Explore our Digital Marketing Strategy and Planning Toolkit

GDPR: Example privacy policies and consent forms

Author's avatar By Dave Chaffey 09 May, 2018
Essential Essential topic

Examples of GDPR compliant privacy notices and email opt-in forms

We've now been covering the implications of the GDPR for marketers and their audiences since 2015 on Smart Insights with many articles contributed by guest experts specialising in privacy law for marketing.

Initially, there was a lot of speculation and it was difficult to provide practical examples since ultimately what businesses need to know is to how to update their forms for collecting email addresses and the copy explaining consent for communications in their privacy statement. As the Information Commissioners Office provided more guidance there were some simple sample examples provided in templates, but these didn't cover the range of situations where businesses in different sectors needed to implement them.

Today, as we fast approach the deadline, we can learn from the examples of larger companies who have implemented new forms and privacy notices. We don't know they are GDPR compliant in that they haven't been independtly assessed, but the examples we give here are large businesses who will have taken advice from specialist lawyers.

In this article, we don't explain the concepts of personal data, consent and legitimate interests, those are covered in our members guide and likely you are familiar with them already, so we'll concentrate on the examples. We will start with privacy statements and then look at forms and copy asking for consent.

Privacy policy examples

Your privacy Policy can no longer be something that only your lawyers will understand. The GDPR requires information to be transparent, simple to understand for the intended audience and accessible. You’ll need to consider both your layout and your language.

Here are our examples of good practice

Example 1:

AA Privacy notice

This example follows the structure of the GDPR and references features like 'legitimate interests'. We like it since it is clearly written for the end user, transparent about the data sources and use and clearly structured. However, it is long due to the importance of different types of data processing in insurance products.

Structure of AA privacy statement:

  • 1. Background
  • 2. What kinds of personal information about you do we process?
  • 3. What is the source of your personal information?
  • 4. What do we use your personal data for?
  • 5. What are the legal grounds for our processing of your personal information (including when we share it with others)?
  • 6. When do we share your personal information with other organisations?
  • 7. How and when can you withdraw your consent?
  • 8. Is your personal information transferred outside the UK or the EEA?
  • 9. How do we share your information with credit reference agencies?
  • 10. How do we share your information with Fraud Prevention Agencies?
  • 11. What should you do if your personal information changes?
  • 12. Do you have to provide your personal information to us?
  • 13. Do we do any monitoring involving processing of your personal information?
  • 14. What about other automated decision making?
  • 15. For how long is your personal information retained by us?
  • 16. What are your rights under data protection laws?
  • 17. Your right to object
  • 18. What are your marketing preferences and what do they mean?

Under legitimate interests, it covers marketing communications specifically:

i) For direct marketing communications and related profiling to help us to offer you relevant products and services, including deciding whether or not to offer you certain products and service. We will send marketing to you by SMS, email, phone, post and social media and digital channels (for example, using Facebook Custom Audiences and Google Custom Match.

It's interesting that it specifically mentions the options available from Facebook and Google to enable uploading of customer lists to find lookalike audiences and for retargeting based on email address.

Example 2:

Facebook Data Policy

You will know that Facebook has a strong need to be transparent about its privacy. We have chosen this example for the structure, similar to the A, which explains privacy in an easy to understand way.  It's very different from previous Data Protection Act notices from Facebook and others which were more legal in tone and near unintelligible.

Profiling form examples seeking consent

Example A. Lead generation / lead magnet example form


This example follows the requirements of the law closely since it doesn't require you to opt-in to future communications in order to receive the offer. It shows you don't have to use a tickbox instead using a radio button. Tests referenced by Tim Watson in his well-worth-a-read post giving example GDPR consent forms shows that radio buttons can perform better than the more traditional opt-in tick-box.

Example B. B2B Email newsletter sign-up

While this example illustrates compliance well, it is arguable whether it is needed if you  bundle additional resources or explain the range of communications will receive. The discussion on Tim's blog gives the example of his own opt-in at the foot of articles.

Example C. Retail.

Sainsbury Grocery

This example also includes an affirmative action based on selecting a radio button. It also follows good practice since it has a compelling description of what's available. Not simply 'Receive marketing communications', but detailing the types of offers and coupons available. Retailers are in a strong position since they can offer these incentives.

Note that it can be argued under the Privacy and Electronic Communications Regulations that opt-in is achieved 'during course or negotiations for sale' and this an additional tick-box is unnecessary. For example, at the time of writing Amazon UK doesn't give a choice. It would be interesting if the Information Commissioner went after Amazon for failing to give this guidance.

Example D. Retail, part of a larger group


Since Tesco Grocery may want to share customer data with other parts of the group which are not for 'similar products and services' in the words of the PECR, Tesco asks for sign-in to the Tesco Group. It has pre-ticked the box,  presumably on the basis that is during the course of negotiations for sale.

Example E. Publisher

Economist Free Email newsletter sign-up

This example is complex since the Economist wants to distinguish from signing up for the enewslettter and other communications. Both use a different implicit format to gain consent which isn't straightforward to understand since you have to opt-out in a different way. However, they are transparent about types of communications.

And that's our final example. I hope these have proved interesting and useful to benchmark against your approach. For further discussion do let us know on social media, especially our Facebook members' group.

Author's avatar

By Dave Chaffey

Digital strategist Dr Dave Chaffey is co-founder and Content Director of online marketing training platform and publisher Smart Insights. 'Dr Dave' is known for his strategic, but practical, data-driven advice. He has trained and consulted with many business of all sizes in most sectors. These include large international B2B and B2C brands including 3M, BP, Barclaycard, Dell, Confused.com, HSBC, Mercedes-Benz, Microsoft, M&G Investment, Rentokil Initial, O2, Royal Canin (Mars Group) plus many smaller businesses. Dave is editor of the templates, guides and courses in our digital marketing resource library used by our Business members to plan, manage and optimize their marketing. Free members can access our free sample templates here. Dave is also keynote speaker, trainer and consultant who is author of 5 bestselling books on digital marketing including Digital Marketing Excellence and Digital Marketing: Strategy, Implementation and Practice. In 2004 he was recognised by the Chartered Institute of Marketing as one of 50 marketing ‘gurus’ worldwide who have helped shape the future of marketing. My personal site, DaveChaffey.com, lists my latest Digital marketing and E-commerce books and support materials including a digital marketing glossary. Please connect on LinkedIn to receive updates or ask me a question.

This blog post has been tagged with:

Implications of the GDPR for marketing in UK and Europe

Recommended Blog Posts