Do you need to check that your forms comply with the European Union’s General Data Protection Regulation? The only reliable way to confirm GDPR compliance for your specific site is to consult legal counsel. In this guide, we’ll cover the general considerations that apply to GDPR compliance in your WordPress forms.
What is the GDPR?
The GDPR, or General Data Protection Regulation, is the EU regulation governing the collection and processing of personal data (in effect since May 25, 2018). Among its requirements: you must have a lawful basis, such as explicit consent, before collecting or storing a user’s personal data, and users must be able to request access to, or deletion of, the data you hold about them.
For full details, please see this official guide to GDPR.
Best Practices for GDPR Compliance
While your specific site may have unique requirements that should be addressed through legal consultation, there are a couple of adjustments most sites can make to improve compliance with GDPR.
To get started, we recommend enabling GDPR-specific features within WPForms. You can do this by going to WPForms » Settings.
On the General tab, you can scroll to the section titled GDPR and check the box labeled GDPR Enhancements.
Once this box is checked, you’ll see two additional options appear: Disable User Cookies and Disable User Details.
Disable User Cookies
By default, WPForms assigns every visitor a UUID (Universally Unique Identifier). The UUID is a random value that contains no user information, and it is stored in a cookie in the visitor’s browser. Although the value itself reveals nothing, it persists across visits and links submissions made from the same browser, which is why it is relevant under GDPR.
The UUID cookie is required for several features in WPForms:
- Related Entries (these are displayed on individual entry pages, and link to other entries submitted by the same user)
- Geolocation Addon
- Form Abandonment Addon
When the Disable User Cookies option is checked, these features (if in use) are disabled and WPForms sets no cookies at all.
Disable User Details
WPForms automatically records some additional details with each form submission. Here is what they are and what they include:
- IP Address: the network address the submission came from. It is not necessarily unique to one device (several devices may share an address behind NAT), but it can identify a user or household and is treated as personal data under GDPR.
- User Agent: a string sent by the browser identifying the browser and operating system being used.
You can decide to disable this feature site-wide or on a form-by-form basis.
Disable Site-Wide: When the Disable User Details option is checked, none of these extra user details are collected on any of your forms.
Disable on a Form-by-Form Basis: If you’d prefer, you can control whether user details are stored for each individual form. To do this, leave the site-wide option (described above) unchecked. Then open the form builder and go to Settings » General.
Near the bottom of this settings screen, you’ll see a checkbox labeled Disable storing user details (IP address and user agent). Checking this box prevents the extra user details from being stored for that individual form only.
Ask for Consent
Before collecting or storing user data under GDPR, you need to request the user’s explicit consent and explain, in plain language, why you need the information. The easiest way to do this is to add a checkbox to your form.
When GDPR Enhancements are enabled, a new field will be available in your form builder to assist with this. To find it, you’ll need to create a new form or edit an existing form.
Under the Standard Fields section in the form builder, you’ll see a field named GDPR Agreement. Go ahead and add this field to your form.
Several features set this field apart from a standard checkbox agreement:
- Always required: This checkbox is always required, and there is no setting to remove the requirement.
- Never checked by default: GDPR does not allow a consent box to be pre-checked. The user must actively choose to check it.
- Only a single checkbox: There is no way to add additional checkbox options to this field.
You can also link to more detailed policies or terms from the agreement text if you’d prefer.
Be Prepared for Entry Data Requests
Under GDPR, users can request access to their entry data at any time. Your site may need to take additional considerations into account, but one way to prepare is to give your users an easy way to submit these requests.
If you need to locate entries with a specific name, email, or other keyword(s), you can use the entries search option to quickly narrow down results.
To delete entries, go to WPForms » Entries and select the form you need. Then check the box for any entry you’d like to delete and, within the Bulk Actions dropdown, select Delete.
If you’d instead prefer to delete all entries for a form at once, the Delete All option does this in a single step.
For more details on entry management for your forms, please see our complete guide to form entries.
That’s it! We hope this guide helped you to begin creating GDPR compliant forms for your WordPress site.
Next, would you also like to customize your form’s notifications? Check out our tutorial on setting up automatic form notification emails for all the details.