Do you need to check that your forms are compliant with the European Union’s General Data Protection Regulation? The best way to ensure GDPR compliance for your specific site is always to consult legal counsel. In this guide, we’ll discuss general considerations for GDPR compliance in your WordPress forms.
Note: This article contains general information. However, in all circumstances we strongly recommend you consult directly with legal counsel familiar with the GDPR regulations to review your specific use of WPForms.
What is the GDPR?
The GDPR, or General Data Protection Regulation, is a set of data collection regulations in the EU (effective as of May 25, 2018). Requirements under GDPR include requiring explicit consent before collecting or storing user data, as well as allowing the user to request access to or deletion of that data.
For full details, please see this ultimate guide to WordPress and GDPR.
Best Practices for GDPR Compliance
While your specific site may require unique considerations that should be addressed through legal consultation, there are a couple adjustments most sites can make to improve compliance with GDPR.
WPForms makes it super easy to make your forms GDPR compliant. Not using WPForms? Click here to get started today!
Once you have WPForms installed, we recommend enabling the GDPR-enhancement features within WPForms. You can do this by going to WPForms » Settings.
On the General tab, you can scroll to the section titled GDPR and check the box labeled GDPR Enhancements.
Note: Once you’ve enabled GDPR Enhancements, user IP addresses will no longer be collected. This means that the Geolocation Addon will also not be able to work, as it requires IP address to determine a user’s location.
Once this box is checked, you’ll see two additional options appear: Disable User Cookies and Disable User Details.
Note: If you are using the WPForms Lite plugin, then the Disable User Cookies and Disable User Details options aren’t displayed. This is because within the Lite plugin user cookies are not used and the additional user details described below are not collected.
Disable User Cookies
WPForms will, by default, assign every user a UUID (Universally Unique Identifier). The UUID is a random number that does not contain any user information, and is stored in a cookie in the user’s browser.
The UUID cookie is required for the following features in WPForms:
- Related Entries (these are displayed on individual entry pages, and link to other entries submitted by the same user)
- Form Abandonment Addon
When the Disable User Cookies option is checked, these features (if in use) will be disabled and no cookies will be used by WPForms.
Disable User Details
WPForms will automatically collect some additional details when a form is submitted. Here are those details and what they include:
- IP Address: a unique identifier for any device that connects to the internet (more details)
- User Agent: the browser and operating system being used (as an example, you can view your own user agent here)
You can decide to disable this feature site-wide or on a form-by-form basis.
Disable Site-Wide: When the Disable User Details option is checked, none of these extra user details will be collected in any of your forms.
Disable on a Form-by-Form Basis: If you’d prefer, you can control whether user details are stored for each individual form. To do this, you’ll need to leave the site-wide option (described above) unchecked. Then, open the form builder and go to Settings » General.
Near the bottom of this settings screen, you’ll see a checkbox labeled Disable storing user details (IP address and user agent). Checking this box will prevent extra user information from being stored on this individual form.
Ask for Consent
Before collecting or storing user data under GDPR, you would need to request their explicit consent and explain why you need this information in plain language. The easiest way to do this is by adding a checkbox to your form.
When GDPR Enhancements are enabled, a new field will be available in your form builder to assist with this. To find it, you’ll need to create a new form or edit an existing form.
Under the Standard Fields section in the form builder, you’ll see a field named GDPR Agreement. Go ahead and add this field to your form.
There are specific features that make this field different from a standard checkbox agreement:
- Always required: This checkbox will always be required, and there is no setting option to remove the requirement
- No option to check by default: GDPR requires that a consent box can not be checked by default. Instead, the user must be allowed to choose whether to check the box.
- Only a single checkbox: There is no way to add additional checkbox options to this field.
Note: If you’d like to add a detailed disclaimer or terms of service text to your checkbox, be sure to check out our built-in option for special formatting.
Or you can also link to more detailed policies/terms if you’d prefer.
Be Prepared for Entry Data Requests
Under GDPR, users can request access to their entry data at any time. While your site may need to take additional considerations into account, one way to prepare for this is to provide an easy way for your users to submit these requests.
If you need to locate entries with a specific name, email, or other keyword(s), you can use the entries search option to quickly narrow down results.
To delete entries, go to WPForms » Entries and select the form you need. Then check the box for any entry you’d like to delete and, within the Bulk Actions dropdown, select Delete.
Note: Once you’ve deleted an entry, it will be completely erased from your site’s database.
If you’d instead prefer to delete all entries for a form at once, our Delete All option provides a quick and easy option.
For more details on entry management for your forms, please see our complete guide to form entries.
Frequently Asked Questions
Where is entry data stored?
Entry data is handled completely on your site where WPForms is installed. WPForms provides 100% privacy for your entries, and so we do not collect any entry data on our end.
If you’d like more technical details, please check out our tutorial about the storage of entries to your site’s WordPress database.
You can also choose to include entry details in automatic form notification emails.
Can I prevent entries from being stored to my site?
Yes, you can choose whether or not to store entries with all WPForms licenses. This option is set within each individual form, and entry storage is enabled by default.
To disable entry storage, you’ll need to open the form builder and go to Settings » General.
Towards the bottom of these settings, you’ll find a checkbox labeled Disable storing entry information in WordPress. Once this is checked and the form is saved, entries for this form will no longer be stored to your site.
Note: If you choose to disable entry storage, be sure to set up notification emails so that entry details can still be collected.
Can I access GDPR enhancements in both WPForms and WPForms Lite?
Absolutely, everyone has access to GDPR enhancements no matter which version of WPForms is used.
How can I be sure my site is GDPR compliant?
Compliance details will vary from site to site, and potentially even from one form to the next. This is why in all cases we recommend seeking legal counsel familiar with GDPR to review your specific site and form use.
That’s it! We hope this guide helped you to begin creating GDPR compliant forms for your WordPress site.
Next, would you like to customize your form’s emails? Be sure to check out our tutorial on setting up automatic form notification emails for all the details.