Lead generation is the core of most EU performance marketing programmes — and one of the most frequently misconfigured GDPR scenarios. The gap between a form that converts and a form that is compliant is usually not a major redesign. It's one or two sentences in the copy, and a checkbox.
This guide explains what GDPR actually requires in lead generation copy and forms, which lawful basis applies in different lead-gen scenarios, and where the most common gaps are.
Why lead generation is a GDPR flashpoint
Lead generation involves collecting personal data (email, name, phone, company) from individuals who are identified or identifiable — the core definition of personal data processing under GDPR. Every lead form is a data collection point that triggers:
- Article 13 — information obligations at the point of collection
- Article 5 — purpose limitation (the data can only be used for what you said)
- Article 7 — consent requirements if consent is your lawful basis
- ePrivacy Directive — consent for electronic marketing in most EU countries
The transparency requirements of Article 13 alone require that, at the point of collection, you disclose the identity of the data controller, the processing purpose, the legal basis, the retention period, and the user's data subject rights. Most lead forms bury this in a link to a privacy policy. That's not the same as disclosing it.
1. Choosing the right lawful basis for lead gen
Consent is appropriate when:
- You're collecting data specifically for marketing and the user has no prior relationship with you
- You're sending electronic direct marketing to individuals (required under ePrivacy in most EU countries)
- The data collected is sensitive or unexpected
Valid consent for lead gen requires an unticked checkbox (or equivalent active action), specific language about the processing purpose, and the ability to withdraw consent easily. "By submitting you agree to our privacy policy" is not consent — it's notification.
Legitimate interest is appropriate when:
- You're doing B2B outreach to professional email addresses of people with a clear relevant role
- You're following up on a clear commercial interaction (quote request, demo booking, free trial sign-up) where follow-up communication is expected
- You can document the balancing test showing your interest outweighs the individual's privacy rights
Legitimate interest is not a fallback when consent is hard to get. The balancing test is a genuine analysis, and individuals retain the right to object to legitimate interest processing at any time.
2. What a compliant lead form must include
At minimum, a GDPR-compliant lead form must:
- Name the data controller — the legal entity that will hold and process the data, not just a brand name
- State the specific purpose — "We'll email you a quote and add you to our monthly newsletter" not "we'll be in touch"
- Reference the lawful basis — "We process your data under legitimate interest / with your consent (tick the box)"
- Provide a retention statement — "We retain your data for 24 months or until you unsubscribe"
- Link to the full privacy policy — a link is required, but it doesn't replace on-form disclosure
- Give an unsubscribe path — users must be able to opt out of marketing as easily as they opted in
This doesn't have to be a wall of text. A two-sentence disclosure under the submit button and an unticked consent checkbox covers most B2C scenarios:
Legalify will use your email to send the quote you requested and occasional product updates. You can unsubscribe at any time. [Privacy policy]
☐ I'd also like to receive GDPR compliance tips and product updates (optional)
3. Gated content: the legitimate interest alternative
Gating content (whitepapers, reports, checklists) behind an email form is a standard lead-gen tactic that creates a specific GDPR problem: if the email is required to access the content, any marketing consent given at that point is arguably not freely given under Article 7(4) — it's conditional on access.
The common workaround is legitimate interest:
- Provide the content freely (or gate lightly with a landing page description)
- Collect emails with transparent disclosure that follow-up communication is for commercial purposes
- Document the legitimate interest balancing test
- Make opt-out easy in every email
This approach typically performs similarly to hard gating but carries far less legal risk. The tradeoff is slightly lower email volume for better data quality and a defensible lawful basis.
4. B2B lead generation and GDPR
Business-to-business lead generation to work email addresses of company employees sits in a different regulatory space in several EU countries. The ePrivacy rules that require consent for electronic marketing typically apply to natural persons (individuals). In many EU jurisdictions, the individual protection doesn't extend to B2B emails sent to professional roles.
However:
- GDPR still applies to the personal data of employees (their name, title, work email)
- You must still have a lawful basis (legitimate interest is most common)
- You must still provide opt-out rights and honor them
- You must not mix B2B and B2C data without separate records of processing activities
The practical rule: B2B outreach is more flexible on the consent requirement, but GDPR data rights (access, erasure, rectification) still apply to every individual in your CRM, including business contacts.
5. The most common lead gen copy violations
Bundled consent: "By clicking submit you agree to our terms of service, privacy policy, and marketing communications." Three separate consents bundled into one click. Article 7(4) requires them to be separable.
Vague purpose: "We'll use your information to improve your experience." Not a processing purpose — it's a marketing phrase. GDPR requires a specific, honest statement of what will happen with the data.
Implied consent from submission: No consent checkbox, no disclosure, just a submit button. Treating form submission as consent is explicitly invalid under GDPR Article 4(11).
Inadequate controller identification: "Contact Brand X" when the controller is actually "X Marketing Ltd, registered in Estonia." Users have a right to know who holds their data.
Hidden opt-out: Marketing consent checkbox is ticked by default, or the opt-out is buried in the form below the fold. Consent must be an active choice, not an action required to refuse.
Scan your lead-gen copy before launch
The free GDPR Ad Copy Checker scans ad copy, lead forms, and landing pages for these exact GDPR and advertising-claim signals in seconds — flagging bundled consent, special-category inference, undisclosed third parties, and missing opt-outs, with safer rewrites for each. No login required.
This article is general information, not legal advice. Use it as a risk signal alongside human compliance review.