How to make privacy-friendly contact forms

You may have already heard of GDPR, the European data protection regulation that will be applicable as of May 25 this year. Although it is an EU law, you will be required to comply with GDPR as long as you are engaged in storing or processing personal data of EU citizens, even if you are not an EU citizen.

“Is Contact Form 7 compliant with GDPR?” We’ve been getting a lot of inquiries like this about GDPR, but unfortunately I don’t have a precise answer. Since I’m not a lawyer, I’m not in a position to say whether a WordPress plugin is compliant with specific legislation or not.

What I can tell you is that we always work to assist using Contact Form 7 in a privacy-friendly manner. We design Contact Form 7 carefully to allow you to make contact forms compliant with the current data protection standards, including GDPR.

The remainder of this post is my personal advice on making privacy-friendly contact forms. A lot of responsibility for making your contact forms GDPR-compliant still lies with you as the webmaster or contact form controller, but you should be able to accomplish it with this advice.

Don’t collect unnecessary data

A privacy-friendly contact form requires minimum information from the submitter.

If your contact form has ten or more input fields, you may find that there are some fields you can actually live without. Review your contact form and remove unnecessary fields.

The less personal data you collect, the smaller the impact of a possible data breach. The golden rule is that, if you are not 100% sure that the data is necessary, just remove the field.

You should also avoid collecting sensitive personal data, such as information about ethnic origin, political opinions, religious or philosophical beliefs, or genetic or biometric data.

Obtaining clear and unambiguous consent in advance of collecting personal data is now considered essential in terms of protecting privacy rights.

Contact Form 7 provides the acceptance form-tag type to represent acceptance checkboxes that are dedicated to confirming the submitter’s consent for a specific condition.

Although an acceptance form-tag can take the default:on option, which makes the checkbox checked by default, using this option isn’t recommended: consent obtained from a pre-checked box isn’t considered adequate under current data protection standards.

Don’t try to hide the conditions for consent in your Terms and Conditions or Privacy Policy document and just confirm the submitter’s consent by a single checkbox for the whole content of the documents. Each condition for how the data will be treated must be described in an unambiguous fashion, and you need to obtain clear consent for each individual item.
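As an added illustration (not from the original post or the Contact Form 7 project), here is a minimal form template that follows the advice above: only the fields needed to answer an inquiry, and one acceptance checkbox per condition, none of them pre-checked. Field names are assumed, and the template assumes a Contact Form 7 version that accepts text inside the acceptance tag and the optional option.

```html
<!-- Only the fields needed to reply to the inquiry -->
<label> Your name (required)
    [text* your-name] </label>

<label> Your email (required)
    [email* your-email] </label>

<label> Your message
    [textarea your-message] </label>

<!-- One acceptance checkbox per condition, each unchecked by default
     (deliberately no default:on). The first is required to submit;
     the second is a separate purpose, so it is marked optional. -->
[acceptance consent-reply] I consent to my name, email address and message being used to reply to this inquiry. [/acceptance]

[acceptance consent-newsletter optional] I also agree to receive the monthly newsletter at this email address. [/acceptance]

[submit "Send"]
```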

When the data subject is a child, you may be required to obtain additional consent from a parent.

Privacy notices

Figure out how personal data collected through the contact form will be processed and stored, and explain the entire data flow in the privacy policy document.

At minimum, be clear on these points:

  • What types of personal data are collected through the contact form?
  • For what purposes are those data necessary?
  • Who can access the data?
  • Are the data stored in some way? If so, where and for how long are they stored?
  • Are the data shared with third-party entities? If so, who are they?
  • In which country will the data be processed?
  • What security measures are taken to protect the data?
  • Can data subjects request exporting or deleting their data?

When someone makes a request to export or delete their personal data, and there is a good reason such as tangible privacy concerns, you’ll need to accede to the request.

The privacy policy should be written in plain language that the data subject can understand. Don’t write it like a legal document or a technical document that is difficult for laymen.

Security considerations

Protect the personal data you’ve collected with appropriate security measures according to current common sense.

For example, serving the entire website over HTTPS, which encrypts the traffic between the client browser and the web server, is now considered common practice. Encrypting the email message itself is also advisable, but is not yet a common practice.

Many people seem to have the misconception that storing data in the database is less secure than sending it via email. In most cases, the security of the email path isn’t that good. Do you know exactly who can access the email? Are you sure that the recipients don’t forward messages to other parties you don’t know? What if their personal computers are not maintained securely and malware is installed? Do you know in which country the mail servers are located? You may be able to make things clearer if you manage the data in the database.

There are cases in which you can reduce the risk by stopping email and storing data only in the database. You can use the Flamingo plugin to store contact form submissions in the database, and Contact Form 7’s skip_mail setting lets the contact form skip the email sending process.

GDPR does not specify what particular security measures should be applied, so the decision is up to you.