Looking at yet another of those web registration forms that seems to collect more data than required, it occurred to me that there might be quite a neat way to meet the General Data Protection Regulation’s requirements for positive, recorded consent.
The first step, as with anything under the GDPR, is to think about which information is really necessary to provide the service, rather than optional. Will the service actually break if I tell it I’m a seventeen-year-old wizard called Harry Potter? If not, that information isn’t necessary and consent is the right basis for processing it. The remaining fields should be documented, and processed, under one of the Regulation’s “necessary for…” clauses: most likely “necessary for the performance of a contract”.
For the other, optional, fields, where consent is the appropriate basis, the Regulation requires that this be a positive choice by the user, that providing the information not be a condition of providing the service, that the user’s choice be recorded, and that it be as easy for the user to withdraw consent as to provide it in the first place. Where a field is populated using a drop-down list, that could be as simple as providing a “prefer not to say” option and making that the default. If something else appears in the user’s submission, you know that’s a result of them having made a positive choice to change the default. Similarly for free-text entry, the form field should be empty by default, with the user allowed to leave it that way.
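One way the server side of such a form could work, as an added example that is not from the original post: the field names, default values, consent-log format and the `withdraw` helper are all assumptions made for illustration.

```python
from datetime import datetime, timezone

# Hypothetical form definition (names and defaults are assumptions).
NECESSARY = {"email", "password"}        # "necessary for the performance of a contract"
OPTIONAL_DEFAULTS = {                    # processed on the basis of consent
    "age_range": "prefer_not_to_say",    # drop-down: default option is pre-selected
    "occupation": "",                    # free text: empty by default
}

def _stamp(field, action, now):
    """Build one consent-log entry with a UTC timestamp."""
    now = now or datetime.now(timezone.utc)
    return {"field": field, "action": action, "at": now.isoformat()}

def process_submission(form, now=None):
    """Return (necessary data, consented optional data, consent log)."""
    missing = sorted(f for f in NECESSARY if not form.get(f))
    if missing:
        raise ValueError(f"missing necessary fields: {missing}")
    necessary = {f: form[f] for f in NECESSARY}
    optional, consent_log = {}, []
    # Only declared fields are read, so anything else in the request is dropped.
    for field, default in OPTIONAL_DEFAULTS.items():
        value = (form.get(field) or "").strip()
        # A value that differs from the default is the user's positive choice.
        if value and value != default:
            optional[field] = value
            consent_log.append(_stamp(field, "given", now))
    return necessary, optional, consent_log

def withdraw(optional, consent_log, field, now=None):
    """Withdraw consent for one optional field: delete the value, log the change."""
    if field in optional:
        del optional[field]
        consent_log.append(_stamp(field, "withdrawn", now))
    return optional, consent_log

if __name__ == "__main__":
    # Constructed sample submission.
    sample = {"email": "hp@example.org", "password": "x",
              "age_range": "prefer_not_to_say", "occupation": "wizard"}
    print(process_submission(sample))
```
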