How to Make Your Forms GDPR Compliant (Without Tanking Your Conversion Rates)

Mac Hasley
May 20, 2020

Marketers—it’s time to up your game (and your opt-in standards).

There’s a new set of privacy regulations in town. It’s called the GDPR. And if you’re like a worrying number of marketers, you might not quite be ready for it.

(The GDPR came into effect on May 25th, 2018.)

So at Convert, we’re breaking the regulation down—piece by piece—so you can keep track of how to comply throughout your entire marketing funnel.

Today, we’re talking about forms.

But first things first. You might be thinking….

I’m not sure what GDPR is.

In short, it’s a sweeping law that replaced the EU’s 1995 Data Protection Directive. Its goal is to standardize data privacy law throughout Europe, and it raises the bar for how marketers collect and store data about their users.

But I’m an anarchist/not European/unafraid of fines/skeptical/lazy/etc…

A few things you should know about the GDPR:

  1. It has a wide territorial scope. It protects people who are in the EU (residents, not just citizens), and it applies to businesses outside the EU as well. Even if you’ve never set foot or IP address in Europe in your life, the moment you offer goods or services to people in the EU, or monitor their behaviour (Article 3), the way you handle their personal data has to be up to code.
  2. Not complying with the law = big $$$ fines. We’re talking up to 4% of your annual global turnover, or 20 million euros, whichever is greater.

Basically—no matter where you’re from, if your business interacts with the EU, your data collection should be GDPR compliant.

I get it, but why do I have to change my forms?

Well, you might not.

If your form is for….

  1. Something anonymous—like a quiz or survey—that doesn’t require personal information (and whose answers aren’t tied to an IP address, cookie ID or account)
  2. Moving prospects somewhere else on your site, without STORING their responses.

You’re good. Make no changes. You’re in the GDPR clear.

But if you collect any personal data from your users, and store it—you’ve got to collect consent in a way that complies with new laws.

Keep in mind… personal data means any piece of information that can identify someone, directly or indirectly. So name, ID number, location data, email, phone, address, company, IP address, etc. all count. Consent is only one of the lawful bases for processing listed in Article 6, but for a marketing opt-in it’s the one that applies, so that’s what this post focuses on.

You’re probably already doing this. If you collect emails, your forms probably have a giant “subscribe” button, or a little checkable box that says “I consent to receive promotional emails.”

You might just have to do it a bit differently now.

The GDPR’s consent rules (Article 7 and Recital 32), paraphrased:

“Request the explicit consent of every user before any data collection takes place. Requests must be in clear, plain, easily understandable language free of legalese. It also must stand alone from other matters or requests and not be buried in other text.”


Ask if you can have and use your visitors’ data before you collect it. And don’t muck up your wording or be a jerk about how you make that ask.

And this introduces the need for Consent Rate Optimization™: the discipline of creating opt-in forms that, through design, wording, clarity and the general user experience (this includes the value of the gated asset as well), predispose traffic to saying “yes” to your explicit and relevant ask.

It sounds tedious. It is not! Consent Rate Optimization™ goes beyond just updating your forms for GDPR. The good news is, it follows the same principles as transparent, human marketing.

So tell me the bad news. What do I have to change?

First, a quick overview.

Here are a few common things you may be doing on your forms which make GDPR say “not so fast”:

1. Bundling

If you’re asking for consent to store and use someone’s data, you have to make that request clear and independent of other terms. Consent can’t be a precondition of signing up for a service (Article 7(4)); giving it has to be a separate, free decision for your users.

Lumping consent to use personal data, with another term or offer, is called bundling. And it’s a big “nope” for GDPR compliance.

The most common example of this is a single checkbox, lumping data consent with something benign and mandatory—like your terms of service.

[Image: a signup form with one checkbox covering both the terms of service and the email opt-in]

The form above is not GDPR compliant. You’ll need to change it to two separate boxes: one for opting into your email list, one for your Terms of Use.

2. Negative opt-ins

This one’s pretty easy to get your head around.

Pre-checked boxes? No more.

Your “By checking this box, I want to receive emails” disclaimers have to remain blank, and be actively “checked” by users.

Or, you can set up a binary choice, in which both options have equal prominence, like the one below.

[Image: example of a binary opt-in choice, with both options given equal prominence and neither pre-selected]

3. Non-granular opt-ins

Are you going to be contacting consumers by text, and phone, and email? Then that needs to be clear.

The safest bet is to give separate consent options for each type of communication.

[Image: example of granular opt-ins, one checkbox per communication channel]

The key is: ask yourself when you collect user data “what am I using this for?”

Then follow up with a quick: “is that clear to the user?”

If not—your consent-collecting process needs some work.

Now, I could use some good news. Hit me with that silver lining.

Lucky for all of us, the silver lining here is bright and shiny and exciting. GDPR rules and CRO best practices go, more or less, hand in hand.

At its core: GDPR is about transparency, privacy, and a commitment to keeping your user data safe.

And, it just so happens, that users like to hand their data over to companies they feel are transparent, private, and committed to keeping their data secure.

Here are some of the ways adhering to CRO best practices can help you stay GDPR compliant.

Form length…

CRO experts say….

We’ve all heard the big best practice on forms: ditch the fields you don’t need. Make the fields you do need as easy to fill out as possible. You’ll see a conversion rate uptick; some case studies claim one as high as 160%.

Of course, best practices aren’t to be taken as gospel, but there’s a decent chunk of evidence to suggest: the quicker you can fill out a form, the more likely you are to do so.

GDPR says…

Reduce your form fields? An A+ idea. GDPR requires data controllers to collect only the information they actually need.

In fact, data minimization is a huge part of GDPR, and of privacy by design. Article 5(1)(c) requires that personal data be adequate, relevant and limited to what’s necessary for the purpose it was collected for, and Article 25 requires data protection by design and by default.

So basically: if it doesn’t serve the user, it shouldn’t be sitting in your database.

If you’re looking to email your subscribers information on how to grow their ecommerce business, you probably don’t need to know their age. Or their fax number. Or any other number of non-related pieces of data that it may seem “useful” to collect.

GDPR also gives data subjects the right to access the data you hold on them (Article 15), to have it corrected (Article 16) and, subject to some exceptions such as data you’re legally required to keep, to have it erased (Article 17). You generally have one month to respond to such a request (Article 12).

So keeping the data you collect to a minimum, and keeping it easy to find, export and delete, is essential.
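The three form rules above (no bundling, no pre-checked boxes, granular channel opt-ins) and the access and erasure rights just mentioned all have a server-side half: what your form handler does with the POST body, and what record it keeps. The example below is added here and is not code from Convert or from the original post; the field names (accept_terms, consent_email, consent_sms, consent_phone), the channel list, the wording-version label and the allowed account fields are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Hypothetical names for this example. One checkbox per channel (granular),
# and a separate, mandatory checkbox for the terms of use (no bundling).
MARKETING_CHANNELS = ("email", "sms", "phone")
# Assumed: a version label for the exact consent wording the user saw, stored
# with every record so you can later show what they agreed to.
CONSENT_WORDING_VERSION = "signup-v1"
# Assumed: the only fields the signup purpose needs (data minimization);
# anything else in the POST body is dropped, not stored.
ALLOWED_ACCOUNT_FIELDS = {"email", "company_size"}
TRUTHY = {"on", "1", "true", "yes"}


class ConsentError(ValueError):
    pass


@dataclass(frozen=True)
class ConsentEvent:
    email: str
    action: str                 # "granted" or "withdrawn"
    channels: Tuple[str, ...]
    wording_version: str
    recorded_at: str            # ISO-8601 UTC timestamp
    source: str                 # which form or page produced the event


def checkbox_checked(form: Dict[str, str], name: str) -> bool:
    """An unchecked HTML checkbox is simply absent from the POST body, so a
    missing field (or any unexpected value) means 'no consent', never a
    default yes. This is the server-side counterpart of 'no pre-checked boxes'."""
    return str(form.get(name, "")).strip().lower() in TRUTHY


def process_signup(form: Dict[str, str], now: Optional[datetime] = None):
    """Validate one submission; returns (account_fields, consent_event or None).

    Accepting the terms is a precondition of the account. Marketing consent is
    not: a submission with the terms box ticked and every consent box empty
    still succeeds, which is what keeps the two decisions unbundled."""
    now = now or datetime.now(timezone.utc)
    if not checkbox_checked(form, "accept_terms"):
        raise ConsentError("terms of use must be accepted to create an account")
    email = form.get("email", "").strip()
    if not email:
        raise ConsentError("email is required")

    account = {k: v for k, v in form.items() if k in ALLOWED_ACCOUNT_FIELDS}
    channels = tuple(c for c in MARKETING_CHANNELS
                     if checkbox_checked(form, f"consent_{c}"))
    event = None
    if channels:
        event = ConsentEvent(email, "granted", channels, CONSENT_WORDING_VERSION,
                             now.isoformat(), "signup_form")
    return account, event


class ConsentLog:
    """Append-only log of consent events: the evidence that consent was given
    (Article 7(1)) and the data behind access and erasure requests."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def append(self, event: Optional[ConsentEvent]) -> None:
        if event is not None:
            self._events.append(event)

    def active_channels(self, email: str) -> Tuple[str, ...]:
        """Replay the log in order; a later withdrawal cancels an earlier grant."""
        active = set()
        for e in self._events:
            if e.email != email:
                continue
            if e.action == "granted":
                active.update(e.channels)
            elif e.action == "withdrawn":
                active.difference_update(e.channels)
        return tuple(c for c in MARKETING_CHANNELS if c in active)

    def withdraw(self, email: str, channels: Optional[Tuple[str, ...]] = None,
                 now: Optional[datetime] = None) -> None:
        """Withdrawing must be as easy as granting (Article 7(3)); it is recorded
        as its own event rather than by editing the original grant."""
        now = now or datetime.now(timezone.utc)
        self.append(ConsentEvent(email, "withdrawn", tuple(channels or MARKETING_CHANNELS),
                                 CONSENT_WORDING_VERSION, now.isoformat(), "preferences_page"))

    def export_for(self, email: str) -> List[dict]:
        """Subject access request: everything this log holds about the address."""
        return [asdict(e) for e in self._events if e.email == email]

    def erase(self, email: str) -> int:
        """Erasure request: drop every event for the address and return how many
        were removed. (A production system usually keeps a minimal suppression
        entry so an erased address isn't re-imported later; omitted here.)"""
        before = len(self._events)
        self._events = [e for e in self._events if e.email != email]
        return before - len(self._events)
```

The form markup is where the user sees two separate boxes and no pre-ticked defaults; this is what the handler behind it has to do so that the markup isn’t the only thing enforcing the rule. Two details matter in practice: the handler never treats a missing checkbox as consent (browsers omit unchecked boxes entirely, so a default of `True` anywhere in the code path silently turns into a negative opt-in), and every grant is stored with a timestamp, the wording version and the source form, which is what you’ll be asked to produce if anyone ever questions whether consent was given.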

“But what about these new consent rules?”—you may (fairly) ask. “Do I need to add on new form fields or bits of text or disclaimers? Isn’t that another step for my visitors?”

The key here, really, is just to stay clear and concise.

State what you’re going to be using their data for, and how you’re going to collect it. Phrase it as an “I agree” statement, and add that easy-to-check box. As long as that consent language is digestible, and reads like an attempt at transparency, you’ll make GDPR, and your users, happy.

Sell them on it.

CRO experts say….

The folks over at ConversionXL have a few quick “best practice” checks for building out the “good” kind of email collecting form.

The best possible form:

  1. Is short
  2. States a clear value proposition
  3. Mentions a privacy policy

Basically: killing your form fields left and right won’t do you any good if your users don’t remember why they wanted to give you their dang email in the first place.

Write solid microcopy. Make sure your form headline reminds people of what they’re getting when they part ways with their precious email address.

And opt for a link (to a pop up—not to leave the page) for your privacy policy—over the blind assurances that you “won’t spam.”

Because it turns out—if you wrote a decent landing page—no one was expecting you to spam.

(At least, not until now).

GDPR says…

Privacy policy you say? Having those accessible is a must.

Data subjects now have a legal right to transparency (Articles 13 and 14): to know who is collecting their data, what it’ll be used for, who it’ll be shared with and how long it’ll be kept.

But beyond that, what is GDPR compliant here and what is good for conversions go hand in hand.

If you want to collect someone’s data—telling them why you need it, and how you’ll use it, might help your case.

Need an email to send a customer coupons? The “to send you coupons” part should live in your form microcopy.

Need a company size to better tailor your software offers to your prospects? Telling them that as they sign up, is a win for legal transparency, and potentially, your conversion rate.

Using Friction the Smart Way

CRO experts say….

So what if you don’t want just anyone’s email information? Just the email information from the folks who are really interested?

Well good for you. You’re building a list that loves you, then. One that’ll keep your open rates high, and your “report to spam” rates low (assuming, that you don’t, you know, spam them).

One way to do this is to ask more questions. The kind that qualify your prospects, help you lead score, and test the motivation of your form-fill-outers.

GDPR says…

Who do you think wants to hear from you more? The user who forgot to uncheck a box? Or the one who checked “contact me!”, even when they didn’t have to?

Remember that binary consent option we talked about earlier?

[Image: the binary consent option shown earlier]

There. Now you remember.

Ensuring that people consent actively, to handing over their email and to receiving your promotional messages, should be a good thing for you in the long run.

And if you really want to qualify your prospects, presenting them with the choice to do otherwise—to opt-out of your updates, or to sign up for the updates most relevant to them—should go a long way to ensuring that your emails aren’t falling on uninterested ears.

To sum it up:

Right now, GDPR might look like a headache. It’s going to take some time to inventory your data, figure out how you’re collecting it, and make sure that you comply, every step of the way.

But in the end, the way GDPR mandates you ask for consent—can be a very good thing for your conversions, for the credibility of your organization, and for your marketing strategy moving forward.

Originally published May 20, 2020 - Updated April 01, 2024
Mac Hasley Mac is a content strategist at Convert, a copywriter across the webz, and an advocate for marketing that is humble and kind
Carmen Apostu In her role as Head of Content at Convert, Carmen is dedicated to delivering top-notch content that people can’t help but read through. Connect with Carmen on LinkedIn for any inquiries or requests.
