When it comes to GDPR compliance for websites, making sure your contact forms are compliant is critical. Contact forms—essential for site-user interaction—collect personal data and must meet GDPR requirements. Here’s how to make sure they conform.
Contrary to popular belief, a privacy acceptance checkbox isn't always mandatory. If the form serves only to respond to user queries (with no marketing involved), a checkbox can be replaced with an informational sentence like:
"By submitting this form, I declare that I have read the privacy policy and authorize the Controller to respond to me as expressed in point a and b of the privacy policy."
This statement (with “privacy policy” linked) tells users that their data is processed only to fulfil their specific request. If you do not plan marketing (e.g. newsletters, SMS, WhatsApp, telemarketing) with the data collected, this solution is sufficient.

If you plan to use collected contacts for marketing, you must include an optional, not-preselected checkbox with this text:
"I give consent to receive promotional materials as stated in point c of the privacy policy."
Again, “privacy policy” should link to your full privacy statement.

For a hands-on guide to adding this checkbox, see this article.
In addition to adding the checkbox to your forms, you also need to make sure you’ve selected the option for newsletters and marketing communications in the Policy Assistant. Go to My Agile Privacy > Policy Assistant, and proceed to the Site Features step.
Here, make sure to tick the Newsletter option, which will enable point c mentioned earlier in the policies.

Important note: Once you enable the Newsletter option, a second option will appear:
“I keep data for a maximum of 24 months from the last meaningful interaction.”
But what does “last meaningful interaction” mean?
It refers to the last time a user interacted with one of your communications or a form on your site. For example, opening an email, clicking a link within an email, or submitting a contact request through a form on your site.
You must select this additional option only if the data is actually stored for a maximum of 24 months. Otherwise, do not check it and simply proceed.
It’s important to keep a record of users’ consent. Regulations do not specify a required retention method; you can save each submission in your site’s database or keep the administrator’s notification email. Alternatively, you can implement a double opt-in mechanism, which involves sending an additional verification email to the user to confirm the email address and the user’s consent.
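One way to combine the stored consent record with a double opt-in confirmation, as an added example (not My Agile Privacy code). The class name, the 48-hour link lifetime, the policy version field and the in-memory dictionary standing in for the site's database are all assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 48 * 3600  # assumption: the confirmation link is valid for 48 hours
CONSENT_TEXT = ("I give consent to receive promotional materials "
                "as stated in point c of the privacy policy.")


def _digest(token):
    # Only a hash of the token is stored, so a database leak cannot confirm consent.
    return hashlib.sha256(token.encode()).hexdigest()


class ConsentLog:
    """Hypothetical in-memory stand-in for a database table of consent records."""

    def __init__(self):
        self.records = {}  # token hash -> consent record

    def submit(self, email, marketing_checked, policy_version, now=None):
        """Log a form submission; return the token to e-mail, or None."""
        if not marketing_checked:
            return None  # checkbox is optional: nothing to record for marketing
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # unguessable, delivered only by e-mail
        self.records[_digest(token)] = {
            "email": email,
            "consent_text": CONSENT_TEXT,      # exact wording shown to the user
            "policy_version": policy_version,  # which policy text was linked
            "submitted_at": now,
            "confirmed_at": None,
        }
        return token

    def confirm(self, token, now=None):
        """Mark consent as confirmed when the e-mailed link is followed."""
        now = time.time() if now is None else now
        record = self.records.get(_digest(token))
        if record is None or record["confirmed_at"] is not None:
            return False  # unknown token, or link already used
        if now - record["submitted_at"] > TOKEN_TTL:
            return False  # expired link: treat as no consent
        record["confirmed_at"] = now
        return True

    def may_send_marketing(self, email):
        """True only when a confirmed consent record exists for this address."""
        return any(r["email"] == email and r["confirmed_at"] is not None
                   for r in self.records.values())
```
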
Another key GDPR requirement for contact forms is handling Google ReCaptcha. While useful against spam, ReCaptcha installs cookies and performs fingerprinting, so it must be blocked until consent is granted.
However, blocking ReCaptcha without notice may disable your form input unexpectedly. To avoid this, add this code near your contact form—it displays a warning if the ReCaptcha cookie isn’t accepted. The warning disappears automatically if the user consents.
<div class="map_custom_notify map_api_key_google_recaptcha showConsentAgain mapShowItem">
Warning: Your Cookie choices may not allow the form to be sent. Click here to review your preferences.
</div>
Here’s how the message will appear:

Want to show custom warning messages if cookies are not accepted? Follow the guide How to customise the My Agile Privacy cookie banner.
Following these steps ensures your contact form is both functional and GDPR compliant.