I am not a lawyer, but I have helped about 15 of my customers with those subjects so far, all of them in the EU. Here is what I am now sure of:

It depends on how the opt-in is labelled. People tend to forget that there are in fact 2 opt-ins you need to get from someone when you capture their information:

1. Opt-in to store their data, in accordance with your privacy policy (that should be provided, usually on a separate web page)
2. Opt-in to send them communications, for a list of communications/processes that should be detailed, usually in a separate page

The difficulty with the first one is that if the person does not opt in, you cannot even capture the data. So for this one, making checking the box mandatory to fill out the form is OK. But many (if not most, I have not compiled stats) companies have chosen to remove this opt-in box and just add a mention somewhere in the form (usually below or just above the button).

Regarding the opt-in to receive communications, it's not compliant to force the opt-in, unless you really need it for the service that the person requests by filling out the form. For instance, if the person registers for an event, you cannot force them to receive any communications. Furthermore, the registration by itself authorizes you to send confirmation or reminder emails. But if someone registers to receive a newsletter, you can force the opt-in to receive the newsletter...

-Greg