# [GDPR consent form examples and expert advice: Tips for creating your own](https://usercentrics.com/knowledge-hub/gdpr-consent-example/) **Author:** Celestine Bahr · **Read time:** 8 mins · **Published:** Oct 3, 2025 **See real GDPR consent form examples to follow, plus expert-backed tips, to help you create compliant, user-friendly forms that build trust.** [Download checklist](https://usercentrics.com/resources/cookie-banner-design/) · [Learn more](https://usercentrics.com/gdpr/) · [Book a Consultation](https://usercentrics.com/book-a-consultation/) --- **Summary:** This guide details GDPR consent, covering valid consent requirements and real-world examples. It outlines best practices for creating privacy-compliant, user-friendly forms that build trust, optimize opt-in rates, and meet legal requirements. Consent forms are central to compliance with the General Data Protection Regulation (GDPR), shaping how your organization collects and processes data while deeply impacting relationships with customers. [Three out of four people](https://www.dataprotection.ie/en/dpc-guidance/publications/DPC_Public_Attitudes_Survey_2025) say they expect companies to prioritize compliance, even at the cost of business progress. But the way you design consent forms actually has a direct impact on business performance. Effective forms optimize opt-in rates and improve the quality of data you rely on for marketing initiatives. By contrast, unclear or poorly functioning forms risk damaging customer trust in your brand. If you're unsure whether your organization is GDPR-compliant, this guide shows you what valid consent looks like under the GDPR. We explore five effective GDPR consent examples, and outline best practices you can follow to create your own compliant forms. --- ## Five GDPR consent examples that follow GDPR principles ### What is valid consent under the GDPR? **Key Takeaways** - For consent to be valid under the GDPR, it must be freely given, specific, informed, unambiguous, granular, and easy to withdraw. - Real-world examples show that clear, prominent, and brand-consistent consent forms build trust while enabling businesses to remain privacy-compliant. - Organizations must separate essential data collection from optional marketing permissions to ensure consent is truly voluntary. - Best practices include using plain language, linking to a privacy policy, offering granular options, and keeping a record of consent choices. - A consent management platform like Usercentrics Consent Management Platform (CMP) helps automate compliance, optimize opt-in rates, and reduce legal risk. Consent is one of the six lawful bases for collecting and processing personal data. However, it must meet [GDPR consent requirements](https://usercentrics.com/knowledge-hub/7-criteria-for-a-gdpr-compliant-consent/) to count as valid and contribute to compliance: - **Freely given:** Users must have a genuine choice, without pressure or manipulation. - **Specific:** Consent must relate to specific purposes, such as receiving newsletters or enabling personalization. - **Informed:** Users need clear, easily accessible information about what data is collected, why, and their rights and how to exercise them. - **Unambiguous:** Consent requires affirmative action, such as clicking "accept" or ticking an empty box. Implied consent is not valid. - **Granular:** Users should be able to consent separately for different activities. - **Prior consent:** No processing should begin before explicit consent is obtained. - **Right to withdraw:** People must be able to withdraw consent as easily as they gave it, and processing must stop immediately. Note that some website forms require explicit, opt-in consent, while others may give you another legal basis for processing data and have lighter requirements. Many organizations use pop-ups with embedded forms to automatically handle consent management. This enables them to collect permission from all relevant customers at scale and apply their preferences instantly. But simply having a consent form doesn't make your business GDPR-compliant. You must ensure your form follows all GDPR requirements to eliminate risk and respect [data subject rights](https://usercentrics.com/knowledge-hub/gdpr-data-subject-rights/). Let's look at some different examples of consent forms and what makes them effective. --- ### 1. Cookie consent As the page loads, Steiff immediately displays its cookie banner front and center. No tracking tools are enabled until you either click **Accept All** or select your preferences under **Individual Settings**. This helps Steiff meet the GDPR requirement for unambiguous, opt-in consent. Steiff's consent banner also provides a clear statement about how they use cookies so visitors are fully informed. They use simple, easy-to-understand language. For anyone who'd like more information, they also include links to their full data protection declaration and privacy policy. #### What it does well - **Equal options:** All three buttons on the consent form are equally visible and accessible so users have genuine choice and don't feel pushed toward acceptance. This supports their right to freely consent or decline under the GDPR. - **Clear right to withdraw:** The banner text reminds users they can change their preferences and shows them how to achieve this. - **Language options:** While not a GDPR requirement, providing multilingual options is good for user experience and strengthens compliance, as the cookie banner is accessible to a wider audience and supports them being informed. - **Brand consistency:** The banner design matches core elements of Steiff's website, such as its font and logo. This makes it feel like part of the company rather than a random add-on, helping to build user trust. --- ### 2. Website analytics Oxfam's main priority as a nonprofit is understanding user behavior so it can optimize campaigns. Before they can collect data, however, they must still obtain valid consent to place analytics cookies under GDPR requirements. They accomplish this by loading a large banner on the side of the page when someone first visits the website. To learn more, you can click on the **More info** link to find an explanation of all the cookies that Oxfam uses. They provide a brief explanation of the difference between essential and non-essential cookies, plus a table with all the tracking tools on their website. They also list any providers and expiry dates to give users as much information as possible. #### What it does well - **Prominent banner:** Rather than having a small consent form at the bottom of the screen, Oxfam uses a large one that takes up a third of the screen. This demonstrates their commitment to [GDPR compliance](https://usercentrics.com/knowledge-hub/gdpr-compliance/), which is crucial for a nonprofit, given that trust is part of their brand equity. - **Preference management:** The settings tab is still visible after the user has accepted or declined web analytics cookies, making it easy for them to change their preferences any time. - **Data minimization:** Oxfam only lists five types of web analytics cookies, indicating they only process strictly necessary data. This demonstrates their strong compliance with the [Art. 5 GDPR](https://gdpr-info.eu/art-5-gdpr/) principle of [data minimization](https://usercentrics.com/knowledge-hub/data-minimization/). --- ### 3. Newsletter signup The website for [e-commerce](https://usercentrics.com/knowledge-hub/gdpr-for-ecommerce/) company Mammut displays a pop-up form when you click on the **Sign Up** button for its newsletter. Users must provide their email address and agree to the conditions to be added to the company's subscription list, meeting the GDPR requirement for explicit opt-in consent. To ensure they have each user's permission, the **Subscribe** button doesn't work unless the box is ticked. Additionally, there's a brief explanation of how Mammut plans to use the data so users are fully informed. The text is in a prominent place just above the Subscribe button, so you're unlikely to miss it. If users want to learn more, they can follow the link to Mammut's Data Protection policy. #### What it does well - **Manual entry:** The newsletter consent form doesn't capture and autofill the user's email address. They must type it into the box, confirming that they intend to sign up for the newsletter. - **Plain language:** Mammut uses simple, everyday terms to explain how they plan to use email addresses to ensure it has their informed consent. - **Signup confirmation:** To check they have each user's consent for email addresses, Mammut automatically sends everyone a confirmation email. This gives people the chance to immediately unsubscribe if there was a mistake. --- ### 4. Contact form The Goethe-Institut, a German language school, must collect users' personal details to respond to inquiries. This helps them provide the right information about their courses and arrange classes, exams, and cultural exchanges. In other words, the Goethe-Institut has a legitimate interest in the personal data it collects through contact forms. As they meet another of the GDPR's legal bases for processing personal information, they don't need to collect explicit, opt-in consent. But the language school must still provide an opt-out mechanism, because [Art. 17 GDPR](https://gdpr-info.eu/art-17-gdpr/) gives data subjects the [right to be forgotten](https://usercentrics.com/knowledge-hub/gdpr-right-to-be-forgotten/). They provide a brief explanation of this law and explain how to withdraw consent with a link to their privacy policy. #### What it does well - **Clarity over purpose:** The Goethe-Institut explicitly states that they only use the data to respond to the inquiry, reassuring users that they won't receive unwanted marketing materials. - **Required information:** Any necessary boxes are marked with an asterisk. The Goethe-Institut has only required essential details to keep data processing activities to a minimum. - **Multilingual services:** The Goethe-Institut provides two separate email addresses for revoking consent, one for German speakers and one for English speakers, to guarantee it's accessible for a wide audience. --- ### 5. Account registration HelloFresh requests customers' shipping and payment information to set up their account. Because they need this to fulfill the contract of delivering their services, they don't need to collect explicit consent under the GDPR. But this legal basis only applies when they process the information to manage deliveries. They must still get consent to use a customer's phone number for non-essential activities, such as sending their customers promotional text messages. That's why they've included a separate tick box for users to agree to marketing and left it blank; users must take affirmative action to agree. #### What it does well - **Granular consent options:** Service and marketing consent are clearly separated, so customers can register without agreeing to promotions. - **Upfront explanation:** HelloFresh's explanation makes it clear that customers don't need to tick the box to sign up for an account. This helps them ensure consent is freely given and makes them appear more transparent. --- ## Best practices for making consent forms that comply with the GDPR Let's summarize the best practices from our examples for creating a privacy-compliant consent form. - Identify your legal bases for processing data from website forms and check where you need consent. - Be clear about your specific purposes for consent requests. - Use plain, accessible language to explain your data processing activities and users' rights. - Publish a privacy policy, keep it updated, and link to it from your forms and other relevant locations. - Make all consent options equally prominent. - Provide separate granular consent options for different types of data processing. - Enable easy withdrawal of consent at any time. - Keep an updated record of consent choices in case of an audit or [DSAR](https://usercentrics.com/knowledge-hub/data-subject-access-requests/). And here are some [dark patterns](https://usercentrics.com/knowledge-hub/dark-patterns-and-how-they-affect-consent/) to avoid to ensure fairness and transparency: - DON'T pre-tick boxes or default consent elements to the affirmative position on your consent form. - DON'T omit information that could lead users to decline or withdraw consent. - DON'T use ambiguous language or technical or legal jargon to obscure data processing purposes or what consent is for. - DON'T push users to agree using visual tricks like obscuring or removing options or formatting links as standard text. - DON'T make site or service access or continued service contingent on consent. --- ## Create GDPR-compliant consent forms with ease Consent forms must keep pace with evolving GDPR requirements and regional interpretations if you want to stay compliant and foster trust with customers. This can make managing consent challenging, especially for smaller teams. Usercentrics [Consent Management Platform (CMP)](https://usercentrics.com/website-consent-management/) empowers you to design and deploy GDPR-compliant consent forms. Our solution provides customizable templates for creating pop-ups and banners that align with your brand identity to reinforce trust. Usercentrics automates compliance by blocking tracking tools until you receive consent, keeping detailed records of user preferences, and updating your privacy policy as regulations change. The platform enables you to perform A/B tests to see which versions of banners perform better, helping you keep opt-in rates high. This ensures you minimize the legal risk to your business while maximizing the amount of data you collect to support scaling and growth. **Achieve and maintain GDPR compliance with the Usercentrics CMP** Geolocation features, automated updates, and customizable banners help you comply with the GDPR while building trust with customers. [Learn more](https://usercentrics.com/gdpr/) **Celestine Bahr** — Director Legal, Compliance & Data Privacy, Usercentrics GmbH --- ## Frequently asked questions ### What is an example of GDPR consent? An example is a cookie banner that only activates tracking tools after a user clicks **Accept All** or selects their preferences. This supports unambiguous, opt-in consent. ### What is an example of a GDPR disclaimer? A GDPR disclaimer typically clarifies that personal data will be collected and processed in line with the GDPR. For instance: *"We use your email address to send you our newsletter. You can unsubscribe at any time via the link provided in each email."* ### How do you write a GDPR disclaimer? Write in plain, clear language, and provide multiple language options if possible. State what data is collected, why, who it may be shared with, and how long it will be stored. Always include how users can exercise their rights, such as withdrawing consent. ### Do you always need consent under the GDPR? Not always, but often. Consent is one of six lawful bases for processing personal data under the GDPR. Other bases include contractual necessity, legal obligation, and legitimate interest. ### Can users withdraw GDPR consent at any time? Yes. Under [Art. 7(3) GDPR](https://gdpr.eu/article-7-how-to-get-consent-to-collect-personal-data/), users must be able to withdraw consent as easily as they gave it. Businesses must stop processing immediately after withdrawal. ### What makes a consent form noncompliant? Forms may be noncompliant if they use pre-ticked boxes, hide decline options, use vague wording, or fail to explain data usage clearly. These practices undermine the requirement for informed and freely given consent. --- ## Products - [Usercentrics Web CMP](https://usercentrics.com/website-consent-management/) - [Usercentrics App CMP](https://usercentrics.com/in-app-sdk/) - [Usercentrics CTV CMP](https://usercentrics.com/usercentrics-ctv-cmp/) - [Privacy Policy Generator](https://usercentrics.com/privacy-policy-generator/) - [Server-side Tagging Solution](https://usercentrics.com/server-side-tracking-solution/) - [Preference Manager](https://usercentrics.com/preference-management/) - [Audience Unlocker](https://usercentrics.com/audience-unlocker/) - [Integrations](https://usercentrics.com/integrations/) - [Web Compliance Scan](https://usercentrics.com/privacy-compliance-scanner/) - [App Compliance Scan](https://usercentrics.com/app-data-privacy-audit/) - [ROAS Calculator](https://usercentrics.com/roas-calculator/) ## Solutions - [Data Privacy Regulatory Compliance](https://usercentrics.com/data-privacy-regulatory-compliance/) - [Marketing Performance Optimization](https://usercentrics.com/marketing-performance-optimization/) - [Migration](https://usercentrics.com/migration/) - [Media & Publishing](https://usercentrics.com/media-publishing/) - [Retail & Ecommerce](https://usercentrics.com/retail-ecommerce/) - [Banking, Finance & Insurance](https://usercentrics.com/banking-finance-insurance/) - [Healthcare & Pharmaceuticals](https://usercentrics.com/healthcare-pharmaceuticals/) - [Gaming](https://usercentrics.com/gaming/) - [Education](https://usercentrics.com/education/) - [Automotive](https://usercentrics.com/automotive/) - [Travel & Hospitality](https://usercentrics.com/travel/) ## Regulations & Frameworks - [GDPR (EU)](https://usercentrics.com/gdpr/) - [GDPR (UK)](https://usercentrics.com/uk-gdpr/) - [CCPA (California)](https://usercentrics.com/ccpa/) - [TCF v2.3 (IAB)](https://usercentrics.com/cmp-for-publishers/) - [DMA (EU)](https://usercentrics.com/digital-markets-act-dma/) - [Amazon Consent Signal](https://usercentrics.com/usercentrics-cmp-and-amazon-consent-signal/) - [Google Consent Mode (EU)](https://usercentrics.com/usercentrics-cmp-and-google-consent-mode-v2/) - [Microsoft UET Consent Mode (EU)](https://usercentrics.com/usercentrics-cmp-and-microsoft-consent-mode/) - [Microsoft Clarity Consent Mode](https://usercentrics.com/usercentrics-cmp-and-microsoft-clarity-consent-mode/) - [View all regulations](https://usercentrics.com/regulations-and-frameworks/) ## Resources - [Blog](https://usercentrics.com/knowledge-hub/) - [Whitepapers](https://usercentrics.com/whitepapers/) - [Checklists](https://usercentrics.com/checklists/) - [Courses](https://courses.usercentrics.com/) - [Case Studies](https://usercentrics.com/case-studies/) - [Privacy-Led Marketing](https://usercentrics.com/privacy-led-marketing/) - [Events](https://usercentrics.com/webinar/) - [CONSENTED Podcast](https://usercentrics.com/consented/) - [Guides](https://usercentrics.com/guides/) - [Release Notes](https://releases.usercentrics.com/en) - [Developer Documentation](https://usercentrics.com/docs/) - [RFI Template](https://usercentrics.com/resources/usercentrics-rfi-template/) - [Customer Directory](https://usercentrics.com/usercentrics-customer-directory/) ## Company - [About Us](https://usercentrics.com/about-us/) - [Press](https://usercentrics.com/press/) - [Our Offices](https://usercentrics.com/contact/) - [Trust Center](https://trust.usercentrics.com/) - [Careers](https://usercentrics.com/career/) - [Open Positions](https://apply.workable.com/usercentrics/) - [Diversity & Inclusion](https://usercentrics.com/dei/) ## Support - [General Support](https://support.usercentrics.com/hc/en-us) - [Contact Sales](https://usercentrics.com/book-a-consultation/) - [Technical Support](https://support.usercentrics.com/hc/en-us/requests/new) - [Billing & Account](https://support.usercentrics.com/hc/en-us/categories/12253804608156-Account-and-billing) - [Suggest a Feature](https://support.usercentrics.com/hc/en-us/requests/new?ticket_form_id=10610312381340) - [Partner Login](https://partnerportal.usercentrics.com/) - [Partner Program](https://usercentrics.com/partner-program-overview/) - [Affiliate Program](https://usercentrics.com/affiliates/) ## Legal - [Terms & Conditions](https://usercentrics.com/terms-and-conditions/) - [Terms & Conditions USA](https://usercentrics.com/terms-and-conditions-usa/) - [Privacy Policy](https://usercentrics.com/privacy-policy/) - [Legal Notice](https://usercentrics.com/legal-notice/) - [Legal Documents](https://usercentrics.com/legal-documents/) - [Accessibility Statement](https://usercentrics.com/accessibility-statement-wcag-compliance/) © 2026 Usercentrics GmbH