GDPR Enhancements for WPForms

Introducing New GDPR Enhancement Features for Your WordPress Forms

Editorial Note: We may earn a commission when you visit links on our website.

Today we’re excited to announce the release of WPForms 1.4.6!

This is a big one since it relates to something that has been on everyone’s minds for a long time now – GDPR compliance.

In this release, we have updated WPForms to help you get on track with GDPR, so that you can continue to nurture leads and build your business, without all the extra worry.

So, let’s see what’s in store for you!

GDPR Enhancements

There’s been a lot of talk lately about GDPR and how it’ll affect your email marketing, lead generation, and WordPress forms in general moving forward.

That’s because come May 25th, new regulations will be in place that include major changes to data privacy and individual rights for people in the European Union (EU).

These changes are going to affect businesses all around the world, and it has caused quite a panic among users.

As always, at WPForms, we’re staying ahead of the curve and have got you covered.

In an effort to help you comply with GDPR, we have added a set of new features called GDPR enhancements.

GDPR Enhancements

The GDPR enhancement features will help prepare your website to comply with the new law. If you’re using the premium version of WPForms (Basic license or higher), then here’s how the new settings work:

  • With a click of a button, you can stop all cookie and geo-location tracking from WPForms.
  • We have also added the option to stop collecting and storing IP Addresses as well as User Agent information related to each form entry.

The great thing about these new GDPR enhancements is that they apply globally to all of your forms created with WPForms, meaning it’s a one and done deal once you enable the features.

WPForms Lite GDPR Enhancements

While there are no settings for GDPR enhancements in WPForms Lite, we have automatically removed user cookies entirely from the lite version.

The user cookies were not needed in WPForms Lite because the Lite version does not come with the ability to store form entries.

GDPR Form Field

Aside from the GDPR enhancements related to form entries, we have also added a new ‘GDPR Agreement’ field to make it easy for you to add a consent checkbox to your forms.

This field requires the website visitor to explicitly consent to you collecting and storing their contact information. This is specially handy if you are using your form to send data to your email marketing service or CRM.

GDPR Form Field

You can easily customize the ‘GDPR Agreement’ field to change the sample text to fit your needs.

Non-input Field Filter

As an added bonus to our GDPR enhancement features, we’ve also added something that several of you have been asking for: ability to add non-input fields in your form email notifications.

WPForms make it easy for you to create multi-step forms in WordPress perfect for when you are collecting a lot of information. Multi-step forms help reduce user fatigue.

But the problem is that any time you send out a form notification email from a multi-part form, the non-input fields like HTML, Section Dividers, and Page Breaks are invisible which makes it the notification email hard to read.

This results in a less than an ideal user experience.

That’s why we’ve created a filter that you can use to easily add non-input fields to your form notification emails.

Non-input Fields Notification Email Example

For more information about how to do this, check out our helpful documentation on how to include non-input form fields in your notification emails.

What’s Coming Next?

In this release, we also did major behind-the-scenes improvement to our marketing integration class. This will make it easy for us to quickly add new marketing integrations in the future.

We’re working on putting the final touches on our next email marketing integration, Drip. If you are using Drip as your email marketing service, which I know a lot of you are, then this will make it easy for you to integrate WPForms with Drip.

We also have several other features that will be coming as part of the next release.

That’s all for today. We hope you like the new features and find them helpful in complying with GDPR and providing a better user experience for your site visitors.

Don’t have a WPForms Pro license? Click here to Get started today and experience the WPForms difference.

As always, thank you for your continued support of WPForms. We look forward to bringing you more updates soon!

Syed and the WPForms team

Legal Disclaimer: These features are designed to automate some of the settings required to be in compliance with various EU laws. However due to the dynamic nature of WordPress websites, no single plugin can offer 100% legal compliance. Please consult a specialist internet law attorney to determine if you are in compliance with all applicable laws for your jurisdictions and your use cases.

** We are not lawyers and nothing on this website should be considered legal advice.


  1. Great to see the GDPR updates, could care less about drip.

    Still waiting almost 2 years later for PayPal pro support and Stripe subscriptions.

    1. Hi Jeff,

      Glad to hear the GDPR features will help you out! Both of the features you mentioned are still on our radar, and recurring payments for Stripe are something we’re looking to looking to tackle this year. It’ll be a super useful addition! 🙂

  2. Thanks for the GDPR enhancements, a good step forward!

    However: Isn’t it technically illegal under GDPR legislation to send personal data that is entered into a WP Form via (non-encrypted) email?

    I would suggest to just send a notification email that a new entry has been made, but store the full content only on the server. Which is of course a bit less convenient, but then, it’s the law, or isn’t it?

    1. Hey Chris,

      WPForms allow you to customize the notification email that is sent. You can choose to remove all entry content and replace it with a placeholder text.

      As always we let the user decide based on legal advice they’re getting from their attorneys to comply with the laws in their jurisdiction.

    1. Hi Tom, with the new marketing integration API, it should make it faster for us to tackle new integrations. ConvertKit definitely has a lot of user votes 🙂

    1. Hi Laura,

      We’ve made GDPR enhancements available to everyone, however not all are applicable in our free version (which works a bit differently from our paid version since it doesn’t store entries to your site). We’ve covered all of the details both in this post and in our GDPR doc.

      So essentially, applicable GDPR enhancements are to help everyone (regardless of free vs paid version) to more easily work towards compliance. However, it’s important to note that we aren’t lawyers and can’t guarantee compliance for your forms/site. We recommend consulting legal counsel to be certain your site is in full compliance.

      Hope this helps! 🙂

  3. I found when testing my contact form that if I failed to check the GDPR agreement box, the page refreshed losing the entered content. Please could you advise on how I could prevent this?

    1. Hi Morwenna,

      That’s definitely odd, and it sounds like something is preventing our validation from working properly. As an example, here’s a short screencast video showing how this validation should work. As you can see there, a validation error should appear if the required box isn’t checked — however, the form should not clear.

      We’d be happy to help you investigate this further! When you get a chance, please drop us a line in support so we can assist.

      If you have a WPForms license, you have access to our email support, so please submit a support ticket.

      Otherwise, we provide limited complimentary support in the WPForms Lite support forum.

      Thanks 🙂

  4. Hi,

    Besides the GDPR enhancement, do you have any formal DPA (Data processing agreement) in order to comply with the regulation?

    The possibility of storing, changing data and so forth as WPForms allow, makes a DPA mandatory I would argue.

    I make an argument here with reference to article 4(2) of the GDPR:

    “Processing” means any operation or set of operations performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”

    So according to article 4(2) the definition of “processing” both entails non-automatic and automatic processes which either change, organize, adds to, etc. any personal data. I argue that any computation or piece of software will fall into this category if it acts on personal data, even though no data is stored or retained on the servers of the company that developed the software employed.

    Furthermore I argue, that any software developed by a company for processing of personal data that is employed by another company will mean that the developer company is an acting data processor for which the automatic operations will have to be determined by contractual agreements between the processor (employed) and the controller (employing company) according to GDPR article 28(3):

    “Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor…”

    The need for a DPA arises for a number of reasons, as described in different parts of the GDPR.

    – Delegation of responsibility between a (plural number of) processer(s) and/or the data controller.

    – Agreements on how to act in case that end-users (Data subjects) wants to retrieve, delete, or change information etc.

    – Documentation purposes.

    Furthermore I would argue that the description of what sort of circumstances calls for a data controller-processer relationship in which the data controller specifies the means and ends of processing, reflects those of a situation in which a software is employed for processing data for specific purposes by a company that didn’t themselves develop the software. The software is employed to fulfill specific purposes and the company that employs the software has to decide which software will fulfill their intended purposes, as well as what means would accomplish it however a limited choice the employing company has regarding the means they can employ with the software. This is also the case even though no humans have been involved!

    What I am touching upon here is the distinction between a static product and a dynamic service. In either case the situation calls for documentation. Even though the software developer can’t actively change their means or purposes after the employing company has installed their software. The employing company will none the less be in need of contractual documentation for the sort of operations that the developers have implemented in the software. This they’ll have to in order to avoid any unnecessary data gathering and minimize risk.

    Besides from that I would argue that even though the data handling seems indirect, the data is being processed in accordance with a data processor-controller relationship if the software employed doesn’t handle the data in a way under which circumstances the data can’t be referred back to any particular individual. That is if it isn’t being handled in a database (or the like) where the data is completely anonymous.

    I’ll look forward to your answer, I haven’t been able to locate the DPA on your website.

    Kind regards


    1. Hi Daniel — does not have an DPA at this time. When using WPForms on your site, the need for a DPA will depend on how you are processing the data. When in doubt we recommend consulting an attorney.

      If you have any additional questions, please get in touch. Thanks! 🙂

  5. Nice to have the GDPR checkbox in the free version, however the text of the actual statement appears in grey against a dark background on my website, making it almost impossible to see that there is text at all – contrary to all other text in the same contact form which is in white and nicely legible.

    1. Hi Ralf,

      The good news is that this is a pretty quick fix with a bit of custom CSS — and we’d be happy to put together a snippet for you. When you get a chance, please drop us a line in support so we can assist.

      If you have a WPForms license, you have access to our email support, so please submit a support ticket.

      Otherwise, we provide limited complimentary support in the WPForms Lite support forum.

      Thanks 🙂

    1. Hey Marc – We currently don’t have the feature to change the _wpfuuid Cookie expiry duration. I do agree this would be great, and I’ll add this into our feature request tracker.

Add a Comment

We're glad you have chosen to leave a comment. Please keep in mind that all comments are moderated according to our privacy policy, and all links are nofollow. Do NOT use keywords in the name field. Let's have a personal and meaningful conversation.

This form is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.