Consent Management

GDPR Consent Form: What to Include, What to Avoid, and a 2026 Example

DataShyre Staff
DataShyre Staff Jun 24, 2026
5 min read

GDPR Consent Form: What to Include, What to Avoid, and a 2026 Example

A lot of teams still reach for consent by default. That is usually the first mistake.

A gdpr consent form only works when people can make a real choice, understand what they are agreeing to, and change their mind later without friction. If your signup flow, lead form, or preference center cannot meet that standard, consent is probably the wrong legal basis.

Privacy consent form shown on a laptop and mobile screen with clear unticked checkboxes and subtle DataShyre.com branding

The European Data Protection Board’s SME guidance says consent requests should clearly identify the controller, explain the purpose, describe the data involved, and tell people they can withdraw consent at any time. For special-category data, the bar is higher: the EDPB says the request should be express and specific.

If you are tightening the surrounding disclosures too, this checklist for a GDPR compliant privacy notice is a useful companion. If you need system support for logging choices at scale, our guide to picking a consent management provider can help.

When you actually need a GDPR consent form

Consent is only one lawful basis under the GDPR. The EDPB’s lawful-basis guide makes that plain: you should choose the right basis before processing starts, not retrofit consent onto every workflow.

That means a consent form is a good fit when you are asking for something optional, such as:

  • marketing emails or newsletters;
  • optional profiling or personalization;
  • publishing a customer testimonial or case study; or
  • certain uses of special-category data where explicit consent is required.

It is usually a poor fit when the person cannot realistically say no. Employment settings are the classic example. The EDPB has repeatedly warned that a power imbalance can make consent invalid because it is not freely given.

That is why William Malcolm of the ICO described good consent in April 2026 as “real, specific and freely given.” He also said it should be “just as easy to withdraw.” That is a concise test for almost any form UX.

GDPR consent form: what it should include

You do not need a bloated legal document. You do need the right pieces.

1. A separate request, not buried in terms

GDPR consent has to be presented in an intelligible, accessible form. In practice, that means keeping the request separate from general terms and avoiding one checkbox that tries to cover everything at once.

2. A clear purpose in ordinary language

Tell people exactly what they are opting into. “Receive monthly product updates and webinar invites by email” works. “Consent to communications” does not say enough.

3. An active opt-in

Use an unticked checkbox, toggle, or signature field. Pre-ticked boxes and implied consent are not valid. That point has been settled for years, but bad implementations still show up in audits.

4. Granular choices when purposes differ

If you want email marketing, partner offers, and product research participation, split those choices. One yes for three different purposes is weak on specificity and hard to defend later.

5. A simple withdrawal path

Your form should say how consent can be withdrawn and where that control lives. If the answer is “email support and wait,” the experience is already off.

6. Proof you can actually produce

A consent record should capture who consented, when, what they were shown, what they selected, and which policy or form version applied at the time. This is not theoretical housekeeping. In January 2026, CNIL opened a consultation focused on proof of consent in direct marketing, which tells you the evidence question is still very much alive.

Checklist workflow showing purpose, opt-in, proof, withdrawal, and explicit consent with subtle DataShyre.com branding

7. Explicit wording for sensitive data

If your form covers health data, biometric data, or other special-category information, do not rely on vague wording. The EDPB says explicit consent needs an express statement of agreement. Make the request stand on its own.

A simple example might look like this:

I agree that DataShyre may send me product updates and event invitations by email. I can withdraw my consent at any time through the unsubscribe link or my privacy preferences.

That is not universal boilerplate. It is just the shape of a usable request: who, what, channel, and withdrawal.

What to avoid

Three patterns keep causing trouble:

  • bundling consent into general terms or account creation;
  • making refusal harder than acceptance; and
  • asking for consent when another lawful basis would make more sense.

In February 2026, EDPB Chair Anu Talus said privacy models still need a “real choice.” She was speaking in a different regulatory context, but the principle travels well. If your form funnels people toward yes through pressure, default settings, or vague wording, the problem is not cosmetic.

If you are comparing broader compliance obligations across jurisdictions, our GDPR vs. CCPA guide helps frame where consent matters most and where notice or opt-out rules work differently.

A practical 2026 check before you publish a form

Before a new form goes live, ask five blunt questions:

  • Can the person refuse without losing something unrelated?
  • Is each purpose specific enough to explain in one sentence?
  • Is the opt-in action unmistakable?
  • Can you prove what the person saw and chose?
  • Can they withdraw as easily as they agreed?

If you cannot answer yes to all five, pause and fix the flow first.

The takeaway

A strong GDPR consent form is shorter than most teams expect and stricter than most teams design for. The hard part is not adding more legal copy. It is making the choice genuine, documenting it cleanly, and using consent only where it actually fits.

That is still the standard in 2026.

Sources

  • EUR-Lex
  • European Data Protection Board
  • Information Commissioner’s Office
  • CNIL
DataShyre Platform

Ready to fix your privacy program?

Join 3,500+ businesses using DataShyre to automate consent management, DSR fulfillment, and compliance — without the complexity.