There are a lot of resources on the web which state that if you have a form on your website, you must add a checkbox which specifically asks for the user’s consent to process and store their data.
But the ICO’s guidance on consent actually says the following (amongst other things):
- The GDPR sets a high standard for consent. But you often won’t need consent. If consent is difficult, look for a different lawful basis.
- Avoid making consent to processing a precondition of a service.
My deduction is that for general contact/enquiry forms, where you are processing and storing information to allow you to respond to an enquiry, consent would be a precondition of service – you can’t respond to an enquiry unless you have the person’s name/email address/enquiry! Consent is therefore pretty meaningless in this situation, and one of the other legal bases for processing data would be more appropriate:
- 6(1)(b) – Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
- 6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- 6(1)(f ) – Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
If any of these apply, it follows that you don’t need a consent checkbox on your form.
This doesn’t exempt you from the requirements of GDPR more generally. Specifically:
- You should link to your Privacy Information Notice, and let people know that by completing the form, their data will be processed and stored in accordance with that notice.
- You need to have a way to collate/correct/delete that data on request (see below).
So when is consent required?
As I understand it, positive opt-in consent WOULD be required if, for example, you are signing people up to a marketing newsletter, as part of another process.
Imagine you have a contact form. It would be unlawful to simply add people to a marketing list simply by virtue of the fact they have completed your contact form. In this instance, you must have an explicit checkbox, unchecked by default, specifically asking people whether they consent to receiving marketing emails. It should be separate from any terms and conditions checkbox.
Question: is a consent checkbox required in an email marketing signup form? Most people would say yes. But if the only purpose of the form is to sign people up to your marketing list, and you make people are aware that that is the case, presumably a consent checkbox would be a precondition of service, and therefore rather meaningless. Common sense would argue that it’s unnecessary.
Establish the legal basis for any contact forms you have & ensure this is documented.
Many WordPress forms plugins store form entries in the website database, as well as emailing them to the nominated administrator. This is useful in the event that email notification fails. However, under GDPR, it is difficult to justify storing these entries in the website database indefinitely.
There are several ways around this:
- We may see the big forms plugins players (Gravity Forms for example) introduce plugin options which allow us to deal with data retention more effectively
- Alternatively, it would be relatively simple to code a solution to either 1) stop Gravity Forms storing entries in a database or 2) delete entries automatically after 30 days. There is already a plugin which stops Gravity Forms storing entries on the database.
- As a last resort, one could introduce a manual process whereby form entries were manually deleted every 30 days.
The information above deals specifically with Gravity Forms, but applies in principle to other plugins too. This analysis of how and where popular WordPress contact forms plugins store data may be useful.
Establish how long you will be storing forms information, and document this.
Where necessary, establish a process and/or systems for deleting data when it is no longer required.
Responding to requests for access/rectification/erasure
How you handle this will be dependant on the forms plugin you use, and where you store form submissions.
If you use Gravity Forms, the plugin has an Export facility which allows you to pull out entries by email address, and export to CSV file.
Likewise, you have the ability to search for entries by email address, and bulk delete.
Note: it’s therefore generally a good idea to ask for an email address in any forms on your website – so that you have a unique handle by which to pull out users’ data should they request it.
Check that you have a process for easily finding form submission data relating to an individual.
Check you have a process in place to correct, delete, or export the data (normally to a CSV file). Consider doing a dummy run.
Ensure this process is documented in your internal data security policy (this is also a good place to list all the places where you hold data (not just your website) – so if an individual requests access/rectification/erasure, you know where to look.