Do I Need a Checkbox on My Contact Form? UK GDPR

Do I Need a GDPR Contact Form Checkbox?

A lot of UK small business sites, especially ones built on Wix or Squarespace, add a GDPR contact form checkbox to every form just to be safe. Others leave it out entirely. Both can be off the mark; it really depends on how you plan to use the data.

Here’s how to tell when you need a checkbox, and what to put on your form if you don’t. This is where a lot of people overcomplicate things.

Do I need consent to process enquiries from a contact form?

For a standard enquiry form where you are only using the data to reply, you do not need consent, and a checkbox is not required.

Under UK GDPR, you need a lawful basis to process personal data. When someone contacts you with a question and you respond, ‘legitimate interests’ applies. If someone fills in your form asking for a quote or more information, replying to them is just part of running your business. You do not need to ask permission for that. What you do need is a short privacy notice near the form and a link to your full privacy policy.

The broader picture, what GDPR requires across your whole website, is covered in How to Make Your Small Business Website GDPR Compliant.

What wording should I use near my contact form?

In most cases, all you need is a simple line next to the button explaining what you’ll do with their details, nothing complicated.

For example: ‘We’ll use your details to reply to your enquiry. See our privacy policy.’ You’ll see this type of wording on a lot of well-set-up small business sites. That’s usually enough: it explains what happens to their data and points to the full policy if they want more detail. Most people won’t even click it, but it needs to be there. One sentence and a link is all you need for a basic enquiry form.

Avoid writing ‘by submitting this form you agree to our terms and conditions.’ That is not a valid consent mechanism and does not meet the transparency requirement properly.

When do I need a GDPR contact form checkbox?

You need a checkbox if you’re planning to do more than reply. Usually this means adding someone to a mailing list or sending marketing emails later.

If you’re planning to follow up with newsletters, offers, or any kind of marketing after the initial enquiry, you’ll need explicit consent. For example, sending a quote is fine, but adding that person to your monthly email list isn’t unless they’ve opted in. A checkbox saying ‘Tick here if you’d like to receive marketing emails from us’, unticked by default and separate from the main submission, is the correct mechanism. Keep the checkbox focused on marketing only, separate from your terms. Make sure people actively choose it; it shouldn’t be bundled in or pre-selected.

If you are unsure about using contact form leads for your mailing list, ‘Can I Add Contact Form Leads to My Mailing List? UK GDPR’ covers that question in full.

Does a pre-ticked box count as consent?

No, a pre-ticked box is not valid consent under UK GDPR.

The ICO has been pretty clear about this in its guidance. Consent requires a positive opt-in: the person must actively choose it. If a box is pre-ticked and someone just leaves it as-is, that doesn’t count as a real choice. Marketing emails sent on the basis of a pre-ticked consent are sent without a valid lawful basis. This catches a lot of people out, especially on older website templates. If the ICO received a complaint about your mailing practices, a pre-ticked box would not protect you.

The fix is simple: if you have a consent checkbox, make sure it starts unticked.

What about booking forms and callback requests?

The same logic applies to booking forms and callback requests. Legitimate interests cover the actual booking or callback, but not follow-up marketing.

If someone books an appointment, you can process that data to manage the booking and send a confirmation. You cannot send them a promotional newsletter unless they specifically opted in. Adding a separate optional marketing checkbox to a booking form is the cleanest approach. It keeps the two uses visibly separate, which protects you if questions arise later.

Need to check whether your contact forms and privacy policy are set up correctly right now? Run your website through our free compliance checker.

Contact forms set up correctly from day one

Duport builds professional websites for UK small businesses. Every site includes legal pages drafted for your business (privacy policy, cookie notice, and terms and conditions) and a contact form set up properly from the start.

Duport’s website build starts from £360. Mention this article when you get in touch and we’ll honour the £144 rate.


FAQs

  • Can I add a generic ‘I agree to the privacy policy’ checkbox instead of a specific consent checkbox?

That helps with transparency, but it doesn’t give you permission to send marketing emails. A general agreement isn’t enough; you need a specific, standalone opt-in.

  • Does legitimate interests mean I never need consent?

Not for everything. Legitimate interests covers replying to enquiries, but it does not cover sending marketing. For marketing, you need explicit consent via a specific opt-in.

  • What if someone verbally asks to be added to my mailing list?

A clear verbal or written request can count as consent, but keep a record of it and be specific about what they are consenting to. A checkbox on your form is cleaner and easier to document.

  • Is my Wix or Squarespace website legally compliant in the UK?

Not automatically. UK law requires your website to include a privacy policy, a cookie notice, clear terms and conditions, and specific business information, such as your registered company name and number if you’re a limited company. Most website builders include template pages for some of these, but they don’t check whether your content is accurate or complete. Use our free website compliance checker to see what your site has and what it’s missing.