[GDPR III] Obtaining Informed Consent
This information is provided as-is, based on our best understanding of the information publicly available and our consultations with our legal counsel. This is not legal advice, and we cannot answer questions about your particular situation. You should consult with your own legal counsel if you have questions about your obligations under the GDPR.
Among the different bases for lawful data collection under the GDPR, obtaining informed consent is perhaps the best approach to ensure compliance and build trust with your respondents. The operating word here is informed. A person must understand what she’s agreeing to when entering her personal information into a form, and it’s the responsibility of the form creator (the data controller) to provide sufficient information and record consent appropriately.
What Is Informed Consent?
Informed consent starts with disclosing the right information about your data collection, in clear and plain language, and at the point of data collection. For more on this, refer to our previous blog post: “Rights of the Data Subject: Transparent Information”.
For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended – (Recital 42 – https://gdpr-info.eu/recitals/no-42/)
The law is pretty clear, uninformed consent is not consent at all.
Additionally, you must be able to demonstrate that consent was obtained under the proper conditions (Art. 7 – https://gdpr-info.eu/art-7-gdpr/).
How to Obtain Consent
1. The request for consent must be a clear affirmative act.
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her […]. This could include ticking a box when visiting an internet website, […] (Recital 32 – https://gdpr-info.eu/recitals/no-32/)
Practically, this would take the form of a checkbox, with some wording starting with “I agree to ….” followed by a short description of the data processing.
 I agree to the processing of my personal information by FormAssembly for the purpose of contacting me and sending me information about the FormAssembly solution.
2. The request for consent must be clearly distinguishable from other matters.
Request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. (Art 7.2 – https://gdpr-info.eu/art-7-gdpr/)
Practically, this means that the request for consent (as a checkbox or otherwise) should be clearly separated from the rest of of the form and other content on the page. As a best practice, place the request in a easily identifiable section of your form, just before the submit button.
3. Consent should be granular.
Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. (Recital 32 – https://gdpr-info.eu/recitals/no-32/)
You may need multiple checkboxes to record consent for different data processing activities; or instance, a consent to data being used to process a registration for an event, and a separate checkbox to record consent for marketing processing.
 I agree to the processing of my personal information by FormAssembly for the purpose of
registering me for this event.
 I agree to the processing of my personal information by FormAssembly for the purpose of sending me further information about the FormAssembly solution.
4. Sensitive data requires a stricter form of consent.
The GDPR defines special categories of sensitive personal data (such as ethnic origin, political opinions, religious beliefs, etc.) that are subject to additional restrictions. (Art 9. https://gdpr-info.eu/art-9-gdpr/). Assuming you have a legitimate need to collect such data, you should consider meeting a higher standard for explicit consent.
Instead of using a simple checkbox, you may instead request the respondent to type in a free text field the statement of consent, “I agree to …. “ followed with a short description of what the person is agreeing to.
[example] I agree to participate in this study and provide personal information about my …
You may also consider, as an alternative, a two stage opt-in where respondent must complete a first form to indicate their consent, then click on a link in the auto-responder email to go to a second form to enter the personal information. The email and each form should each provide the necessary disclosures and consent language.
What Not to Do
1. Opt-out mechanisms are off limits.
Consent should be given by a clear affirmative act […]. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. (Recital 32 – https://gdpr-info.eu/recitals/no-32/)
You cannot require respondents to take a specific action in order to opt-out from your data processing. Opting out must be the default and instead, an action must be taken to opt-in. This means that,
- Your consent checkbox must not be checked by default.
- Your cannot use non-affirmative language (for instance “check the box if you do not agree to the processing of this personal data”).
2. Consider carefully if consent should be required in order to submit the form.
As long as informed consent is your legal basis for data processing, you should have a required field to record consent. The question arises, however, when you must request consent for multiple forms of data processing.
Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment. (Recital 42 – https://gdpr-info.eu/recitals/no-42/)
For instance, it’s pretty common to let event attendees sign up for promotional emails as they fill out an event registration form. Signing up for emails unrelated to the event should not be mandatory. Since the respondent would not be able to withhold consent without giving up attending the event, it would not be considered a freely given consent under the GDPR.
You can refer to recital 43 for further information about can be considered detrimental to a freely-given consent.
Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance. (Recital 43 – https://gdpr-info.eu/recitals/no-43/)
Once a form is submitted, the question capturing consent is stored along with the rest of the data. FormAssembly additionally captures the respondent’s IP address and timestamp. You can review this data for each submitted response on the report page.
Learn more about the GDPR and submit your questions on our GDPR FAQ page.