Yesterday, I blogged about the new GDPR rules that will go into force on May 25. I covered what I consider the first step—creating your Privacy Policy.
Today, I’ll talk about what I consider the next step on the road to GDPR-compliance—revising your Contact forms.
Once again, the standard disclaimer: I am not a lawyer, and nothing I say here should be considered legal advice. I’m blogging about my own journey to get my websites GDPR-compliant. If that helps you on your own journey, very good, but you should consult a lawyer versed in GDPR if you want legal advice.
Contact Forms
You probably have a Contact page on your website that lets people send you an email using a Contact form. A Contact form has fields for a site visitor to type in their name and email address and their message. It’s a lot more primitive than a regular email program. Why do most websites have such primitive Contact forms? That calls for a little history…
In the old days, a Contact page usually had a simple email link in a format called “mailto,” which contained the email address of the website owner. When a website visitor clicked on a mailto link, their email program popped up, loaded with the email address of the website owner and ready to type in the email message. That was very convenient.
But the problem was that spammers sent out bots that crawled Contact pages and harvested the addresses from those mailto links. Once the spammers had the website owner’s email address, they sent him tons of spam.
That’s why most websites these days have a Contact form instead of a bare mailto link. It’s protection for website owners from the spammers.
But here’s the problem for GDPR compliance: A Contact form usually puts the website visitor’s name and email address into the website database. There are good, sensible reasons for this. But now the website is storing personal information of any site visitor who uses the Contact form. And GDPR is all about letting website visitors control their personal data.
Please note that it’s possible to use a Contact form that saves no personal information to the website database. In that case, you don’t have to worry about letting your website visitors control this particular information, because there’s nothing to control.
On my website, I have Contact forms created using a WordPress plugin called Gravity Forms. I checked and found that Gravity Forms does save information to the site database. It saves the site visitor’s name, email address, and the message they sent.
While this might seem pretty innocuous, it is personal data. And therefore GDPR covers it. GDPR says that this personal data can’t be collected without consent.
So our next step is to get the website visitor to give consent before the Contact form collects that personal data.
Getting Informed Consent
As I understand it, the website visitor must voluntarily give informed consent. That means you need to tell them what you’re doing, and then they need to freely take some positive action to consent to it, and then you need to keep evidence that they gave consent. And they must have the option later on to revoke consent.
That all sounds complicated, no? How is this supposed to work out in practice?
First of all, you should already have your Privacy Policy available in the standard location on every page of your website. That Privacy Policy spells out in fair detail what you’re doing with their personal data. So there’ll be a section in your Privacy Policy that says what information you collect on your Contact form and what you do with it. (Presumably you at least store it, but your site may do other things with it than simply storing it.)
If your Privacy Policy is well-written, then your website visitor has been informed (or at least has the option to have been informed).
Now how do they give consent?
They give consent in the Contact form itself. There needs to be a checkbox in the Contact form that makes clear they are giving consent to have their personal information used. The checkbox should start out unchecked. The site visitor then checks that box. If they don’t check the box, then the Contact form refuses to send their email to you.
What I Did To Make This Work
Today I went to all the Contact pages on my site. In each form, I added a checkbox with wording something like this: “You consent for your name and email to be stored electronically.”
The checkbox is a “required field” which means that the user can’t send the email unless the checkbox has been clicked.
And the checkbox starts out unchecked, which ensures that the user has to take positive action to give consent.
As I understand it, this takes care of the requirement that I get informed consent.
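To show the point the “required field” and “starts out unchecked” steps are making from the server’s side, here is an added example (my own illustration, not code from this post, from WordPress or from Gravity Forms): a framework-agnostic handler for a Contact form POST that refuses to accept the message unless the consent box was ticked, and keeps the evidence of consent beside the stored name and email. The field names, the checkbox value `yes` and the wording version tag are assumptions.

```javascript
// Added example: server-side handling of the consent checkbox on a Contact form.
// `fields` is the parsed body of the form POST (field name -> string value).
// Field names, the "yes" value and the version tag are assumptions.

const CONSENT_WORDING = {
  version: "2018-05-16", // assumed: bump this whenever the checkbox text changes
  text: "You consent for your name and email to be stored electronically.",
};

// An HTML checkbox that is left unchecked is simply absent from the POST body,
// so "field missing" must be read as "no consent". Only the exact value the
// form renders counts; do not loosely coerce "on", "1", "true" or "false".
function consentGiven(fields, fieldName = "gdpr_consent") {
  return Object.prototype.hasOwnProperty.call(fields, fieldName) &&
    fields[fieldName] === "yes";
}

function processContactSubmission(fields, now = new Date()) {
  const name = (fields.name || "").trim();
  const email = (fields.email || "").trim();
  const message = (fields.message || "").trim();
  if (!name || !email || !message) {
    return { ok: false, error: "missing required field" };
  }
  // The browser's `required` attribute is only a convenience: a hand-crafted
  // POST can omit the checkbox entirely, so the server has to decide.
  if (!consentGiven(fields)) {
    return { ok: false, error: "consent checkbox not ticked" };
  }
  // Evidence of consent is stored with the personal data itself: which wording
  // the visitor agreed to, and when. Keeping it in the same record means it can
  // be shown to the visitor, or deleted, together with the name and email.
  return {
    ok: true,
    record: {
      name, email, message,
      consent: {
        wordingVersion: CONSENT_WORDING.version,
        wordingShown: CONSENT_WORDING.text,
        givenAt: now.toISOString(),
      },
    },
  };
}

// Constructed sample submissions (not real visitors).
const withConsent = { name: "A. Visitor", email: "a@example.com", message: "Hi", gdpr_consent: "yes" };
const withoutConsent = { name: "A. Visitor", email: "a@example.com", message: "Hi" };
console.log(processContactSubmission(withConsent).ok, processContactSubmission(withoutConsent).error);
```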
Yes, this is a bit of a hassle. Yes, it seems like bureaucratic rigamarole. But it only needs to be done once, and it’s done.
If you’re not techie, this may seem like a lot of work. But if you’re not techie, you probably had a webmaster create your Contact form to begin with, and I expect they could revise it pretty quickly, if you tell them what to do.
You should of course do your own legal homework to choose wording that you believe meets the GDPR requirements. You shouldn’t assume that I got the wording right. Remember, I’m not a lawyer. I’ve done my best, but I can only be responsible for my own site.
There’s More, But We’ll Leave That For Later
GDPR also requires that your users should later be able to find out what personal information you’ve stored that originally came from your Contact form. They should be able to get the information in electronic format. They should be able to make you delete it from your system.
How do you make that happen?
I’m going to leave that for another day. WordPress is releasing version 4.9.6 on Thursday, May 17. As I understand it, the new release will have the tools needed to handle these particular GDPR requirements. So I’m going to hold off talking about that until I’ve seen the new release. If the new release doesn’t do the trick, there are some plugins that might handle it. More on that in a few days.