add first layer of information to contact form

Is it necessary to include a checkbox in my contact form?

Short answer

No. A checkbox is not necessary. The ‘Submit’ button is enough.

If you make it clear that the contact form is a contact form, then the act of clicking the “Submit” button already means that the user is consenting to the processing of the data.

However, it is necessary to include a text next to the form, such as:

We will process your data to contact you and inform you about our products and services. You can revoke consent, exercise your rights of access, rectification, opposition, limitation of treatment, portability, and deletion by writing to us at [email address]. More information in the Privacy Policy of our Legal Hub.

Footer for contact form | template gallery at GDPR.Direct

Long answer

You don’t need a checkbox, and there are two reasons for that.

1. Clicking the submit button is consenting

Yes, clicking the submit button of a contact form means consenting to the processing of data. Here’s why:

Definition of ‘consent’ according to GDPR

The best place to start is by understanding what ‘consent’ means. Inside the General Data Protection Regulation, we must look at Article 4, which contains the definitions. One such definition is the concept of ‘consent’.

11. ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

So, as you can see in Article 4 of the GDPR, consent may be achieved in two ways:

  1. A statement
  2. Clear affirmative action

No need for the checkbox

One may too quickly conclude that ‘Clear affirmative action’ means a checkbox. Especially when reading Recital 32 of the GDPR:

This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data.

However, if you pay close attention, you will see that the text says:

(…) or conduct which clearly indicates in this context the data subject’s acceptance.

Thus, conduct, in a certain context, also means giving consent. A perfect example of this is pressing a ‘Submit’ button in the context of a contact form. It is universally clear to everyone that filling in a contact form with your information and submitting that information to a company means the company will process it.

It is unambiguous because the contact form on your website has a specific purpose, that purpose is clearly stated in the form, and the text on the button says ‘Submit’, ‘Send’ or any other text informing what the button does.

This is why clicking the ‘Submit’ button means consenting, through conduct, in the context of a contact form. So there is no need for a checkbox. However, there is a second condition that you must meet:

2. You inform of the purposes of the data processing

There is just one small problem with the ‘Submit’ button:

Consent should cover all processing activities carried out for the same purpose or purposes.

When the processing has multiple purposes, consent should be given for all of them.

Indeed, the user must consent not only to the fact that you are processing their data. They must also consent to the purposes of data processing. And this is not achieved fully by clicking a button.

This is easily fixed with a legal text next to the form:

Legal text next to the form

To fulfill your information duties when consent is given by simply pressing a button, you must include in the form a short text that states the purposes of processing the personal data.

We will process your data to contact you and inform you about our products and services. You can revoke consent, exercise your rights of access, rectification, opposition, limitation of treatment, portability, and deletion by writing to us at [email address]. More information in the Privacy Policy of our Legal Hub.

This sort of text is usually referred to as a ‘First layer of information’.

The people who wrote the GDPR were very smart and knew that you can’t show all the legal text with all the information everywhere. This is expressly written in Recital 32:

If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

For that reason, it offers a solution: you can include some basic information in the same place where data is captured and a link to additional information regarding the processing.

Layered information model

Many countries’ national data protection authorities have guidelines on something called a “layered information model”.

The Spanish Data Protection Agency (AEPD) has a Guide for compliance with the duty to inform, which states:

Layered information (AEPD)
  • To make the greater demand for information introduced by the GDPR compatible with the conciseness and comprehension in the way it is presented, the Data Protection Authorities recommend adopting a model of information by layers or levels.
  • The multilevel information approach consists of the following:
    • presenting basic information at a first level, in a summarised form, at the same time and in the same medium in which the data are collected,
    • refer to additional information at a second level, where the remaining information is presented in detail, in a medium more suitable for presentation, comprehension and, if desired, archiving.

What does this mean? In summary, it means that you can show some basic information about data processing in the form, and include a link to the full privacy policy.


Make your life easier

GDPR is not stupid. GDPR is awesome. If you feel like it is unnecessarily complicated, you are doing it wrong. In fact, it can be easily achieved with the right tools and resources. All you need are the correct GDPR templates readily available online. Once you have these, simply make them accessible to your users in the appropriate places. That’s all it takes to comply with GDPR requirements. So don’t let law consultants convince you that GDPR compliance is a complex and costly process – it’s really not. With the right approach, GDPR compliance can be simple and affordable.

