How to Create GDPR Compliant Consent in Web Forms

The EU’s General Data Protection Regulation (GDPR) introduces a number of new rules related to 1) capturing, 2) using, and 3) managing prospect and customer data. This post focuses on best practices for 1) capturing prospect information through web forms in a GDPR-compliant way.

The single most important requirement to make any web form GDPR compliant is obtaining from your web site visitors their explicit, positive consent to have their data stored and used by you, the web site owner and data controller.

Who does the GDPR apply to?

The scope of the GDPR encompasses all organizations that control the personal data of EU residents or monitor individuals’ behavior conducted within the EU, regardless of the entity’s location. The terms data controller and personal data are defined broadly: data controllers are companies that collect and hold consumer data, and personal data means “any information related to an identified or identifiable natural person.”

Stated simply, if you manage a website where you capture any personal data, and there is a chance that any of your web visitors are EU citizens and/or residents, the GDPR applies to you. Luckily, having your top-of-funnel activities become GDPR compliant boils down to simply obtaining positive consent from the users who submit their information.

Obtaining positive consent

As relevant to capturing information, the GDPR states that controllers must obtain consent from the data subject in order to use their information. The consent needs to be explicitly given by the EU citizen through a manual opt-in. Simply adding a text disclaimer with links such as “Our company values your privacy” or “By submitting this form you agree to our terms” is not sufficient to meet GDPR requirements. Under the GDPR, obtaining consent will most commonly be achieved by adding an acknowledgement checkbox at the end of the form. Alternatively, and because the GDPR only applies to EU citizens/residents, some controllers prefer not to front-load their forms with consent checkboxes and with what some may consider off-putting language.

Click here for a full guide on how to ask for positive consent, the types of approaches you can take for asking consent and what to do for incomplete consent scenarios.
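As an added example (not code from this post or from Treasure Data), here is a Node.js-style form handler that treats consent as given only when the visitor ticked a checkbox that is never pre-ticked, and stores a record of what they agreed to; the field names, the consent wording and its version tag are assumptions:

```javascript
// Added example: the wording, its version tag and field names are assumptions.
const CONSENT_STATEMENT = {
  version: "2018-05-v1", // constructed: identifies the exact wording shown
  text: "I agree that Example Corp may store my details and contact me about its products.",
};

// The consent field as it should be rendered: never pre-ticked, and carrying
// the version of the wording the visitor actually saw.
function renderConsentField() {
  return [
    `<input type="checkbox" id="gdpr_consent" name="gdpr_consent" value="yes">`,
    `<label for="gdpr_consent">${CONSENT_STATEMENT.text}</label>`,
    `<input type="hidden" name="consent_version" value="${CONSENT_STATEMENT.version}">`,
  ].join("\n");
}

// Validates a parsed form body. Returns { ok: true, record } only when consent
// was affirmatively given, otherwise { ok: false, reason }.
function validateConsent(fields, now = new Date()) {
  // A browser omits an unticked checkbox from the submitted body entirely, so a
  // missing field is the normal "no consent" case and must never default to true.
  if (fields.gdpr_consent !== "yes") {
    return { ok: false, reason: "consent checkbox not ticked" };
  }
  // Tie the consent to the wording the visitor saw; a stale or missing
  // version means we cannot later show what they agreed to.
  if (fields.consent_version !== CONSENT_STATEMENT.version) {
    return { ok: false, reason: "consent statement version mismatch" };
  }
  if (typeof fields.email !== "string" || !/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(fields.email)) {
    return { ok: false, reason: "invalid email" };
  }
  // Keep enough to demonstrate later who consented, when, and to what.
  return {
    ok: true,
    record: {
      email: fields.email,
      consentVersion: CONSENT_STATEMENT.version,
      consentText: CONSENT_STATEMENT.text,
      consentedAt: now.toISOString(),
      method: "explicit opt-in checkbox",
    },
  };
}

// Constructed sample submissions: one ticked, one left unticked.
const tickedSubmission = { email: "visitor@example.com", gdpr_consent: "yes", consent_version: "2018-05-v1" };
const untickedSubmission = { email: "visitor@example.com", consent_version: "2018-05-v1" };
console.log(validateConsent(tickedSubmission).ok, validateConsent(untickedSubmission).ok); // prints "true false"
```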

What’s next?

Having GDPR compliant forms is only one step in achieving GDPR compliance for your organization. Treasure Data offers a number of resources that cover the areas of GDPR compliance beyond the capturing of web form data, including:


Interpretation of the GDPR is up to your organization. While we’ve done our homework, the GDPR isn’t explicit in defining the principles for compliance. With language that makes it difficult to interpret, we advise you to consult your GDPR experts, legal counsel and the national data protection authorities in the EU.

Nikolay Belitchenov
Nik has worked at Treasure Data for four years serving on the front-end, product, design, and marketing teams. Nik has been heading the design and web team in Treasure Data’s marketing organization since 2017. Prior to TD, he worked as a UI Designer and Developer at Karmasphere, as well as at companies in e-commerce, automotive, finance, and CPG. An EU citizen, Nik now lives in the US, and often fills out lead forms on websites whose data controllers are located all over the world. As a dual citizen of the EU and US, Nik could be the GDPR poster boy as data subject as well as data controller.