GDPR Compatibility and Contact Form 7
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU).
There are three options for making Contact Form 7 GDPR compatible:
Option 1: Use Email Only
One of the easiest options is to not store submissions on the server at all and rely on Contact Form 7 to email responses to you, without using Flamingo (which stores the form submissions). However, email is known to not always be 100% reliable, as there are multiple points at which an email could be blocked or at which delivery could fail. If receiving form responses is critical to your project or business, this may not be the most appropriate option for you.
Option 2: Use Contact Form 7 Acceptance Checkbox
The acceptance checkbox in CF7 has been around for a few versions now, but made it into the latest changelog for version 5. A condition of GDPR is that you must gain a user’s consent whenever gathering data. This must be their explicit consent: it must be opt-in (rather than a pre-ticked checkbox), it must be separate from any other terms and conditions, and it must make clear why we want the data and what we’re going to do with it.
The acceptance checkbox can be added to forms, showing a link to your privacy policy in the label, and the user must tick the checkbox in order to submit the form. Here’s an example of the acceptance checkbox set up and how it can be used in practice.
[Image: Demonstrating how the checkbox must be ticked to submit the form]
As a note, the latest version of Flamingo, 1.8, now has a section within each inbound message where it stores the message of consent that’s been accepted. It looks as though both CF7 and Flamingo are being actively updated in preparation for GDPR, so it’s worth keeping an eye out for any further updates that will help with your GDPR compliance.
Option 3: Give the user an option to opt-out of having their data stored
If you’re using Flamingo as your CF7 database and you’re happy to only store some form submissions, another option is to allow users to explicitly opt into having their data stored.
This can be achieved by using a default CF7 checkbox alongside the CF7 wpcf7_before_send_mail hook and Flamingo’s do_not_store setting.
Here’s the code that will need to be added to your WordPress theme’s functions.php. We’re using a checkbox named “opt-in”: if it’s checked we set do_not_store: false, otherwise we set do_not_store: true and bypass Flamingo.
One thing to note is that I’m manually setting the Flamingo Subject in the CF7 settings rather than passing it through using a form field. When we hook into the additional settings, it doesn’t appear to carry this through by default, so here I’m passing through the form title again.
/**
 * CF7 opt-in to storing data in Flamingo
 */
add_action( 'wpcf7_before_send_mail', 'gdpr_wpcf7_submit', 10, 1 );
function gdpr_wpcf7_submit( $form ) {
    $wpcf7      = WPCF7_ContactForm::get_current();
    $submission = WPCF7_Submission::get_instance();
    if ( $wpcf7 && $submission ) {
        $posted_data = $submission->get_posted_data();
        // CF7 checkbox named opt-in; the value is missing or empty when the box is left unticked
        $optIn = ! empty( $posted_data['opt-in'][0] );
        // Note: set_properties() replaces any other additional settings configured on the form
        if ( $optIn ) {
            $formTitle = sanitize_text_field( $wpcf7->title() );
            // Double-quoted string so that \n is a real line break between the two settings
            $wpcf7->set_properties( array(
                'additional_settings' => "do_not_store: false\nflamingo_subject: \"" . $formTitle . '"',
            ) );
        } else {
            // No opt-in: tell CF7 not to store the submission, which bypasses Flamingo
            $wpcf7->set_properties( array(
                'additional_settings' => 'do_not_store: true',
            ) );
        }
    }
    return $form;
}
You may wish to use this method in conjunction with the acceptance checkbox from Option 2 or in addition to a statement linking to your privacy policy, outlining what you will do with the data once it has been submitted.
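A form template that combines the acceptance checkbox from Option 2 with the storage opt-in from Option 3, as an added example that is not from the original post. The field names other than opt-in, the label wording and the /privacy-policy/ URL are assumptions to adapt to your site.

```html
<label> Your name
    [text* your-name] </label>

<label> Your email
    [email* your-email] </label>

<label> Your message
    [textarea* your-message] </label>

<!-- Option 2: required consent. The box starts unticked (no default:on option)
     and is kept separate from every other choice on the form. -->
[acceptance consent] I agree to my details being used to respond to my enquiry, as described in the <a href="/privacy-policy/">privacy policy</a>. [/acceptance]

<!-- Option 3: optional, separate choice. The name opt-in must match the key
     read by the wpcf7_before_send_mail hook in functions.php. -->
[checkbox opt-in "Store a copy of my message on this website"]

[submit "Send"]
```

Keeping the two checkboxes separate means a visitor can consent to being contacted without also agreeing to have the message stored in Flamingo.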