Do you need to check that your forms are compliant with the European Union’s General Data Protection Regulation? The best way to ensure GDPR compliance for your specific site is to always consult legal guidance.
In this guide, we’ll discuss general considerations for GDPR compliance in your WordPress forms.
- What is the GDPR?
- Best Practices for GDPR Compliance
- Frequently Asked Questions
Note: This article contains general information. However, in all circumstances, we strongly recommend you consult directly with legal counsel familiar with the GDPR regulations to review your specific use of WPForms.
What is the GDPR?
The GDPR, or General Data Protection Regulation, is a set of data collection regulations in the EU (effective as of May 25, 2018). Among other things, GDPR requires explicit consent before collecting or storing user data, and it gives users the right to request access to or deletion of that data.
For full details, please see WPBeginner’s ultimate guide to WordPress and GDPR.
Why Use GDPR Compliant Forms?
GDPR compliance is required if you are collecting personal information from anyone residing within the European Union.
Best Practices for GDPR Compliance
While your specific site may require unique considerations that should be addressed through legal consultation, there are a couple of adjustments most sites can make to improve compliance with GDPR.
Note: WPForms makes it super easy to make your forms GDPR compliant. Not using WPForms? Click here to get started today!
To begin, we recommend enabling the GDPR enhancement features within WPForms. You can do this by going to WPForms » Settings and opening up the General tab.
Then, scroll to the section titled GDPR and check the box labeled GDPR Enhancements.
Once this box is checked, you’ll see two additional options appear: Disable User Cookies and Disable User Details.
Note: If you are using the WPForms Lite plugin, then the Disable User Cookies and Disable User Details options aren’t displayed. In WPForms Lite, user cookies are not used and the additional user details described below are not collected.
We’ll go over each of these options below.
Disabling User Cookies
WPForms will, by default, assign every user a UUID (Universally Unique Identifier). The UUID is a random number that does not contain any user information and is stored in a cookie in the user’s browser.
The UUID cookie is required for several features in WPForms:
- Related Entries (these are displayed on individual entry pages, and link to other entries submitted by the same user)
- Geolocation addon
- Form Abandonment addon
When the Disable User Cookies option is checked, these features (if in use) will be disabled and no cookies will be used by WPForms.
Disabling User Details
WPForms will automatically collect some additional details when a form is submitted. Here are those details and what they include:
- IP Address: the network address identifying the device (or the network) the form was submitted from
- User Agent: a string identifying the browser and operating system being used
If you’d like, you can decide to disable this feature site-wide or on a form-by-form basis.
Disabling User Details Site-Wide
When the Disable User Details option is checked, none of these extra user details will be collected in any of your forms.
Disabling User Details on a Form-by-Form Basis
If you’d prefer, you can control whether or not user details are stored for each individual form. To do this, you’ll need to leave the Disable User Details option unchecked.
Then, open the form builder and go to Settings » General.
Scroll to the Advanced section, and you’ll see an option labeled Disable storing user details (IP address and user agent). Selecting this option will prevent extra user information from being stored on this individual form.
Asking for Consent
Before collecting or storing user data under GDPR, you need to request the user’s explicit consent and explain in plain language why you need this information. The easiest way to do this is by adding an agreement checkbox to your form.
When GDPR Enhancements are enabled, the GDPR Agreement field will become available in your form builder to assist with this. To use this field, you’ll need to create a new form or edit an existing form.
Then, under the Standard Fields section in the form builder, click the GDPR Agreement field to add it to your form.
There are specific features that make this field different from a standard checkbox agreement. We’ll go over the differences below:
- Always required: This checkbox will always be required, and there is no setting option to remove the requirement.
- No default option to check the checkbox: GDPR requires that a consent box cannot be pre-checked. Instead, the user must actively choose whether or not to check the box.
- Only a single checkbox: There is no way to add additional checkbox options to this field.
Here is an example of how your GDPR compliant form might look on the frontend:
Note: If you’d like to add a detailed disclaimer, terms of service text, or link to an external document, be sure to check out our tutorial on adding a terms of service checkbox to a form.
Preparing for Entry Data Requests
Under GDPR, users can request access to their entry data at any time. While your site may need to take additional considerations into account, one way to prepare for this is to provide an easy way for your users to submit these requests.
If you need to locate entries with a specific name, email, or other keywords, you can use the entries search and filter options to quickly narrow down results.
If you need to delete entries, go to WPForms » Entries and select the form you need. From here, check the box next to any entry you’d like to delete and, within the Bulk Actions dropdown, select Delete. Then, click the Apply button to delete the selected entries.
Note: Once you’ve deleted an entry, it will be completely erased from your site’s database.
If you’d prefer to delete all entries for a form at once, our Delete All option provides a quick and easy solution.
For more details on entry management for your forms, please see our complete guide to form entries.
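Beyond the WPForms search and bulk-delete steps above, WordPress core has its own Tools » Export Personal Data and Erase Personal Data screens that any plugin can hook into. The following is an added example, not WPForms’ own code, showing how form entries kept in a hypothetical custom table (`wp_form_entries`, with the columns assumed in the comments) could be wired into those access and erasure requests:

```php
// Added example, not WPForms code: registers form entries with WordPress core's
// Tools » Export Personal Data / Erase Personal Data requests (WP 4.9.6+).
// Assumed, hypothetical schema: {$wpdb->prefix}form_entries with columns
// id, email, ip_address, user_agent, fields (JSON object of label => value).
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['form-entries'] = array(
        'exporter_friendly_name' => 'Form entries',
        'callback'               => 'form_entries_export',
    );
    return $exporters;
} );
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['form-entries'] = array(
        'eraser_friendly_name' => 'Form entries',
        'callback'             => 'form_entries_erase',
    );
    return $erasers;
} );
// Access request: return every entry submitted with this e-mail address.
function form_entries_export( $email_address, $page = 1 ) {
    global $wpdb;
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, ip_address, user_agent, fields FROM {$wpdb->prefix}form_entries WHERE email = %s",
        $email_address
    ) );
    $items = array();
    foreach ( $rows as $row ) {
        $data = array();
        // IP and user agent are only present when "Disable User Details" was off.
        foreach ( array( 'ip_address' => 'IP Address', 'user_agent' => 'User Agent' ) as $col => $label ) {
            if ( ! empty( $row->$col ) ) {
                $data[] = array( 'name' => $label, 'value' => $row->$col );
            }
        }
        foreach ( (array) json_decode( $row->fields, true ) as $label => $value ) {
            $data[] = array( 'name' => $label, 'value' => $value );
        }
        $items[] = array( 'group_id' => 'form-entries', 'group_label' => 'Form entries',
                          'item_id' => 'entry-' . $row->id, 'data' => $data );
    }
    return array( 'data' => $items, 'done' => true );
}
// Erasure request: delete the rows and report the outcome on the admin screen.
function form_entries_erase( $email_address, $page = 1 ) {
    global $wpdb;
    $deleted = $wpdb->delete( $wpdb->prefix . 'form_entries', array( 'email' => $email_address ), array( '%s' ) );
    return array( 'items_removed' => (bool) $deleted, 'items_retained' => false,
                  'messages' => array(), 'done' => true );
}
```

Once registered, a site administrator can confirm a requester’s identity through the core privacy tools and then export or erase that person’s entries from one place, which keeps the request log that GDPR accountability expects.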
Frequently Asked Questions
Where is entry data stored?
Entry data is handled completely on your site where WPForms is installed. WPForms provides 100% privacy for your entries, so we do not collect any entry data on our end.
If you’d like more technical details, please check out our tutorial on storing entries in your site’s WordPress database.
You can also choose to include entry details in automatic form notification emails.
Can I prevent entries from being stored to my site?
Yes, with all WPForms license levels, you can choose whether or not to store entries. This option is set within each individual form, and entry storage is enabled by default.
To disable entry storage, you’ll need to open the form builder and go to Settings » General.
Then, scroll to the Advanced section and select the Disable storing entry information in WordPress option. Once this option is selected and the form is saved, entries for this form will no longer be stored in your site.
Note: If you choose to disable entry storage, be sure to set up notification emails so that entry details can still be collected.
Can I access GDPR enhancements in both WPForms and WPForms Lite?
Yes, GDPR enhancements are available in every version of WPForms, including WPForms Lite.
How can I be sure my site is GDPR compliant?
Compliance details will vary from site to site, and potentially even from one form to the next. This is why in all cases we recommend seeking legal counsel familiar with GDPR to review your specific site and form use.
That’s it! We hope this guide helped you to begin creating GDPR compliant forms for your WordPress site.
Next, would you like to customize your form’s emails? Be sure to check out our tutorial on setting up automatic form notification emails for all the details.