You have your Privacy Policy ready and available to your users, but for it to be legally effective you need your customers to agree to it.

An "I Agree to Privacy Policy" checkbox is a simple, non-intrusive way to collect consent from all your site visitors. They offer information, require affirmative action, and are easy to deploy to all your users regardless of where they are on your site.

Why are checkboxes the gold standard in privacy consent? We'll show you why you should use checkboxes on your site and where they work best. Stick around for some examples of sites that make the most of this type of consent mechanism and see how you can do the same.


Consent is the hot topic of the day, and new laws like the General Data Protection Regulation (GDPR) now require data controllers and processors to have the consent of data subjects before they even collect certain types of data for processing.

Before 2018, consent was murky business in the digital world. A common way of getting consent was by relying on implied consent: "If you use my site, then you automatically agree to my rules." Implied consent doesn't work anymore.

The GDPR out of the EU created new and reinforced old rules about the way we accept consent to agreements, and consent mechanisms around the world have changed accordingly.

When it comes to consent, the GDPR continues to be precise in its wording:

If you want to meet the standards of valid consent, the consent data subjects provide needs to be:

  1. Freely-given
  2. Specific
  3. Informed and unambiguous
  4. Come in the form of a statement of clear affirmative action

Privacy laws require clear consent, and that means no more browsewrap.

Browsewrap was the previously traditional format of achieving consent. Using one meant linking to your Privacy Policy at the footer of your page and noting within your Privacy Policy (and/or Terms of Service) that users are bound by the agreement when they use the site.

Instead, clickwrap is the new standard. Clickwrap agreements require the user to participate in a clear and affirmative action when they agree to your Privacy Policy. They also allow the user to exit the agreement and deny consent for processing, which is their right under the GDPR.

Clickwrap not only keeps you compliant with privacy laws like the GDPR, but it's just better for business. Thanks to clear, specific, and informed consent, a clickwrap agreement is legally enforceable whereas a browsewrap one rarely holds up in a dispute.

How to Use Checkboxes Around Your Site

How to Use Checkboxes Around Your Site

Checkboxes offer an opportunity to comply with the law and ensure you only collect data from people who freely give their informed consent. Data provided happily by your visitors is far more valuable than what you might otherwise collect through less transparent means. Why? Visitors who freely hand over their data want something from you and offer more value to your data processing.

You can offer an opportunity to consent to your Privacy Policy almost anywhere on your site, but there are four places that work best:

  1. Account registration forms
  2. Checkout/payment processing pages
  3. Email signup forms
  4. Contact forms

Why do they work better than other places? These are all places where you're guaranteed to be collecting at least one piece of legally-protected information (such as an email address, name, or financial information), and thus obtaining consent here is contextually important.

Let's look at each of these places in greater detail.

Account Registration Forms

Account Registration Forms

If you allow customers to create a personal account on your site, you'll need them to comply both with your Privacy Policy and your Terms & Conditions. Account registration presents a great opportunity to ask for valid consent before you process any data.

Too Good To Go provides a helpful example of the checkbox on its account registration page. To sign up, you must check the "I agree" box for the Terms & Conditions and Privacy Policy and then the Sign Me Up button. That means all account holders took two actions before handing over their data for processing:

Too Good to Go app sign-up screen with checkbox to agree to Terms and Conditions and Privacy Policy

Snappa does the same thing on its account registration pop-up form.
New users can't create an account without first agreeing to the Privacy Policy and Terms and Conditions by actively checking a box:

Snappa Create Account form with checkbox to agree

Living Clean use multiple checkboxes on its form. The first allows users to opt-in to the newsletter, which is a very GDPR-friendly move given the law's focus on email marketing. The second checkbox links to the Privacy Policy and specifically mentions data handling.

Living Clean account register form with checkboxes

Checkout/Payment Processing Pages

Checkout - Payment Processing Pages

Even if you require an account and acceptance of your Privacy Policy and Terms & Conditions just to reach the checkout phase, it doesn't hurt to add a checkbox here, too.

Because you must update your Privacy Policy every time you make a substantive change to your data processing, some of your account holders will have accepted the previous Privacy Policy but may not have yet consented to the most recent updates.

By adding an evergreen link to your Privacy Policy and requiring consent before each new substantial transaction, you ensure that even your oldest customers accept your most recent Privacy Policy updates.

Ryanair adds a catch-all checkbox at the very end of its checkout process. In order to pay for their basket, customers must actively tick the box and accept Ryanair's terms including the Privacy Policy:

Ryanair checkout page with checkbox

In this case, the consent for the Privacy Policy is superfluous because you need to create an account to reach this point. However, it does provide a back-stop mechanism in the event that Ryanair updates its Privacy Policy because it users to accept the new terms each time they make a purchase.

HostGator also added a checkbox for users to agree to its Privacy Policy on its checkout page. It also links to both its Terms of Service and Cancellation policy, which is helpful given that it sells subscription services:

HostGator checkout now page with checkbox for legal agreements

Even retailer H&M added a checkbox to its checkout page. It acknowledges that H&M must process data in order to update your account and process your order, and linking to the Privacy Policy demonstrates how it intends to process that data:

H and M checkout page with Agree to Privacy Notice checkbox

Fintech firm Transferwise uses a similar approach when it processes a new transaction. Although you can only use Transferwise with a verified account, you must still accept the Privacy Policy and Terms of Use each time you make a transfer:

Transferwise Agree checkbox

Note that these companies link to their respective Privacy Policies for maximum transparency. Doing so gives users a chance to review on their own terms before completing a transaction.

Email Sign-up Forms

Email Sign-up Forms

You have a few options here.

You can add a checkbox asking new subscribers to agree to your Privacy Policy.

Alternatively, you can add multiple mechanisms, which you may find beneficial given the nature of email and email marketing.

Neil Patel, marketing extraordinaire, uses an "I agree to Privacy Policy" checkbox on a pop-up on his site. His use is unique because it is both part of a contest with prizes as well as part of his email marketing funnel that signs users up to his marketing list:

Neil Patel Spin to Win Pop-up: Email address field with checkbox to agree

His checkbox works because it's very transparent. It clearly declares that he needs emails to deliver prizes, but he is also transparent about using the contest to add to his email funnel. Plus, the checkbox needs to be ticked to enter the contest, so he won't capture any data he shouldn't have.

Additionally, he links to both his Privacy Policy and his Terms of Service for full transparency.

Neil takes the same approach in a different pop-up, breaking it down even further. He requests users check a box to agree to receive content and emails from him, as well as to show agreement to the Privacy Policy and other site terms:

Neil Patel sign-up form for email subscriptions with I Agree checkboxes

Breaking your checkboxes down in a granular way is a good idea and helps you stay in compliance with some strict privacy laws like the GDPR. It also gives your users more options, which of course they appreciate.

Contact Forms

Contact Forms

Contact forms are also helpful places to add checkboxes because you not only process data but you use it to contact the data subject directly. Even though a contact form in itself may seem like it provides consent, it is still helpful to add a Privacy Policy checkbox, particularly if you intend to store the data in any way.

The European Tourism Association uses a checkbox on its contact form. Using the "I agree" checkbox here not only legitimizes the contact form as a GDPR-compliant lead gathering tool, but it also forces the data subject to reckon with the idea that the ETOA will contact them if they submit the form:

ETOA contact form with clickwrap checkbox

In today's privacy conscience world, it's not enough to publish a Privacy Policy and base user agreement on their continued use of their site. You need informed and affirmative consent for your Privacy Policy to have any legal meaning.

Checkboxes require a positive action that causes your visitors to slow down, read the text, and check the box to agree to your Privacy Policy before you process data. Adding it at account sign-up, email collection, or before major transactions ensures that you confirm or reconfirm their consent before you process their data.

Remember, new data privacy rules come with hefty fines, so doubling up on consent mechanisms serves both your visitors and your bottom line.