Is it necessary to include a checkbox in my contact form?
No. A checkbox is not necessary. The 'Submit' button is enough.
If you are clear about the fact that the contact form is a contact form, then the user's action of clicking the "Submit" button already means that they are consenting to the processing of the data.
However, it is necessary to include text next to the form, such as:
We will process your data to contact you and inform you about our products and services. You can revoke consent, exercise your rights of access, rectification, opposition, limitation of treatment, portability, and deletion by writing to us at [email address]. More information in the Privacy Policy of our Legal Hub.
Here's a more detailed explanation of why you don't need a checkbox in your contact form. There are two reasons for that.
1. Clicking the submit button is consenting
Yes, clicking the submit button of a contact form means consenting to the processing of data. Here's why:
Definition of 'consent' according to GDPR
The best place to start is by understanding what 'consent' means. Within the General Data Protection Regulation, we must look at Article 4, which contains the definitions.
Article 4: Definitions (GDPR)
- ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
So, as you can see in Article 4 of the GDPR, consent may be achieved in two ways:
- A statement
- Clear affirmative action 👈
No need for the checkbox
One may too quickly conclude that 'Clear affirmative action' means a checkbox. Especially when reading Recital 32 of the GDPR:
Recital 32.2. (GDPR)
This could include ticking a box when visiting an internet website, choosing technical settings for information society services, or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data.
However, if you pay close attention, you will see that the text also says:
(...) or another statement or conduct which clearly indicates in this context (...)
In other words, conduct, in a certain context, also means giving consent.
A perfect example of this is pressing a 'Submit' button in the context of a contact form. It is clear to everyone that filling in a contact form with your information and submitting that information to a company means the company will process your information.
2. You inform users of the purposes of the data processing
There is just one small problem with the 'Submit' button:
Recital 32.5 (GDPR)
- Consent should cover all processing activities carried out for the same purpose or purposes
- When the processing has multiple purposes, consent should be given for all of them.
Indeed, the user must consent not only to the fact that you are processing their data. They must also consent to the purposes of the data processing. And this is not fully achieved by clicking a button.
Legal text next to the form
For the click of a button to also fulfill your information duties, you must include in the form a short text that informs users of the purposes of processing the personal data, such as:
We will process your data to contact you and inform you about our products and services. You can revoke consent, exercise your rights of access, rectification, opposition, limitation of treatment, portability, and deletion by writing to us at [email address]. More information in the Privacy Policy of our Legal Hub.
Layered information model
Many countries' national data protection authorities have guidelines on something called a "layered information model".
The Spanish Data Protection Agency (AEPD) has a Guide for compliance with the duty to inform, which states:
Layered information (AEPD)
- To make the greater demand for information introduced by the GDPR compatible with conciseness and comprehension, the Data Protection Authorities recommend adopting a model of information by layers or levels.
- The multilevel information approach consists of:
- Presenting basic information at a first level, in a summarised form, at the same time and in the same medium in which the data are collected.
- Referencing additional information at a second level, where the remaining information is presented in detail.
Make your life easier
GDPR is not stupid. GDPR is awesome. If you feel like it is unnecessarily complicated, you are doing it wrong. In fact, it can be easily achieved with the right tools and resources. All you need are the correct GDPR templates readily available online. Once you have these, simply make them accessible to your users in the appropriate places.
That's all it takes to comply with GDPR requirements. So don't let law consultants convince you that GDPR compliance is a complex and costly process - it's really not. With the right approach, GDPR compliance can be simple and affordable.