With data privacy concerns on the rise, it's more important than ever to ensure that your email and SMS marketing practices comply with regulations such as the General Data Protection Regulation (GDPR). The GDPR sets stringent standards for how businesses process (in particular, collect and store) personal data, including email addresses.
One critical aspect of GDPR compliance is the proper handling of email and SMS subscription forms. Whether you're running an e-commerce store, a blog, or any online platform, your subscription form plays a pivotal role in obtaining the consent of subscribers (also known as "data subjects" in GDPR terms) to process their personal data.
⚖️ What is GDPR?
The General Data Protection Regulation (GDPR) is a legal act created by the European Union (EU) that regulates when and how personal data may be processed. Its core principles are articulated in Article 5 and can be summarized as follows:
- Process personal data lawfully, fairly, and transparently.
- Gather personal data for clear, explicit, and legitimate purposes.
- Only collect data that is relevant, adequate, and necessary.
- Maintain the accuracy of personal data.
- Keep personal data in a form that permits identification of data subjects for no longer than necessary.
- Handle personal data with measures ensuring its security.
As you can see, the data protection rules increase transparency and give data subjects a better understanding of what their personal data is used for.
Since 2018, all organizations with EU-based audiences must comply with the regulation. This means that even if your company is not located in the EU, you must adhere to the GDPR requirements if you process the personal data of data subjects in the EU.
What does GDPR state about consent?
Creating effective subscription forms under GDPR requires you to first understand what it actually says:
Article 4(11) states,
“Consent of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
Recital 32 further specifies,
“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services, or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data.”
“Silence, pre-ticked boxes or inactivity should not, therefore, constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them.”
➡️ To learn more, you can download the Guidelines on Consent under Regulation published by the EU.
Why is it crucial to be GDPR-compliant?
Being GDPR compliant is crucial for several reasons: non-compliance can lead to substantial fines, a breach of trust damages your reputation and can cost you customers, and data subjects have little visibility into how their personal data is used once it has been collected, which makes safeguarding it all the more important.
📄 Create a GDPR-compliant subscription form
The procedure below highlights how to create a GDPR-compliant email subscription form. The process is the same for an SMS subscription form and can be easily adapted.
Step 1: Create separate contact lists for each specific purpose
If you need consent for one purpose only, such as receiving a newsletter, you can create a single master list where all subscribers (data subjects) will be stored.
To obtain consent from your subscribers (data subjects) for different purposes, such as receiving newsletter A and newsletter B, you should create separate contact lists for each of these purposes:
- A master list that will be linked to the form and that will contain all subscribers (data subjects) who have submitted the form. Here, we have called it the “All email subscribers” list.
- A list that will contain all contacts who have given their consent to receive newsletter A. Here, we have called it the “Newsletter A subscribers” list.
- A list that will contain all contacts who have given their consent to receive newsletter B. Here, we have called it the “Newsletter B subscribers” list.
To learn how to create contact lists, check our dedicated article Create lists and folders to organize your contacts.
Step 2: Create your subscription form
Create your subscription form by choosing the fields, text, or images you want to include and customize its design. We will explain how to make your form GDPR-compliant in Step 3: Make your subscription form GDPR-compliant.
➡️ To learn how to create a subscription form, check our dedicated article Create a subscription form .
Step 3: Make your subscription form GDPR-compliant
Enable the GDPR field and GDPR Declaration
Brevo provides two blocks that can be added to your subscription forms to enable you to properly collect and store the consent of subscribers (data subjects):
GDPR field
The GDPR field adds a checkbox that subscribers (data subjects) must tick to consent to receiving your newsletters, together with a link to your data privacy policy, which should be linked from the form. You can and should amend the text according to your individual legal requirements.
❗️ Important
For SMS subscription forms, you should also amend the text to your individual legal requirements and clarify that you will be sending SMS messages, not email newsletters. Additionally, include instructions on how to unsubscribe from this communication channel.
➡️ To learn more about the SMS unsubscribe options, check our dedicated article Include an unsubscribe option in your SMS messages.
GDPR Declaration
The GDPR Declaration notifies subscribers (data subjects) that you are using Brevo as your marketing tool and that the data they provide in the form will be transferred to Brevo. You can and should amend the text according to your individual legal requirements.
To include the GDPR field and GDPR Declaration blocks in your subscription form, you have two options:
- Enable the Enable GDPR fields option at the Setup step of your subscription form, or
- Drag and drop the GDPR field and GDPR Declaration blocks in your subscription form design.
Enable the multi-list subscription option
If you want to obtain explicit consent from your subscribers (data subjects) for different purposes, you can drag and drop the multi-list subscription block into your subscription form to let subscribers (data subjects) choose the types of emails they want to receive.
To enable the multi-list subscription option:
- Drag and drop the Multi-list subscription block from the left panel of the form editor to your form.
- From the Select your lists dropdown in the left panel, select the per-purpose lists you previously created (here, “Newsletter A subscribers” and “Newsletter B subscribers”), not the master list. These are the lists that will be displayed in the form.
- Click Apply.
- Modify the Label name to a sentence that asks for the consent of subscribers (data subjects), such as “I agree to receive:” by changing the text directly within the form editor.
- Optional: modify the name of your lists by changing the text directly within the form editor.
- Make sure the Required field option is enabled so that your contact will have to check at least one box to submit the form.
Enable the double opt-in process
The double opt-in process is a two-step registration process that requires subscribers (data subjects) to confirm their subscription by verifying their email address. Brevo allows you to set up a double opt-in in a few simple steps.
Although double opt-in isn’t required by the GDPR, it helps you keep your mailing list clean and healthy by confirming that the address belongs to the person who submitted the form. It also gives you additional evidence that your subscribers expressly consented to the processing of their personal data and to receiving your emails, which matters because Article 7(1) requires you to be able to demonstrate that consent was given.
To enable the double opt-in process for your subscription form:
- At the Settings step of your subscription form, select Double confirmation email.
- Click the Select a template dropdown menu and select one of the following options:
- Select the Default Template Double opt-in confirmation. You can modify the default template from Campaigns > Templates.
- Select a custom template you have already created.
❗️ Important
If you want to create your own custom template, make sure you follow the procedure in the dedicated article Create a custom double opt-in (DOI) confirmation template for Brevo subscription forms to include the mandatory fields. Otherwise, the template won't be displayed in the dropdown menu.
- Optional: Add additional options to your double confirmation:
- Select the Confirmation page after submitting the form option if you want your subscriber to be redirected to a specific page (e.g., a confirmation page or your website homepage) after registering. You can use the default confirmation page or create one on your end and link it there.
- Select the Confirmation page after clicking the validation link in the email option if you want your subscriber to be redirected to a specific page (e.g., a confirmation page or your website homepage) after they click the validation link in the email. You can use the default confirmation page or create one on your end and link it there.
- Select the Final Confirmation Email option if you want your subscribers to receive a final confirmation email after they have completed the double opt-in process. The default template for the final confirmation email is called Default template - Final Confirmation and you can modify it from Campaigns > Templates.
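To make concrete what the multi-list consent and the double opt-in steps above actually have to guarantee, here is an added example of a minimal consent ledger. It is illustration code written for this article, not Brevo's implementation (Brevo performs these steps inside its form editor and backend). It assumes two purpose names (newsletter_a, newsletter_b), a 48-hour lifetime for unconfirmed requests, an in-memory store, and a placeholder confirmation URL; none of these come from the page. It shows the three properties a practitioner cares about: nothing is stored until the address has been verified, a confirmation token works exactly once and expires, and the record kept afterwards contains what you need to demonstrate consent (who, for which purposes, under which policy version and wording, and the timestamps of both steps).

```python
"""Added illustration of a double opt-in consent ledger. Example code, not
Brevo's own implementation. Assumptions (not from the article): the purpose
names in PURPOSES, the 48-hour token lifetime, an in-memory store, and the
placeholder confirmation URL."""
import dataclasses
import secrets
import time

PURPOSES = {"newsletter_a", "newsletter_b"}            # assumed: one per-purpose list each
TOKEN_TTL_SECONDS = 48 * 3600                          # assumed: unconfirmed requests expire
CONFIRM_URL = "https://example.invalid/confirm?token="  # placeholder, not a real endpoint


@dataclasses.dataclass(frozen=True)
class ConsentRecord:
    """What you keep as proof of consent: who, for what, under which wording, and when."""
    email: str
    purposes: frozenset
    policy_version: str
    consent_text: str      # the exact wording shown next to the checkbox
    requested_at: float    # form submitted (step 1)
    confirmed_at: float    # link in the confirmation email clicked (step 2)


class ConsentStore:
    def __init__(self):
        self._pending = {}    # token -> submitted form data, awaiting confirmation
        self._confirmed = {}  # email -> ConsentRecord (the "master list")

    def request_subscription(self, email, purposes, policy_version, consent_text, now=None):
        """Step 1: record what was ticked and hand back a single-use confirmation token."""
        now = time.time() if now is None else now
        chosen = frozenset(purposes)
        # Only the boxes the user actually ticked are passed in: nothing is pre-selected,
        # and an empty selection is refused, like the form's "Required field" option.
        if not chosen:
            raise ValueError("at least one purpose must be selected")
        unknown = chosen - PURPOSES
        if unknown:
            raise ValueError(f"unknown purposes: {sorted(unknown)}")
        token = secrets.token_urlsafe(32)  # 256 random bits: not guessable or enumerable
        self._pending[token] = {
            "email": email.strip().lower(),
            "purposes": chosen,
            "policy_version": policy_version,
            "consent_text": consent_text,
            "requested_at": now,
        }
        return token

    def confirmation_link(self, token):
        """The link to put in the double opt-in confirmation email."""
        return CONFIRM_URL + token

    def confirm(self, token, now=None):
        """Step 2: the link was clicked. Returns the ConsentRecord, or None if the token
        is unknown, already used, or older than TOKEN_TTL_SECONDS."""
        now = time.time() if now is None else now
        entry = self._pending.pop(token, None)  # pop: a token can only be used once
        if entry is None:
            return None
        if now - entry["requested_at"] > TOKEN_TTL_SECONDS:
            return None  # the address was never verified in time; nothing is stored
        record = ConsentRecord(confirmed_at=now, **entry)
        self._confirmed[record.email] = record
        return record

    def all_subscribers(self):
        """The master list: everyone who completed both steps."""
        return sorted(self._confirmed)

    def subscribers_for(self, purpose):
        """A per-purpose list, e.g. the 'Newsletter A subscribers' list."""
        return sorted(e for e, r in self._confirmed.items() if purpose in r.purposes)

    def withdraw(self, email, purpose):
        """Unsubscribe from one purpose; consent for the other purposes is untouched."""
        record = self._confirmed.get(email)
        if record is None or purpose not in record.purposes:
            return False
        remaining = record.purposes - {purpose}
        if remaining:
            self._confirmed[email] = dataclasses.replace(record, purposes=remaining)
        else:
            del self._confirmed[email]  # no consent left: drop from the master list too
        return True


if __name__ == "__main__":
    store = ConsentStore()
    tok = store.request_subscription("alice@example.com", ["newsletter_a"],
                                     "2024-05", "I agree to receive:")
    print("send this link by email:", store.confirmation_link(tok))
    print("confirmed:", store.confirm(tok))
    print("newsletter_a list:", store.subscribers_for("newsletter_a"))
```

The design choice worth noting is that the only thing sent to the subscriber is the random token, never the email address or the chosen purposes, so a confirmation link cannot be edited to subscribe someone else or to add a purpose that was not ticked. In a real deployment the store would be a database table and the consent record would also carry the form identifier and the source IP, both of which Brevo's forms record for you.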
Step 4: Select your master list
At the Lists step, select the master list you previously created that will store all the subscribers who submitted your subscription form.
✅ Checklist for a GDPR-compliant subscription form
To ensure that your subscription form complies with the GDPR, you can use the following checklist:
- Use clear, plain, and easy-to-understand language.
- Clearly state the type of data collected and the reason for its collection.
- Request consent separately for each specific purpose (e.g., informative or promotional).
- Ask users to actively give their consent.
- Do not use pre-ticked boxes.
- Inform individuals that they can unsubscribe at any time.
- Ensure there are simple and effective mechanisms in place for unsubscriptions.
- Include a link to your privacy policy that provides details on how data is processed.
⏩ What's next?
- Why use a double opt-in subscription form?
- How to reconfirm your contacts’ consent to ensure GDPR compliance
🤔 Have a question?
If you have a question, feel free to contact our support team by creating a ticket from your account. If you don't have an account yet, you can contact us here.
If you’re looking for help with a project using Brevo, we can match you with the right certified Brevo expert partner.