unsure whether your organization is GDPR-compliant, this guide shows you what valid consent looks like under the GDPR. We explore five effective GDPR consent examples, and outline best practices you can follow to create your own compliant forms.

Key takeaways

  • For consent to be valid under the GDPR, it must be freely given, specific, informed, unambiguous, granular, and easy to withdraw.
  • Real-world examples show that clear, prominent, and brand-consistent consent forms build trust while enabling businesses to remain privacy-compliant.
  • Organizations must separate essential data collection from optional marketing permissions to ensure consent is truly voluntary.
  • Best practices include using plain language, linking to a privacy policy, offering granular options, and keeping a record of consent choices.
  • A consent management platform like Usercentrics Consent Management Platform (CMP) helps automate compliance, optimize opt-in rates, and reduce legal risk.

Consent is one of the six lawful bases for collecting and processing personal data. However, it must meet GDPR consent requirements to count as valid and contribute to compliance:

  • Freely given: Users must have a genuine choice, without pressure or manipulation.
  • Specific: Consent must relate to specific purposes, such as receiving newsletters or enabling personalization.
  • Informed: Users need clear, easily accessible information about what data is collected, why, and their rights and how to exercise them.
  • Unambiguous: Consent requires affirmative action, such as clicking “accept” or ticking an empty box. Implied consent is not valid.
  • Granular: Users should be able to consent separately for different activities.
  • Prior consent: No processing should begin before explicit consent is obtained.
  • Right to withdraw: People must be able to withdraw consent as easily as they gave it, and processing must stop immediately.

Note that some website forms require explicit, opt-in consent, while others may give you another legal basis for processing data and have lighter requirements. 

Many organizations use pop-ups with embedded forms to automatically handle consent management. This enables them to collect permission from all relevant customers at scale and apply their preferences instantly.

But simply having a consent form doesn’t make your business GDPR-compliant. You must ensure your form follows all GDPR requirements to eliminate risk and respect data subject rights.

Let’s look at some different examples of consent forms and what makes them effective.

As the page loads, Steiff immediately displays its cookie banner front and center. No tracking tools are enabled until you either click Accept All or select your preferences under Individual Settings. This helps Steiff meet the GDPR requirement for unambiguous, opt-in consent.

Steiff’s consent banner also provides a clear statement about how they use cookies so visitors are fully informed. They use simple, easy-to-understand language. For anyone who’d like more information, they also include links to their full data protection declaration and privacy policy.

What it does well

  • Equal options: All three buttons on the consent form are equally visible and accessible so users have genuine choice and don’t feel pushed toward acceptance. This supports their right to freely consent or decline under the GDPR.
  • Clear right to withdraw: The banner text reminds users they can change their preferences and shows them how to achieve this. 
  • Language options: While not a GDPR requirement, providing multilingual options is good for user experience and strengthens compliance, as the cookie banner is accessible to a wider audience and supports them being informed.
  • Brand consistency: The banner design matches core elements of Steiff’s website, such as its font and logo. This makes it feel like part of the company rather than a random add-on, helping to build user trust.

2. Website analytics

Oxfam’s main priority as a nonprofit is understanding user behavior so it can optimize campaigns. Before they can collect data, however, they must still obtain valid consent to place analytics cookies under GDPR requirements. They accomplish this by loading a large banner on the side of the page when someone first visits the website.
To learn more, you can click on the More info link to find an explanation of all the cookies that Oxfam uses. They provide a brief explanation of the difference between essential and non-essential cookies, plus a table with all the tracking tools on their website. They also list any providers and expiry dates to give users as much information as possible.

What it does well

  • Prominent banner: Rather than having a small consent form at the bottom of the screen, Oxfam uses a large one that takes up a third of the screen. This demonstrates their commitment to GDPR compliance, which is crucial for a nonprofit, given that trust is part of their brand equity.
  • Cookie settings: The settings tab is still visible after the user has accepted or declined web analytics cookies, making it easy for them to change their preferences any time. 
  • Data minimization: Oxfam only lists five types of web analytics cookies, indicating they only process strictly necessary data. This demonstrates their strong compliance with the Art. 5 GDPR principle of data minimization

3. Newsletter signup

The website for e-commerce company Mammut displays a pop-up form when you click on the Sign Up button for its newsletter. Users must provide their email address and agree to the conditions to be added to the company’s subscription list, meeting the GDPR requirement for explicit opt-in consent. 

To ensure they have each user’s permission, the Subscribe button doesn’t work unless the box is ticked.

Additionally, there’s a brief explanation of how Mammut plans to use the data so users are fully informed. The text is in a prominent place just above the Subscribe button, so you’re unlikely to miss it. If users want to learn more, they can follow the link to Mammut’s Data Protection policy.

What it does well

  • Manual entry: The newsletter consent form doesn’t capture and autofill the user’s email address. They must type it into the box, confirming that they intend to sign up for the newsletter.
  • Plain language: Mammut uses simple, everyday terms to explain how they plan to use email addresses to ensure it has their informed consent. 
  • Signup confirmation: To check they have each user’s consent for email addresses, Mammut automatically sends everyone a confirmation email. This gives people the chance to immediately unsubscribe if there was a mistake.

4. Contact form

The Goethe-Institut, a German language school, must collect users’ personal details to respond to inquiries. This helps them provide the right information about their courses and arrange classes, exams, and cultural exchanges.

In other words, the Goethe-Institut has a legitimate interest in the personal data it collects through contact forms. As they meet another of the GDPR’s legal bases for processing personal information, they don’t need to collect explicit, opt-in consent. 

But the language school must still provide an opt-out mechanism, because Art. 17 GDPR gives data subjects the right to be forgotten. They provide a brief explanation of this law and explain how to withdraw consent with a link to their privacy policy. 

What it does well

  • Clarity over purpose: The Goethe-Institut explicitly states that they only use the data to respond to the inquiry, reassuring users that they won’t receive unwanted marketing materials.
  • Required information: Any necessary boxes are marked with an asterisk. The Goethe-Institut has only required essential details to keep data processing activities to a minimum.
  • Multilingual services: The Goethe-Institut provides two separate email addresses for revoking consent, one for German speakers and one for English speakers, to guarantee it’s accessible for a wide audience.

5. Account registration

HelloFresh requests customers’ shipping and payment information to set up their account. Because they need this to fulfill the contract of delivering their services, they don’t need to collect explicit consent under the GDPR.

But this legal basis only applies when they process the information to manage deliveries. They must still get consent to use a customer’s phone number for non-essential activities, such as sending their customers promotional text messages. 

That’s why they’ve included a separate tick box for users to agree to marketing and left it blank; users must take affirmative action to agree.

What it does well

  • Granular consent options: Service and marketing consent are clearly separated, so customers can register without agreeing to promotions.
  • Upfront explanation: HelloFresh’s explanation makes it clear that customers don’t need to tick the box to sign up for an account. This helps them ensure consent is freely given and makes them appear more transparent.

Let’s summarize the best practices from our examples for creating a privacy-compliant consent form.

  • Identify your legal bases for processing data from website forms and check where you need consent. 
  • Be clear about your specific purposes for consent requests. 
  • Use plain, accessible language to explain your data processing activities and users’ rights. 
  • Publish a privacy policy, keep it updated, and link to it from your forms and other relevant locations. 
  • Make all consent options equally prominent. 
  • Provide separate granular consent options for different types of data processing. 
  • Enable easy withdrawal of consent at any time. 
  • Keep an updated record of consent choices in case of an audit or DSAR.

And here are some dark patterns to avoid to ensure fairness and transparency:

  • DON’T pre-tick boxes or default consent elements to the affirmative position on your consent form. 
  • DON’T omit information that could lead users to decline or withdraw consent. 
  • DON’T use ambiguous language or technical or legal jargon to obscure data processing purposes or what consent is for. 
  • DON’T push users to agree using visual tricks like obscuring or removing options or formatting links as standard text. 
  • DON’T make site or service access or continued service contingent on consent.

Consent forms must keep pace with evolving GDPR requirements and regional interpretations if you want to stay compliant and foster trust with customers. This can make managing consent challenging, especially for smaller teams.

Usercentrics Consent Management Platform (CMP) empowers you to design and deploy GDPR-compliant consent forms. Our solution provides customizable templates for creating pop-ups and banners that align with your brand identity to reinforce trust. 

Usercentrics automates compliance by blocking tracking tools until you receive consent, keeping detailed records of user preferences, and updating your privacy policy as regulations change.

The platform enables you to perform A/B tests to see which versions of banners perform better, helping you keep opt-in rates high. This ensures you minimize the legal risk to your business while maximizing the amount of data you collect to support scaling and growth.

Learn more
Celestine Bahr
Director Legal, Compliance & Data Privacy, Usercentrics GmbH
Read more

Frequently asked questions

An example is a cookie banner that only activates tracking tools after a user clicks Accept All or selects their preferences. This supports unambiguous, opt-in consent.

A GDPR disclaimer typically clarifies that personal data will be collected and processed in line with the GDPR. For instance: “We use your email address to send you our newsletter. You can unsubscribe at any time via the link provided in each email.”

Write in plain, clear language, and provide multiple language options if possible. State what data is collected, why, who it may be shared with, and how long it will be stored. Always include how users can exercise their rights, such as withdrawing consent.

Not always, but often. Consent is one of six lawful bases for processing personal data under the GDPR. Other bases include contractual necessity, legal obligation, and legitimate interest.

Yes. Under Art. 7(3) GDPR, users must be able to withdraw consent as easily as they gave it. Businesses must stop processing immediately after withdrawal.

Forms may be noncompliant if they use pre-ticked boxes, hide decline options, use vague wording, or fail to explain data usage clearly. These practices undermine the requirement for informed and freely given consent.