
Is it necessary to include a checkbox in my contact form?

Short answer: No. A checkbox is not necessary. The 'Submit' button is enough. This is clearly explained in the GDPR.

Claudio Codovici
May 18, 2024

No. A checkbox is not necessary. The ‘Submit’ button is enough.

If you make it clear that the form is a contact form, then clicking the “Submit” button already means the user is consenting to the processing of their data.

However, it is necessary to include a text next to the form, such as:

We will process your data to contact you and inform you about our products and services. You can revoke consent, exercise your rights of access, rectification, opposition, limitation of treatment, portability, and deletion by writing to us at [email address]. More information in the Privacy Policy of our Legal Hub.

Here’s a more detailed explanation of why you don’t need a checkbox in your contact form. There are two reasons for that.

1. Clicking the submit button is consenting

Yes, clicking the submit button of a contact form constitutes a clear affirmative action (the GDPR’s actual terminology). Here’s why:

The best place to start is by understanding what ‘consent’ means. Inside the General Data Protection Regulation, we must look at Article 4, which contains the definitions.

Article 4: Definitions (GDPR)

  1. ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

So, as you can see in Article 4 of the GDPR, consent may be achieved in two ways:

  1. A statement
  2. Clear affirmative action (this is what clicking “Submit” is)

No need for the checkbox

One may too quickly conclude that ‘clear affirmative action’ means a checkbox, especially when reading Recital 32 of the GDPR:

Recital 32.2. (GDPR)

This could include ticking a box when visiting an internet website, choosing technical settings for information society services, or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data.

However, if you pay close attention, you will see that the text says:

(…) or conduct, in a certain context, also means giving consent.

A perfect example of this is pressing a ‘Submit’ button in the context of a contact form. It is universally clear to everyone that filling in a contact form with your information and submitting said information to a company means they will process your information.

2. You inform users of the purposes of the data processing

There is just one small problem with the ‘Submit’ button:

Recital 32.5 (GDPR)

  1. Consent should cover all processing activities carried out for the same purpose or purposes
  2. When the processing has multiple purposes, consent should be given for all of them.

Indeed, the user must consent not only to the fact that you are processing their data. They must also consent to the purposes of data processing. And this is not achieved fully by clicking a button.

For a button press alone to satisfy your information duties, the form must include a short text that states the purposes of processing the personal data.

We will process your data to contact you and inform you about our products and services. You can revoke consent, exercise your rights of access, rectification, opposition, limitation of treatment, portability, and deletion by writing to us at [email address]. More information in the Privacy Policy of our Legal Hub.

Layered information model

Many countries’ national data protection authorities have guidelines on something called a “layered information model”.

The Spanish Data Protection Agency (AEPD) has a Guide for compliance with the duty to inform, which states:

Layered information (AEPD)

  • To make the greater demand for information introduced by the GDPR compatible with conciseness and comprehension, the Data Protection Authorities recommend adopting a model of information by layers or levels.
  • The multilevel information approach consists of:
    • Presenting basic information at a first level, in a summarised form, at the same time and in the same medium in which the data are collected.
    • Referencing additional information at a second level, where the remaining information is presented in detail.

When DO you need a checkbox?

You must include a separate checkbox if:

1. Marketing purposes

If you want to add contact form submitters to a marketing list or newsletter, you need explicit, freely given consent:

☐ Yes, I'd like to receive marketing emails about your products and services.

This checkbox must be:

  • Optional (not required to submit the form)
  • Unchecked by default
  • Clear and specific about what they’re consenting to

2. Sharing data with third parties

If you’ll share their data with third parties (beyond necessary service providers like email hosting), you need explicit consent.

3. Processing special category data

If you’re collecting sensitive information (health data, political opinions, etc.), you need explicit, separate consent.

Example: Compliant contact form

Here’s what a GDPR-compliant contact form might look like:

<!-- method="post" keeps the submitted personal data out of the URL -->
<form method="post">
  <!-- Each field needs a name attribute, otherwise the browser does not submit it -->
  <label for="name">Name *</label>
  <input type="text" id="name" name="name" required>

  <label for="email">Email *</label>
  <input type="email" id="email" name="email" required>

  <label for="message">Message *</label>
  <textarea id="message" name="message" required></textarea>

  <!-- Optional marketing consent checkbox: not required, unchecked by default -->
  <label>
    <input type="checkbox" name="marketing">
    I'd like to receive updates about your products and services
  </label>

  <button type="submit">Submit</button>

  <p class="privacy-notice">
    We will process your data to contact you and inform you about
    our products and services. You can revoke consent at any time.
    Read our <a href="/privacy">Privacy Policy</a> for more information.
  </p>
</form>
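
The checkbox rules above only hold if the server honours them too. The sketch below is an added example, not code from the original article: it parses the form's POST body, re-checks the required fields (the `required` attribute is enforced only by the browser) and records marketing as a purpose only when the box was actually ticked. The field names, the purpose labels and the `parseContactSubmission` function are assumptions.

```javascript
// Added example: server-side handling of the contact form's urlencoded POST body.
// Assumed field names: name, email, message, marketing (matching the form above).
const REQUIRED_FIELDS = ["name", "email", "message"];

// Constructed sample body, as a browser would send it with the box left unticked.
const SAMPLE_BODY = "name=Ana+Ruiz&email=ana%40example.test&message=Hello";

function parseContactSubmission(body) {
  const params = new URLSearchParams(body);
  const errors = [];
  const contact = {};

  // `required` in the HTML is only a browser-side check, so validate again here.
  // A field sent more than once is rejected rather than guessed at.
  for (const field of REQUIRED_FIELDS) {
    const values = params.getAll(field);
    const value = values.length === 1 ? values[0].trim() : "";
    if (!value) errors.push(`${field} is missing or duplicated`);
    contact[field] = value;
  }

  // A ticked checkbox without a value attribute arrives as "marketing=on";
  // an unticked one is not sent at all. Anything else is not an opt-in.
  const marketing = params.getAll("marketing");
  const marketingOptIn = marketing.length === 1 && marketing[0] === "on";

  return {
    ok: errors.length === 0,
    errors,
    contact,
    // Purposes stay separate: answering the inquiry never implies marketing.
    purposes: marketingOptIn ? ["contact", "marketing"] : ["contact"],
  };
}

// Decide what to do with a submission: reply only, or reply and add to the list.
function routeSubmission(body) {
  const result = parseContactSubmission(body);
  if (!result.ok) return { action: "reject", errors: result.errors };
  return {
    action: "accept",
    replyTo: result.contact.email,
    addToNewsletter: result.purposes.includes("marketing"),
  };
}
```

Calling `routeSubmission(SAMPLE_BODY)` accepts the message with `addToNewsletter` set to `false`, because the unticked box sends no `marketing` field.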

Common misconceptions about GDPR and contact forms

Reality: GDPR provides six lawful bases for processing data, not just consent. For contact forms, the clear affirmative action of submitting the form (combined with proper information) provides valid consent.

Misconception 2: “Pre-checked boxes are okay if mentioned in the privacy policy”

Reality: For marketing consent, checkboxes must be unchecked by default. Pre-checked boxes do not constitute valid consent under GDPR.

Reality: The GDPR uses the term “clear affirmative action,” not “implicit consent.” Clicking Submit is an explicit, affirmative action when the context (a contact form) makes the purpose clear.

Make your life easier

GDPR is not stupid. GDPR is awesome. If you feel like it is unnecessarily complicated, you are doing it wrong. In fact, compliance can be easily achieved with the right tools and resources. All you need are the correct GDPR templates readily available online. Once you have these, simply make them accessible to your users in the appropriate places.

That’s all it takes to comply with GDPR requirements. So don’t let law consultants convince you that GDPR compliance is a complex and costly process - it’s really not. With the right approach, GDPR compliance can be simple and affordable.

Conclusion

You do not need a separate consent checkbox for basic contact form submissions. The act of submitting the form provides a clear affirmative action (GDPR’s terminology) for you to process the data to respond to the inquiry.

However, if you want to use the data for additional purposes (like marketing), you must obtain separate, explicit consent through an optional, unchecked checkbox.

Focus on transparency and clarity rather than unnecessary checkboxes that frustrate users and reduce form completion rates.
