GDPR Compliant Contact Form

How to make a GDPR Compliant Contact Form.

This post is more for my own future reference than anything else, so I can use it when I need to make a GDPR Compliant Contact Form, but it might be of some help to others too.

I’m sure by now almost everyone in the web industry will have heard about GDPR, so it’s not something I’m going to explain here. If you’re dealing with a more complex type of form then there are many other things that will need to be considered, but that’s beyond the scope of this post.

I’ve read a lot about making forms GDPR compliant, and what’s required changes depending on what the form in question is used for.

In most cases, what I was looking for was a simple reference for what you need to do to make a simple contact form GDPR compliant.

Disclaimer: this is by no means legal advice and is based entirely on my findings of this subject so far. It’s likely that many things could change regarding the law or that plugins could become updated. Please seek proper legal advice on the subject if required and remember to check for the latest WordPress updates.

Acceptance Checkbox

In an effort to keep this super simple, for most basic contact forms to be GDPR compliant, you’re going to need to include an acceptance checkbox.

A condition of GDPR is that you must gain a user’s consent whenever gathering data. This must be their explicit consent, which means it has to be opt-in (rather than a pre-ticked checkbox), it must be separate from any other terms and conditions, and it must make clear why you want the data and what you’re going to do with it.

It could also be argued that it is reasonable to assume that if someone willingly provides you with their contact details, they are okay with you storing their data and contacting them about this request; but at no point have they agreed to receiving marketing emails like newsletters or promotional offers. If you’re taking that attitude then no acceptance checkbox is needed, as long as you never send them newsletters or the like.

Email or Database submissions?

The big question is how you’re handling the form submissions. If they’re not being stored on the server and you’re relying entirely on email responses, then you probably don’t need to tell users that you’re storing their data (because you won’t be). However, I personally think that an acceptance box is best practice: you’ll still potentially be dealing with the data and storing it for a certain period of time via email anyway, so gaining a user’s explicit opt-in and linking to your privacy policy is still good practice.
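As an added example (not code from the original post or from any WordPress plugin), here is how the two points above translate into a form: the consent field is rendered unchecked and on its own, separate from other terms, with a link to the privacy policy; and the server treats the checkbox as a required field, because a browser simply omits an unticked checkbox from the submission. It also goes one step beyond the post by recording the exact consent wording and the time it was given alongside the message, which is what you would rely on later to show consent was obtained. The field names, the consent wording and the privacy-policy path are assumptions for illustration.

```javascript
// Added example, not code from the original post. Field names (`name`, `email`,
// `message`, `consent`), the consent wording and PRIVACY_URL are assumptions.
const CONSENT_VALUE = 'yes';
const CONSENT_TEXT =
  'I agree that this site may store my name, email address and message ' +
  'so that it can reply to my enquiry.';
const PRIVACY_URL = '/privacy-policy/'; // assumed path to the privacy policy

// Markup for the consent field. The input carries no `checked` attribute, so
// the visitor must actively opt in, and it is its own labelled field rather
// than being bundled with other terms and conditions.
function renderConsentField() {
  return (
    '<label>' +
    `<input type="checkbox" name="consent" value="${CONSENT_VALUE}" required> ` +
    `${CONSENT_TEXT} <a href="${PRIVACY_URL}">Privacy policy</a>` +
    '</label>'
  );
}

function isValidEmail(s) {
  return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(s);
}

// Server-side validation of a submitted form body (for example Express's
// req.body). Browsers omit an unticked checkbox from the submission entirely,
// so "absent" and "not the expected value" must both count as no consent.
// `now` is injectable so the consent timestamp is deterministic in tests.
function validateSubmission(body, now = new Date()) {
  const name = String(body.name || '').trim();
  const email = String(body.email || '').trim();
  const message = String(body.message || '').trim();
  const errors = [];
  if (!name) errors.push('name is required');
  if (!isValidEmail(email)) errors.push('a valid email address is required');
  if (!message) errors.push('message is required');
  if (body.consent !== CONSENT_VALUE) errors.push('consent checkbox must be ticked');
  if (errors.length > 0) return { ok: false, errors };
  // Store what was agreed to, and when, next to the data it covers so the
  // consent can be demonstrated later.
  return {
    ok: true,
    record: {
      name,
      email,
      message,
      consent: { text: CONSENT_TEXT, givenAt: now.toISOString() },
    },
  };
}
```

Whatever the form handler does with a valid record (email it, store it, or both), it is the `consent` object that documents the opt-in; the `required` attribute on the input is only a convenience for the visitor and is never a substitute for the server-side check.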

Examples

Below are a few examples of contact form acceptance checkboxes with wording that I like to use.

Multiple examples of acceptance checkboxes that help make a contact form GDPR compliant.

Hopefully this has helped to give a brief overview of what’s needed on a simple GDPR compliant contact form.