Opt-in forms & affirmative consent
Marketing and non-essential processing should use granular, affirmative opt-in when consent is the lawful basis (Article 6(1)(a) & Article 7). Pair every live form with a Record of Processing (RoPA) entry and up-to-date privacy / fair processing notices—so purposes, retention, and withdrawal are transparent and provable.
Granular & affirmative opt-in
Consent must be a clear positive action—no pre-ticked boxes, no bundling unrelated purposes into one “I agree”.
Align with Article 7
- Separate checkboxes (or equally clear controls) per purpose—e.g. marketing emails vs product tips vs third-party profiling.
- Link the specific privacy notice that covers that processing before the user consents.
- Name the controller and make withdrawal as easy as giving consent.
- Version your forms and store proof in the consent register when users submit.
High-risk patterns
- Pre-ticked “yes” to marketing hidden below the fold.
- Single checkbox covering terms of service and all marketing and “partner” sharing.
- Consent as default for non-essential processing because the user created an account.
- No RoPA row or privacy notice that matches what the form actually does.
Purposes in this hub (match your forms)
Each row should correspond to a clear choice on your site (and to a lawful basis—consent for optional marketing/analytics where applicable).
| Purpose / category | Code | Basis (hub) | Typical opt-in | Records |
|---|---|---|---|---|
Pair forms with RoPA & privacy notices
For each opt-in, you should be able to point to: (1) the processing activity in your RoPA, (2) the privacy / transparency information given at the time, and (3) the evidence of consent if Article 6(1)(a) applies.
Example: separate purposes (HTML pattern)
Adapt for your stack; wire submissions to your consent capture API and store evidence.
```html
<fieldset>
  <legend class="font-semibold">Optional processing</legend>
  <p><a href="/privacy">Privacy notice</a> explains each purpose.</p>
  <label>
    <input type="checkbox" name="consent_marketing" value="yes" />
    Email me product updates and offers (marketing).
  </label>
  <label>
    <input type="checkbox" name="consent_analytics" value="yes" />
    Use analytics to improve this service (non-essential).
  </label>
</fieldset>
```
Do not pre-check these. Log affirmative choices with timestamp, notice version, and subject identifier in your consent register.
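One way to turn a submission of the form above into consent register rows, as an added example that is not part of the original page. The field names come from the HTML pattern; the purpose codes, the `ctx` fields and the row shape are assumptions.

```javascript
// Added example. Field names come from the HTML pattern; purpose codes,
// context fields and the register row shape are assumptions.
const PURPOSES = {
  consent_marketing: "marketing",
  consent_analytics: "analytics",
};

function captureConsent(rawBody, ctx) {
  // Evidence must tie the choice to a person, a notice version and a form version.
  for (const key of ["subjectId", "noticeVersion", "formVersion"]) {
    if (!ctx[key]) throw new Error(`missing ${key}: cannot store provable consent`);
  }
  const params = new URLSearchParams(rawBody);
  const timestamp = (ctx.now || new Date()).toISOString();
  const entries = [];
  const rejected = [];

  for (const field of new Set(params.keys())) {
    if (!field.startsWith("consent_")) continue;
    const values = params.getAll(field);
    const purpose = PURPOSES[field];
    // Fail closed: unknown purposes (e.g. a bundled "consent_all"), duplicated
    // fields and any value other than the form's literal "yes" grant nothing.
    if (!purpose || values.length !== 1 || values[0] !== "yes") {
      rejected.push(field);
      continue;
    }
    entries.push({
      subjectId: ctx.subjectId,
      purpose,
      action: "grant",
      noticeVersion: ctx.noticeVersion,
      formVersion: ctx.formVersion,
      timestamp,
    });
  }
  // An unticked checkbox is absent from the body, so it yields no row at all.
  return { entries, rejected };
}

// Constructed sample submission: marketing ticked, analytics left unticked,
// plus a tampered bundled field that must not grant anything.
const sample = captureConsent(
  "email=a%40example.test&consent_marketing=yes&consent_all=yes",
  { subjectId: "user-123", noticeVersion: "privacy-v3", formVersion: "signup-v7",
    now: new Date("2024-01-01T00:00:00Z") }
);
console.log(JSON.stringify(sample, null, 2));
```

Entries in `rejected` are worth alerting on, since a live form that matches the register's purpose list should never produce them.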