A contact form is key to any website that brings in new business - it’s how customers can inquire about your products or services, ask you questions, engage with your brand, and more. Individuals usually input some personal data into contact forms such as their name, email, phone number or address to allow you to contact them.
This provision of data may trigger the application of the General Data Protection Regulation (GDPR). If GDPR applies to you, it will place some restrictions on how you can collect, use and disclose personal data. In this article, we will discuss the requirements that GDPR places on websites that use contact forms, including:
- Obtaining consent;
- Having a compliant Privacy Policy; and
- Data subject rights.
Obtaining consent
GDPR is unique in the sense that it prohibits the collection, use and disclosure of personal data by default. However, GDPR allows for the processing of personal data if certain exceptions, otherwise called legal bases, apply. One of these legal bases is consent, or the data subject voluntarily agreeing to you collecting, using or disclosing their data. Usually, contact form submissions are processed under the consent legal basis as the individual is agreeing to giving you their data. While consent may seem like an easy requirement to meet, that is unfortunately not the case as GDPR has certain requirements for what it means for consent to be valid.
GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the individual’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data.” You may find the following tips helpful when deciding how you will obtain consent for the submission of personal data through your contact form:
- The individual must have a real choice as to whether or not to allow the processing of their personal data. Individuals should not feel compelled to consent and they should not endure negative consequences if they fail to consent;
- You must not bundle consent with Terms of Service, a contract, or the provision of a service, if consent is not necessary to perform that contract or service;
- You must obtain consent for each purpose that you will use the data for and your Privacy Policy must disclose such purposes;
- The individual must know what he or she is actually agreeing to, meaning that you must ensure that your Privacy Policy makes all of the required disclosures (discussed above);
- Since the individual has to consent via an affirmative action, you must be able to show that this affirmative action actually happened. This means that silence, inactivity or pre-checked boxes are not sufficient to show that an individual consented to the processing of their personal data. You will need to make sure that your contact form has an appropriate way to capture consent, which can include a checkbox, as long as it is not pre-checked.
If you have determined that you will use consent as the legal basis for processing personal data, you are responsible for ensuring that you meet all of the requirements outlined above and that your contact form adequately captures consent. If you fail to meet the requirements, your processing of data would be considered and lawful and you could lose access to the data or even be fined for violating GDPR.
Privacy Policy requirements
GDPR provides individuals with the right to transparency regarding the collection, use and disclosure of their personal data online. This means that your website needs to have a Privacy Policy that makes specific disclosures to meet the transparency and informed consent requirements. For consent to be informed, your Privacy Policy must make the following disclosures:
- Your identity;
- The purpose of each of the processing operations for which you seek consent;
- What personal data you will collect and use;
- The existence of the right to withdraw consent at any time;
- Whether you will use the personal data for automated decision-making. If you plan on using data for such a purpose, you will need to include additional disclosures;
- Whether you plan on transferring data to other countries or international organizations. If you do plan to transfer data, you will also need to provide information on the possible risks of data transfers to countries without an adequacy decision and of appropriate safeguards.
While the above information needs to be disclosed in your Privacy Policy to obtain informed consent, GDPR also requires your Privacy Policy to make the following disclosures to meet the transparency requirement:
- Your contact details and the contact details of your representative, where applicable;
- The contact details of your Data Protection Officer, where applicable;
- The legal basis for data processing;
- Where processing is necessary for the purposes of the legitimate interests pursued by you or by a third party, a description of those legitimate interests;
- The recipients or categories of recipients of the personal data, if any;
- The period for which you will store the personal data, or if that is not possible, the criteria used to determine that period;
- A list of the privacy rights provided to individuals under GDPR;
- Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into the contract, as well as whether the individual is obliged to provide the data and of the possible consequences of failure to provide the data.
It is imperative that the information outlined above is included in your Privacy Policy and that your Privacy Policy is easily accessible and understandable to individuals prior to them filling out your contact form.
Rights provided to individuals
GDPR protects the personal data of residents of the European Union by providing them with a set of privacy rights that give individuals more control over their data. The following is a list of privacy rights that are the most relevant to those using contact forms:
- The right to withdraw consent - if you are processing data under the legal basis of consent, individuals have the right to withdraw that consent at any time. In fact, GDPR guidance states that withdrawing consent should be as easy as giving it. If an individual withdraws his or her consent, you must stop all processing activities of their data;
- The right to access - individuals have the right to access the data that you hold about them, including data that you’ve collected via contact forms;
- The right to erasure - an individual can ask you to erase the data that you hold about them, including data that you’ve collected via contact forms.
- The right to rectification - an individual can ask you to correct any personal data that you hold about them that is incorrect.
If you have a contact form on your website, it is imperative that you obtain proper consent for the collection of that data, have a Privacy Policy that makes all of the required disclosures and respect the rights that are provided to individuals under GDPR.