
WordPress GDPR compliance with Contact Form 7 and Flamingo — what I’ve found so far…


One of the hottest topics at the moment, GDPR or General Data Protection Regulation, comes into effect on 25th May 2018 and will see changes to the way in which businesses and organisations handle and process our personal data.

WordPress and Plugins

I’ve been looking into GDPR and how it will affect the way in which we capture and store data on websites that have been built specifically for this purpose.

Two WordPress plugins that work well together are Takayuki Miyoshi’s Contact Form 7 (CF7) (for generating custom frontend forms) and Flamingo (for storing the form submissions). Discussions around how GDPR will affect the use of these plugins have been cropping up for a few months on forums, and there’s not been much in the way of information available.

I’ve so far found a few options that hopefully go some way to ensuring GDPR compliance whilst using Contact Form 7 and Flamingo. The tutorial below talks through these methods, although I’d be really interested to know how you’re approaching this subject – let me know.

Disclaimer: this is by no means legal advice and is based entirely on my findings of this subject so far. It’s likely that many things could change regarding the law or that plugins could become updated. Please seek proper legal advice on the subject if required and remember to check for the latest WordPress updates.

Preparing for GDPR

Option 1: Email Only

The obvious option here is to not store the submissions on the server at all and rely on Contact Form 7 to email responses to you without using Flamingo. However, email is known not to be 100% reliable: there are multiple points at which a message could be blocked or at which delivery could fail. If receiving form responses is critical to your project or business, this may not be the most appropriate option for you. There are additional plugins available for WordPress (which I haven’t tested yet) that help to secure email delivery, such as WP PGP Encrypted Emails.

Option 2: Contact Form 7 Acceptance Checkbox

The acceptance checkbox in CF7 has been around for a few versions now, but made it into the latest changelog for version 5. A condition of GDPR is that you must gain a user’s consent whenever gathering data. This must be their explicit consent, it must be opt-in (rather than a pre-ticked checkbox), it must be separate from any other terms and conditions, and it must make clear why we want the data and what we’re going to do with it.

The acceptance checkbox can be added to forms, showing a link to your privacy policy in the label and the user must tick the checkbox in order to submit the form. Here’s an example of the acceptance checkbox set up and how it can be used in practice.

Adding the acceptance checkbox in the Contact Form 7 settings


Demonstrating how the checkbox must be ticked to submit the form


As a note, the latest version of Flamingo, 1.8, now has a section within each inbound message where it stores the message of consent that’s been accepted. It looks as though both CF7 and Flamingo are being actively updated in preparation for GDPR, so it’s worth keeping an eye out for any further updates that will help with your GDPR compliance.

Demonstrating how Flamingo stores the acceptance checkbox

Option 3: Giving the user an option to opt-out of having their data stored

If you’re using Flamingo as your CF7 database and you’re happy to only store some form submissions, another option is to allow users to explicitly opt into having their data stored.

This can be achieved by using a default CF7 checkbox alongside the CF7 before_send_mail hook and Flamingo’s do_not_store setting.

Here’s the code that will need to be added to your WordPress theme’s functions.php. We’re using a checkbox named “opt-in”: if it’s checked we set do_not_store=false, otherwise we set do_not_store=true and bypass Flamingo.

One thing to note is that I’m manually setting the Flamingo Subject in the CF7 settings rather than passing it through using a form field. When we hook into the additional settings, it doesn’t appear to carry this through by default, so here I’m passing through the form title again.
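The following is an added example of the Option 3 approach, not the author’s original snippet (which isn’t reproduced on this page). It assumes a form template containing a checkbox named “opt-in” and an Option 2 acceptance tag, and a flamingo_subject line in the form’s Additional Settings tab; the function name sq_flamingo_conditional_store is hypothetical. Rather than overwriting the Additional Settings (which is what loses the Flamingo subject), it appends a do_not_store line to whatever is already there.

```php
<?php
// Added example (not from the original post). Assumed form template:
//   [checkbox opt-in "Store my message so that you can respond to it"]
//   [acceptance gdpr-consent] I have read the privacy policy. [/acceptance]
//   [submit "Send"]
// Assumed Additional Settings tab contents:
//   flamingo_subject: "Website enquiry"
// wpcf7_before_send_mail, WPCF7_Submission::get_instance(), get_posted_data(),
// prop() and set_properties() are real CF7 APIs; sq_flamingo_conditional_store
// and the field name "opt-in" are this example's own choices.

add_action( 'wpcf7_before_send_mail', 'sq_flamingo_conditional_store', 10, 1 );

function sq_flamingo_conditional_store( WPCF7_ContactForm $contact_form ) {
	$submission = WPCF7_Submission::get_instance();
	if ( ! $submission ) {
		return;
	}

	// CF7 posts a checkbox as an array of ticked values; an unticked box is
	// absent from the posted data, so empty() covers both cases.
	$posted   = $submission->get_posted_data();
	$opted_in = ! empty( $posted['opt-in'] );

	// Read the existing Additional Settings instead of replacing them, so the
	// flamingo_subject line (and anything else set in the admin UI) survives.
	$settings = (string) $contact_form->prop( 'additional_settings' );
	$lines    = preg_split( '/[\r\n]+/', $settings, -1, PREG_SPLIT_NO_EMPTY );

	// Drop any do_not_store line that is already there, then add ours.
	$lines = array_filter( $lines, function ( $line ) {
		return ! preg_match( '/^\s*do_not_store\s*:/i', $line );
	} );
	$lines[] = 'do_not_store: ' . ( $opted_in ? 'false' : 'true' );

	// Flamingo reads do_not_store from the form's Additional Settings when it
	// saves the message on wpcf7_submit, which fires after this hook.
	$contact_form->set_properties( array(
		'additional_settings' => implode( "\n", $lines ),
	) );
}
```

Newer CF7 releases may copy do_not_store into the submission metadata before wpcf7_before_send_mail runs, so confirm against the CF7 and Flamingo versions you have installed that an unticked box really does keep the message out of the Flamingo inbox.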

You may wish to use this method in conjunction with the acceptance checkbox from Option 2 or in addition to a statement linking to your privacy policy, outlining what you will do with the data once it has been submitted.

GDPR talks about using encryption as a measure to maintain security and mitigate risks. As above, the before_send_mail hook could be used to manipulate the submitted data for such a purpose — this is a further discussion point and I hope to pick this up in a later blog post.

Further Reading

These are some links to blogs and WordPress plugin developers that provide some insight into how they are approaching GDPR:


This is a brief round-up of the options that I’ve discovered so far, and I hope that the examples are useful. I’d be really interested to know how you’re approaching this subject – let me know.
