Forms · March 2026 · 6 min read

6 GDPR Checks For Every Web Form Before You Go Live

Forms are where most data collection actually happens. A contact form, a checkout, a newsletter signup — each one is a personal data collection point that needs to meet specific GDPR requirements. Six checks, applied to every form, catch the majority of issues.

Check 1: Is the Consent Checkbox Unchecked by Default?

Any checkbox requesting consent for marketing communications must be unchecked by default. Pre-ticked boxes are explicitly invalid under GDPR — they don't constitute a "clear affirmative action."

This applies to marketing consent specifically. For legal bases other than consent (like a terms of service agreement required to complete a purchase), the rules are different — though even there, pre-ticked boxes for non-essential elements are problematic.

Note that contact forms and enquiry forms collecting data to respond to someone's question don't necessarily need a consent checkbox — you have a legitimate interest or contractual basis for processing a reply. You do need a privacy policy link. The consent checkbox is specifically for adding people to marketing communications.

Check 2: Is the Purpose Stated Clearly and Honestly?

The form should make clear what happens when someone submits it. "Send message" is honest if you're going to respond and not add them to a list. "Subscribe" is honest if you're going to send a newsletter. "Get a quote" that then triggers a 12-email nurture sequence is not what the user expected. These kinds of UI tactics fall into the category of dark patterns that regulators are actively fining.

Purpose limitation (Article 5(1)(b)) means you can only use the data for the purpose you stated. Collecting an email via a contact form and then adding it to your marketing list without separate consent is a violation.

Check 3: Is There a Privacy Policy Link?

Every form that collects personal data must link to your privacy policy. GDPR Article 13 requires that individuals are informed at the time of collection about how their data will be used. The privacy policy link in your footer doesn't satisfy this — it needs to be near the form.

A simple "By submitting this form, you agree to our [Privacy Policy]" line near the submit button handles this. The link must be clickable and lead to an actual, current privacy policy.

Check 4: Are You Collecting Only Necessary Data?

Data minimisation (Article 5(1)(c)) requires that only data which is adequate, relevant, and limited to what's necessary is collected. Go through every field in your form and ask: why do we need this?

Common over-collection on forms: asking for a phone number on a newsletter signup when you'll never call. Asking for company name and job title on a free download form. Asking for date of birth when you only need age verification. Asking for full address when you just need country.

If you can't articulate why you need a specific field, remove it. This also improves conversion rates — shorter forms convert better.

Check 5: Is Data Encrypted in Transit and at Rest?

GDPR Article 32 requires appropriate technical security measures. For web forms, the minimum is:

Check 6: Is There a Deletion Mechanism?

Whatever data your forms collect, you need a way to delete it when someone requests it. This is more practical than it sounds: if your contact form submissions go into a database, you need admin tooling to find and delete a specific person's record. If they go into a spreadsheet, you need to know which sheet and how to remove a row.

The mechanism doesn't need to be automated for low-volume forms — a manual process is fine. But it must exist, and someone must be responsible for it. Your privacy policy should describe how people can request deletion of their form submission data.
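The admin tooling described above, as an added example that is not part of the original post: a small Python script (standard library only) that seeds an in-memory SQLite database with constructed form submissions, lists every table holding a given person's records, deletes them, and writes an erasure log that stores only a hash of the email rather than the email itself. The table names, columns and sample rows are assumptions for the demonstration, not a real schema.

```python
"""Find-and-delete tooling for form submission data (Check 6), added example."""
import hashlib
import sqlite3
from datetime import datetime, timezone

# Hypothetical schema: one table per form that stores personal data, plus an
# erasure log that keeps a hash of the email so the log itself holds no PII.
SCHEMA = """
CREATE TABLE contact_submissions (
    id INTEGER PRIMARY KEY, email TEXT NOT NULL, name TEXT, message TEXT, submitted_at TEXT);
CREATE TABLE newsletter_signups (
    id INTEGER PRIMARY KEY, email TEXT NOT NULL, consent_at TEXT);
CREATE TABLE erasure_log (
    id INTEGER PRIMARY KEY, email_hash TEXT NOT NULL, table_name TEXT NOT NULL,
    rows_deleted INTEGER NOT NULL, erased_at TEXT NOT NULL);
"""

# Every table a form writes personal data into. Keeping this list explicit is the
# point of the check: if a new form lands in a new table, it must be added here.
SUBMISSION_TABLES = ("contact_submissions", "newsletter_signups")


def open_demo_db() -> sqlite3.Connection:
    """Create the schema and insert constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO contact_submissions (email, name, message, submitted_at) VALUES (?, ?, ?, ?)",
        [
            ("alice@example.test", "Alice", "Question about pricing", "2026-03-01T10:00:00Z"),
            ("Alice@Example.test", "Alice", "Follow-up", "2026-03-02T09:30:00Z"),
            ("bob@example.test", "Bob", "Support request", "2026-03-02T11:15:00Z"),
        ],
    )
    conn.executemany(
        "INSERT INTO newsletter_signups (email, consent_at) VALUES (?, ?)",
        [("alice@example.test", "2026-03-01T10:01:00Z")],
    )
    conn.commit()
    return conn


def find_submissions(conn: sqlite3.Connection, email: str) -> dict:
    """Return {table: row_count} for a person's records (case-insensitive email match)."""
    counts = {}
    for table in SUBMISSION_TABLES:  # fixed identifiers, never user input
        row = conn.execute(
            f"SELECT COUNT(*) FROM {table} WHERE lower(email) = lower(?)", (email,)
        ).fetchone()
        counts[table] = row[0]
    return counts


def erase_submissions(conn: sqlite3.Connection, email: str) -> dict:
    """Delete a person's records from every submission table and log the erasure."""
    email_hash = hashlib.sha256(email.strip().lower().encode()).hexdigest()
    erased_at = datetime.now(timezone.utc).isoformat()
    deleted = {}
    for table in SUBMISSION_TABLES:
        cur = conn.execute(
            f"DELETE FROM {table} WHERE lower(email) = lower(?)", (email,)
        )
        deleted[table] = cur.rowcount
        conn.execute(
            "INSERT INTO erasure_log (email_hash, table_name, rows_deleted, erased_at) "
            "VALUES (?, ?, ?, ?)",
            (email_hash, table, cur.rowcount, erased_at),
        )
    conn.commit()
    return deleted


def erasure_log_entries(conn: sqlite3.Connection) -> int:
    """Number of audit rows written by erasure requests."""
    return conn.execute("SELECT COUNT(*) FROM erasure_log").fetchone()[0]


if __name__ == "__main__":
    db = open_demo_db()
    print("before:", find_submissions(db, "alice@example.test"))
    print("deleted:", erase_submissions(db, "alice@example.test"))
    print("after:", find_submissions(db, "alice@example.test"))
```

The case-insensitive match matters in practice: the same person often submits with different capitalisation, and a deletion that misses one row is an incomplete erasure. Logging a hash rather than the address lets you evidence that a request was handled without the log becoming a new store of the data you just deleted.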

Form type specifics

  • Contact forms: Privacy policy link near submit. Legal basis: legitimate interest (responding to enquiry). No marketing consent needed for the reply.
  • Newsletter signups: Unchecked consent checkbox, specific purpose, privacy link. Double opt-in recommended for evidence.
  • Checkout forms: Separate unchecked checkbox for marketing (not bundled with T&C). Privacy link. Minimum necessary data fields.
  • Lead magnet downloads: Clear on whether downloading triggers marketing emails. Separate consent for email follow-up vs the download itself.
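The kind of automated scan the post describes for Checks 1, 3 and 5 (pre-ticked consent checkbox, privacy policy link inside the form, and whether the form submits over HTTPS) can be implemented as a static audit of form markup. The following Python script is an added example, not the post's scanner and not code from any project; it uses only the standard library, and the two sample forms, the page URL and the keyword lists used to recognise consent checkboxes and privacy links are constructed assumptions.

```python
"""Static audit of HTML forms against Checks 1, 3 and 5, added example."""
from dataclasses import dataclass, field
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Heuristic: a checkbox whose name/id mentions one of these is treated as a
# marketing consent box (assumption for the demo; tune per site).
CONSENT_HINTS = ("consent", "marketing", "newsletter", "subscribe", "optin", "opt_in", "opt-in")


@dataclass
class FormReport:
    action: str                                   # absolute submit URL
    fields: list = field(default_factory=list)    # visible inputs, for the Check 4 review
    preticked: list = field(default_factory=list) # consent checkboxes carrying `checked`
    privacy_link: bool = False                    # an <a> to a privacy policy inside the form


class FormAuditor(HTMLParser):
    """Walks the markup and builds one FormReport per <form>."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.reports: list[FormReport] = []
        self._current: FormReport | None = None
        self._in_link = False
        self._link_href = ""
        self._link_text: list[str] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # Relative or empty actions resolve against the page URL (Check 5).
            self._current = FormReport(action=urljoin(self.page_url, a.get("action") or ""))
            return
        if self._current is None:
            return
        if tag == "input":
            itype = (a.get("type") or "text").lower()
            name = a.get("name") or a.get("id") or "<unnamed>"
            if itype == "checkbox":
                # A bare `checked` attribute parses as key present with value None.
                if "checked" in a and any(h in name.lower() for h in CONSENT_HINTS):
                    self._current.preticked.append(name)
            elif itype not in ("hidden", "submit", "button"):
                self._current.fields.append(name)
        elif tag in ("textarea", "select"):
            self._current.fields.append(a.get("name") or a.get("id") or "<unnamed>")
        elif tag == "a":
            self._in_link = True
            self._link_href = a.get("href") or ""
            self._link_text = []

    def handle_data(self, data):
        if self._in_link:
            self._link_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._in_link:
            text = "".join(self._link_text).lower()
            if self._current and ("privacy" in self._link_href.lower() or "privacy" in text):
                self._current.privacy_link = True
            self._in_link = False
        elif tag == "form" and self._current is not None:
            self.reports.append(self._current)
            self._current = None


def findings(report: FormReport) -> list[str]:
    """Turn a report into human-readable issues keyed by the post's check numbers."""
    issues = []
    for name in report.preticked:
        issues.append(f"check1: consent checkbox '{name}' is pre-ticked")
    if not report.privacy_link:
        issues.append("check3: no privacy policy link inside the form")
    scheme = urlparse(report.action).scheme
    if scheme != "https":
        issues.append(f"check5: form submits over {scheme or 'unknown'}, not https")
    return issues


def audit_forms(html: str, page_url: str) -> list[tuple[FormReport, list[str]]]:
    parser = FormAuditor(page_url)
    parser.feed(html)
    parser.close()
    return [(r, findings(r)) for r in parser.reports]


# Constructed sample page: one failing newsletter form, one passing contact form.
PAGE_URL = "https://example.test/contact"
SAMPLE_HTML = """
<form action="http://example.test/subscribe" method="post">
  <input type="email" name="email"> <input type="tel" name="phone">
  <label><input type="checkbox" name="marketing_optin" checked> Send me offers</label>
  <button type="submit">Subscribe</button>
</form>
<form action="/contact" method="post">
  <input type="text" name="name"> <input type="email" name="email">
  <textarea name="message"></textarea>
  <p>By submitting this form, you agree to our <a href="/privacy">Privacy Policy</a></p>
  <button type="submit">Send message</button>
</form>
"""

if __name__ == "__main__":
    for report, issues in audit_forms(SAMPLE_HTML, PAGE_URL):
        print(report.action, report.fields, issues or "OK")
```

The `fields` list is not a finding on its own; it is the list you walk through for Check 4, asking why each field exists (the sample newsletter form collects a phone number it will never use). A static scan like this cannot tell whether a "Get a quote" form later triggers a nurture sequence, so Check 2 still needs a human reading the privacy policy against what the backend actually does.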

Scan your site for form compliance issues

Run a free GDPR scan to detect missing consent checkboxes, absent privacy links, and HTTPS issues on your forms.
