WPForms Documentation


How to Create GDPR Compliant Forms

Do you need to check that your forms are compliant with the European Union’s General Data Protection Regulation? The best way to ensure GDPR compliance for your specific site is always to consult legal counsel. In this guide, we’ll discuss general considerations for GDPR compliance in your WordPress forms.

Note: This article contains general information. However, in all circumstances we strongly recommend you consult directly with legal counsel familiar with the GDPR regulations to review your specific use of WPForms.

What is the GDPR?

The GDPR, or General Data Protection Regulation, is a set of data collection regulations in the EU (effective as of May 25, 2018). Requirements under GDPR include obtaining explicit consent before collecting or storing user data, as well as allowing the user to request access to or deletion of that data.

For full details, please see this official guide to GDPR.

Best Practices for GDPR Compliance

While your specific site may require unique considerations that should be addressed through legal consultation, there are a couple of adjustments most sites can make to improve compliance with GDPR.

To get started, we recommend enabling GDPR-specific features within WPForms. You can do this by going to WPForms » Settings.

On the General tab, you can scroll to the section titled GDPR and check the box labeled GDPR Enhancements.

Check the GDPR enhancements box in WPForms Settings

Once this box is checked, you’ll see two additional options appear: Disable User Cookies and Disable User Details.

GDPR enhancement options in WPForms

Note: If you are using WPForms Lite, the Disable User Cookies and Disable User Details options aren’t displayed. This is because the Lite plugin does not use user cookies and does not collect the additional user details described below.

Disable User Cookies

WPForms will, by default, assign every user a UUID (Universally Unique Identifier). The UUID is a random number that does not contain any user information, and is stored in a cookie in the user’s browser.

The UUID cookie is required for several features in WPForms:

When the Disable User Cookies option is checked, these features (if in use) will be disabled and no cookies will be used by WPForms.

Disable User Details

WPForms will automatically collect some additional details when a form is submitted: the user’s IP address and browser user agent.

You can decide to disable this feature site-wide or on a form-by-form basis.

Disable Site-Wide: When the Disable User Details option is checked, none of these extra user details will be collected in any of your forms.

Disable on a Form-by-Form Basis: If you’d prefer, you can control whether user details are stored for each individual form. To do this, you’ll need to leave the site-wide option (described above) unchecked. Then, open the form builder and go to Settings » General.

Near the bottom of this settings screen, you’ll see a checkbox labeled Disable storing user details (IP address and user agent). Checking this box will prevent extra user information from being stored on this individual form.

Disable storing user details within an individual form

Ask for Consent

Before collecting or storing user data under GDPR, you need to request the user’s explicit consent and explain in plain language why you need this information. The easiest way to do this is by adding a checkbox to your form.

When GDPR Enhancements are enabled, a new field will be available in your form builder to assist with this. To find it, you’ll need to create a new form or edit an existing form.

Under the Standard Fields section in the form builder, you’ll see a field named GDPR Agreement. Go ahead and add this field to your form.

GDPR Agreement field in WPForms form builder

There are specific features that make this field different from a standard checkbox agreement:

  1. Always required: This checkbox will always be required, and there is no setting to remove the requirement.
  2. No option to check by default: GDPR requires that a consent box cannot be checked by default. Instead, the user must be allowed to choose whether to check the box.
  3. Only a single checkbox: There is no way to add additional checkbox options to this field.

GDPR Agreement field in WPForms

Note: If you’d like to add a detailed disclaimer or terms of service text to your checkbox, be sure to check out our built-in option for special formatting.

Alternatively, you can link to more detailed policies or terms if you’d prefer.

Be Prepared for Entry Data Requests

Under GDPR, users can request access to their entry data at any time. While your site may need to take additional considerations into account, one way to prepare for this is to provide an easy way for your users to submit these requests.

For example, you may consider adding a data request form to your site’s privacy policy page. Or, you might add this option within your site’s contact form.

If you need to locate entries with a specific name, email, or other keyword(s), you can use the entries search option to quickly narrow down results.

To delete entries, go to WPForms » Entries and select the form you need. Then check the box for any entry you’d like to delete and, within the Bulk Actions dropdown, select Delete.

Delete entries from your site

Note: Once you’ve deleted an entry, it will be completely erased from your site’s database.

If you’d instead prefer to delete all entries for a form at once, the Delete All option provides a quick way to do so.

For more details on entry management for your forms, please see our complete guide to form entries.
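The behaviour described in the sections above (the site-wide versus per-form suppression of IP address and user agent, the always-required and never pre-checked consent box, keyword search for access requests, and entry deletion) modelled as an added Python example. This is not WPForms code: the class and method names, the settings model and the sample entries are hypothetical, chosen only to make the precedence and validation rules concrete.

```python
"""Hypothetical in-memory model of the GDPR-related behaviour described above.

Not WPForms code. It shows:
  1. the site-wide "Disable User Details" switch taking precedence over the
     per-form "Disable storing user details" checkbox,
  2. a consent box that is always required and only satisfied by an explicit
     affirmative value (a missing or defaulted value never counts),
  3. keyword search across stored fields to locate entries for a data request,
  4. deleting selected entries, or all entries for one form.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional
import itertools


@dataclass
class SiteSettings:
    # Site-wide option under WPForms » Settings » General (hypothetical model)
    disable_user_details: bool = False


@dataclass
class FormSettings:
    form_id: int
    # Per-form checkbox under the form builder's Settings » General
    disable_user_details: bool = False


@dataclass
class Entry:
    entry_id: int
    form_id: int
    fields: Dict[str, str]
    submitted_at: str
    ip_address: Optional[str] = None
    user_agent: Optional[str] = None


class ConsentError(ValueError):
    """Raised when the GDPR Agreement checkbox was not explicitly checked."""


class EntryStore:
    def __init__(self, site: SiteSettings) -> None:
        self.site = site
        self.forms: Dict[int, FormSettings] = {}
        self.entries: Dict[int, Entry] = {}
        self._ids = itertools.count(1)

    def register_form(self, settings: FormSettings) -> None:
        self.forms[settings.form_id] = settings

    def store_user_details(self, form_id: int) -> bool:
        # The site-wide switch wins; otherwise the per-form checkbox decides.
        if self.site.disable_user_details:
            return False
        return not self.forms[form_id].disable_user_details

    def submit(self, form_id: int, fields: Dict[str, str], ip_address: str,
               user_agent: str, gdpr_agreement: Optional[str]) -> Entry:
        # Only the explicit posted value "1" counts as consent; None (box not
        # ticked) or any other value is rejected, so a pre-set default cannot
        # satisfy the requirement.
        if gdpr_agreement != "1":
            raise ConsentError("GDPR agreement must be explicitly checked")
        keep = self.store_user_details(form_id)
        entry = Entry(
            entry_id=next(self._ids),
            form_id=form_id,
            fields=dict(fields),
            submitted_at=datetime.now(timezone.utc).isoformat(),
            ip_address=ip_address if keep else None,
            user_agent=user_agent if keep else None,
        )
        self.entries[entry.entry_id] = entry
        return entry

    def search(self, keyword: str, form_id: Optional[int] = None) -> List[Entry]:
        # Case-insensitive match across every stored field value (name, email, ...),
        # optionally restricted to one form: the "entries search" for access requests.
        needle = keyword.casefold()
        return [
            e for e in self.entries.values()
            if (form_id is None or e.form_id == form_id)
            and any(needle in v.casefold() for v in e.fields.values())
        ]

    def delete(self, entry_ids: Iterable[int]) -> int:
        # Bulk delete of selected entries; returns how many were actually removed.
        removed = 0
        for eid in list(entry_ids):
            if self.entries.pop(eid, None) is not None:
                removed += 1
        return removed

    def delete_all(self, form_id: int) -> int:
        # The "Delete All" option: remove every entry belonging to one form.
        ids = [e.entry_id for e in self.entries.values() if e.form_id == form_id]
        return self.delete(ids)


if __name__ == "__main__":
    # Constructed sample data, not real submissions.
    store = EntryStore(SiteSettings())
    store.register_form(FormSettings(form_id=1))
    store.register_form(FormSettings(form_id=2, disable_user_details=True))
    kept = store.submit(1, {"name": "Example Person", "email": "person@example.com"},
                        "203.0.113.5", "ExampleUA/1.0", "1")
    stripped = store.submit(2, {"name": "Other Person", "email": "other@example.com"},
                            "203.0.113.6", "ExampleUA/1.0", "1")
    print("form 1 keeps IP:", kept.ip_address, "| form 2 keeps IP:", stripped.ip_address)
    print("matches for 'person@example':", [e.entry_id for e in store.search("person@example")])
```

The check in `submit` is the important one: consent is tested against the exact posted value rather than truthiness, so a form that pre-filled the box, or a client that omitted the field, is rejected instead of silently recorded as consent. Entries found with `search` can then be handed back for an access request or passed to `delete` for a deletion request.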

That’s it! We hope this guide helped you to begin creating GDPR compliant forms for your WordPress site.

Next, would you also like to customize your form’s notifications? Check out our tutorial on setting up automatic form notification emails for all the details.