WordPress GDPR compliance with Contact Form 7 and Flamingo — what I’ve found so far…

GDPR with Contact Form 7 and Flamingo

One of the hottest topics at the moment, GDPR or General Data Protection Regulation, comes into effect on 25th May 2018 and will see changes to the way in which businesses and organisations handle and process our personal data.

WordPress and Plugins

I’ve been looking into GDPR and how this will affect the way in which we capture and store data on websites that have been built to specifically for this purpose.

Two WordPress plugins that work well together are Takayuki Miyoshi’s Contact Form 7 (CF7) (for generating custom frontend forms) and Flamingo (for storing the form submissions). Discussions around how GDPR will affect the use of these plugins has been cropping up for a few months on forums and there’s not been much in the way of information available.

I’ve so far found a few of options that hopefully go some way to ensuring GDPR compliance whilst using Contact Form 7 and Flamingo. The tutorial below talks through these methods, although I’d be really interested to know how you’re approaching this subject – let me know.

Disclaimer: this is by no means legal advice and is based entirely on my findings of this subject so far. It’s likely that many things could change regarding the law or that plugins could become updated. Please seek proper legal advice on the subject if required and remember to check for the latest WordPress updates.

Preparing for GDPR

Option 1: Email Only

The obvious option here is to not store the submissions on the server and rely on Contact Form 7 to email responses to you without using Flamingo. However, email’s known to not always be 100% reliable as there are multiple points at which an email could be blocked or at which delivery fails. If receiving form responses is critical to your project or business, this may not be the most appropriate option for you. There are additional plugins available for WordPress (which I haven’t tested yet), that help to secure email delivery, such as WP PGP Encrypted Emails.

Option 2: Contact Form 7 Acceptance Checkbox

The acceptance checkbox in CF7 has been around for a few versions now, but made it into the latest changelog for version 5. A condition of GDPR is that you must gain a user’s consent whenever gathering data. This must be their explicit consent, it must be opt-in (rather than a pre-ticked checkbox), it must be separate from any other terms and conditions and make it clear as to why we want the data and what we’re going to do with it.

The acceptance checkbox can be added to forms, showing a link to your privacy policy in the label and the user must tick the checkbox in order to submit the form. Here’s an example of the acceptance checkbox set up and how it can be used in practice.

Adding the acceptance checkbox in the Contact Form 7 settings

 

Demonstrating how the checkbox must be ticked to submit the form

 

As a note, the latest version of Flamingo, 1.8, now has a section within each inbound message where it stores the message of consent that’s been accepted. It looks as though both CF7 and Flamingo are being actively updated in preparation for GDPR, so it’s worth keeping an eye out for any further updates that will help with your GDPR compliance.

Demonstrating how Flamingo stores the acceptance checkbox

Option 3: Giving the user an option to opt-out of having their data stored

If you’re using Flamingo as your CF7 database and you’re happy to only store some form submissions, another option is to allow users to explicitly opt into having their data stored.

This can be achieved by using a default CF7 checkbox alongside the CF7 before_send_mail hook and Flamingo’s do_no_store setting.

Here’s the code that will need to be added to your WordPress theme’s functions.php, we’re using a checkbox named “opt-in”, if it’s checked we trigger the do_not_store=false setting, otherwise we run do_not_store=true and bypass Flamingo.

One thing to note is that I’m manually setting the Flamingo Subject in the CF7 settings rather than passing it through using a form field. When we hook into the additional settings, it doesn’t appear to carry this through by default, so here I’m passing through the form title again.

You may wish to use this method in conjunction with the acceptance checkbox from Option 2 or in addition to a statement linking to your privacy policy, outlining what you will do with the data once it has been submitted.

GDPR talks about using encryption as a measure to maintain security and mitigate risks. As above, the before_send_mail hook could be used to manipulate the submitted data for such a purpose — this is a further discussion point and I hope to pick this up in a later blog post.

Further Reading

These are some links to blogs and WordPress plugin developers that provide some insight into how they are approaching GDPR;

This is a brief round up of the options that I’ve discovered so far and I hope that the examples are useful. I’d be really interested to know how you’re approaching this subject, let me know.