GDPR Consent Examples: 8 Real-World Forms and Checkboxes
Getting consent right under GDPR is not optional. It is a legal requirement. But many websites still get it wrong, often without realizing it.
This guide walks through 8 real-world examples of consent forms and checkboxes. Some are compliant. Some are not. For each one, you will see exactly what works, what fails, and why.
If you are collecting personal data from visitors in the EU - through forms, cookies, email signups, or anything else - these examples will help you understand what the law actually requires.
What GDPR Says About Consent
Before looking at the examples, it helps to understand the legal standard. GDPR Article 7 sets out the conditions for consent. The key requirements are:
- Consent must be freely given. The user cannot be forced or pressured into agreeing.
- Consent must be specific. A single checkbox cannot cover multiple unrelated purposes.
- Consent must be informed. The user must know what they are agreeing to before they agree.
- Consent must be unambiguous. There must be a clear affirmative action, like ticking a box.
- Consent must be withdrawable. It must be as easy to withdraw consent as it was to give it.
Pre-ticked boxes do not count. Silence does not count. Bundled consent - where agreeing to terms also means agreeing to marketing - does not count.
With that framework in mind, here are the examples.
Example 1: The Pre-Ticked Marketing Checkbox (Non-Compliant)
This is one of the most common violations. A signup form includes a checkbox for marketing emails, and the checkbox is already ticked when the page loads.
What it looks like:
A registration form with a checkbox at the bottom that reads: "I would like to receive marketing emails and special offers." The box is checked by default.
Why it fails:
GDPR requires an affirmative action from the user. A pre-ticked box is not an affirmative action. The user did not choose to opt in - they simply failed to opt out. The European Court of Justice confirmed this in the Planet49 ruling (Case C-673/17). Pre-ticked boxes are not valid consent under any reading of the regulation.
How to fix it:
Leave the checkbox unticked by default. Let the user actively choose to tick it. That is all it takes.
Example 2: A Clear, Unticked Opt-In Checkbox (Compliant)
This is the corrected version of Example 1.
What it looks like:
The same registration form, but the marketing checkbox is unticked by default. The label reads: "Yes, I want to receive weekly tips and product updates by email. You can unsubscribe at any time."
Why it works:
The user makes a deliberate choice. The purpose is specific - weekly tips and product updates. The method is stated - email. And the user is told they can withdraw consent later. This hits every requirement in Article 7.
Key Takeaway for Checkbox Consent
Always start with an empty checkbox. State the purpose clearly. Tell the user how to opt out later.
Example 3: Bundled Consent in Terms of Service (Non-Compliant)
Some websites bury marketing consent inside their terms of service. A single checkbox reads: "I agree to the Terms of Service and Privacy Policy and consent to receive promotional communications."
What it looks like:
A checkout form with one checkbox that covers terms, privacy, and marketing all at once.
Why it fails:
Consent must be specific to each purpose. Agreeing to terms of service is a contractual necessity. Marketing emails are a separate purpose entirely. Bundling them together means the user cannot agree to one without the other. That is not freely given consent.
The European Data Protection Board (EDPB) guidelines on consent are clear: when consent is bundled with acceptance of terms, it is presumed not to be freely given.
How to fix it:
Use separate checkboxes. One for terms of service (which can be required). One for marketing (which must be optional).
Example 4: Granular Consent With Separate Checkboxes (Compliant)
This is how a well-designed form handles multiple consent purposes.
What it looks like:
A signup form with three separate, unticked checkboxes:
- "I agree to the Terms of Service and Privacy Policy" (required)
- "Send me product updates by email" (optional)
- "Send me third-party offers from our partners" (optional)
Each checkbox has its own clear label. The required one is marked as such. The optional ones are clearly optional.
Why it works:
Each purpose gets its own consent mechanism. The user can agree to terms without opting into marketing. They can choose product updates without receiving third-party offers. This is granular, specific, and freely given.
Example 5: A Cookie Banner With Only an "Accept" Button (Non-Compliant)
This is still extremely common. A cookie banner appears at the bottom of the screen with a message like "We use cookies to improve your experience" and a single button that says "Accept."
What it looks like:
A slim banner at the bottom of the page. One line of text. One button. No way to decline or configure preferences.
Why it fails:
There are two problems. First, there is no way to reject cookies. The user can only accept or ignore the banner. Ignoring the banner is not consent - it is the absence of a decision. Second, the description is too vague. "Improve your experience" does not tell the user what cookies are being set or for what purpose.
If your cookie banner looks like this, it is almost certainly non-compliant. For a deeper look at cookie banners specifically, see our guide on GDPR banner examples with 12 real cookie consent banners.
How to fix it:
Add a "Reject All" button that is equally prominent. Add a "Manage Preferences" option. List the categories of cookies you use.
Example 6: A Cookie Banner With Accept, Reject, and Preferences (Compliant)
This is the standard that regulators expect.
What it looks like:
A banner with:
- A brief explanation: "We use cookies for analytics, personalization, and advertising."
- Three buttons: "Accept All," "Reject All," and "Manage Preferences"
- The Reject All button is the same size and color as Accept All
When the user clicks "Manage Preferences," they see toggle switches for each cookie category: Necessary (always on), Analytics, Personalization, and Advertising.
Why it works:
The user has a genuine choice. They can accept everything, reject everything, or pick and choose. The reject option is not hidden or made harder to find. Cookie categories are explained. This meets the standard set by multiple EU data protection authorities, including the French CNIL and the Irish DPC.
Example 7: Email Signup With No Privacy Information (Non-Compliant)
A website has a simple email capture form in the footer. It says "Enter your email" with a "Subscribe" button. There is no mention of what the email will be used for, no link to a privacy policy, and no information about how to unsubscribe.
What it looks like:
A minimal email input field and a button. Nothing else.
Why it fails:
Consent must be informed. The user has no idea what they are signing up for. Will they get a weekly newsletter? Daily promotions? Will their email be shared with third parties? Without this information, the consent is not valid.
There is also no link to a privacy policy, which is a separate but related requirement. For more on privacy policy requirements, see our GDPR compliance checklist for small businesses.
How to fix it:
Add a brief description of what the user will receive. Link to your privacy policy. Include information about how to unsubscribe. For example: "Get our weekly privacy tips. Read our Privacy Policy. Unsubscribe anytime."
Example 8: A Well-Designed Email Signup Form (Compliant)
This is the corrected version of Example 7.
What it looks like:
An email signup form that includes:
- A clear heading: "Get weekly privacy tips for your business"
- An email input field
- A "Subscribe" button
- A note below: "We send one email per week. No spam. Unsubscribe anytime. See our Privacy Policy."
- The Privacy Policy text is a link to the full policy
Why it works:
The user knows exactly what they are signing up for: one email per week with privacy tips. They know they can unsubscribe. They can read the full privacy policy before deciding. The purpose is specific and clearly stated.
What Makes This Form Stand Out
It does not try to be clever. It does not use dark patterns. It simply tells the user what will happen and lets them decide. That is all GDPR asks for.
Common Mistakes That Make Consent Invalid
Looking across all eight examples, a few patterns emerge. These are the mistakes that come up again and again:
Pre-ticked checkboxes
Any checkbox that starts in a ticked state is not valid consent. This applies to marketing checkboxes, cookie preferences, and any other consent mechanism.
Vague language
Phrases like "improve your experience" or "for our legitimate purposes" do not meet the informed consent standard. Be specific about what data you collect and why.
No way to refuse
If the only option is "Accept," that is not a choice. Every consent mechanism must include an equally accessible way to say no.
Bundled purposes
One checkbox should cover one purpose. If you need consent for marketing and analytics, those are two separate checkboxes.
Hidden withdrawal mechanisms
If opting in takes one click, opting out should take one click too. Do not make users send an email or call a phone number to withdraw consent.
How to Audit Your Own Consent Forms
Here is a quick self-assessment you can run on every form and consent mechanism on your website:
- Is the checkbox unticked by default?
- Is the purpose stated in plain language?
- Is each purpose covered by its own checkbox?
- Can the user easily say no?
- Is there a link to the privacy policy?
- Is it clear how to withdraw consent later?
- Are you keeping a record of when and how consent was given?
If you answered "no" to any of these, that form needs attention.
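Three of these checks (unticked by default, one purpose per checkbox, a privacy policy link) can be automated against a form's HTML. The script below is an added example, not part of the original article or any scanner's code; the `PURPOSES` keyword lists, the `audit` function and both sample forms are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
# Keyword heuristics are assumptions for this sketch, not a legal test.
PURPOSES = {"terms": ("terms of service", "privacy policy"),
            "marketing": ("marketing", "promotional", "offers", "updates")}

class ConsentFormAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self.has_policy_link = [], False
        self._label = self._link = None  # text buffers while inside <label> / <a>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        is_checkbox = tag == "input" and (a.get("type") or "").lower() == "checkbox"
        if is_checkbox and "checked" in a:  # boolean attribute: presence pre-ticks
            self.findings.append(f"pre-ticked checkbox: {a.get('name', '?')}")
        elif tag == "label":
            self._label = []
        elif tag == "a":
            self._link = []

    def handle_data(self, data):
        for buf in (self._label, self._link):
            if buf is not None:
                buf.append(data)

    def handle_endtag(self, tag):
        if tag == "label" and self._label is not None:
            text = " ".join("".join(self._label).split()).lower()
            hits = [p for p, kws in PURPOSES.items() if any(k in text for k in kws)]
            if len(hits) > 1:  # one label (one checkbox) covering several purposes
                self.findings.append("bundled purposes: " + "+".join(hits))
            self._label = None
        elif tag == "a" and self._link is not None:
            self.has_policy_link |= "privacy policy" in "".join(self._link).lower()
            self._link = None

def audit(html):
    parser = ConsentFormAudit()
    parser.feed(html)
    parser.close()
    if not parser.has_policy_link:
        parser.findings.append("no privacy policy link")
    return parser.findings
# Constructed samples: BAD_FORM combines Examples 1 and 3, GOOD_FORM follows Example 4.
BAD_FORM = ('<label><input type="checkbox" name="agree" checked> I agree to the Terms of '
            'Service and Privacy Policy and consent to receive promotional communications.</label>')
GOOD_FORM = ('<label><input type="checkbox" name="terms"> I agree to the Terms of Service and '
             '<a href="/privacy">Privacy Policy</a></label>'
             '<label><input type="checkbox" name="updates"> Send me product updates by email</label>')
```

`audit(BAD_FORM)` reports all three problems and `audit(GOOD_FORM)` returns an empty list. Checkboxes ticked by script after page load are not visible to a static check like this one.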
You do not have to do this manually. Scanibly can check your website for consent compliance issues in seconds.
GDPR Consent Requirements: A Quick Reference
Here is a summary of what the regulation requires, mapped to the examples above:
Freely given - The user must have a real choice. No bundling, no penalties for refusing. (Examples 3 vs 4)
Specific - Each purpose needs its own consent. Marketing is separate from analytics is separate from third-party sharing. (Examples 1 vs 2)
Informed - The user must know what they are agreeing to before they agree. State the purpose, the data collected, and who will process it. (Examples 7 vs 8)
Unambiguous - There must be a clear action like ticking a box or clicking a button. Silence or inactivity is not consent. (Examples 5 vs 6)
Withdrawable - Opting out must be as easy as opting in. Include unsubscribe links and make cookie preferences accessible at any time.
What Happens If Your Consent Is Non-Compliant
The consequences are real. Data protection authorities across Europe have issued fines for consent violations. Some notable examples:
- Google was fined 150 million euros by the French CNIL in 2022 for making cookie rejection harder than acceptance.
- Amazon received a 746 million euro fine from Luxembourg's CNPD, partly related to consent and transparency failures.
- Smaller businesses have received fines in the tens of thousands of euros for pre-ticked boxes and missing consent mechanisms.
Beyond fines, non-compliant consent means any data collected under that consent is unlawfully processed. That can trigger data deletion requirements and complaints to regulators.
Next Steps for Your Website
Getting consent right is one of the most visible parts of GDPR compliance. Your visitors see your forms and banners every day. Regulators check them during audits. And competitors who get it right build more trust with their audience.
Start by reviewing the forms on your website against the examples above. Check your cookie banner. Check your email signup. Check every form that collects personal data.
If you want an automated check, run a free compliance scan on your website. Scanibly checks your consent mechanisms, cookie usage, privacy policy, and more - and gives you a clear report on what needs to be fixed.