Hi folks. The GDPR "required consent" checkbox is already available in release X3.25.0. I would like to mention however, after working with this plugin and studying the compliance requirements, I am even more opposed to using a "required consent" checkbox for contact forms. This "required checkbox" concept is a misinterpretation gone viral. Seems some just want to add plugins for everything because they exist.
1. The EU Isn’t Coming For You
Before anything else, let's summarize how this guide elaborately puts it:
GDPR primarily aims to regulate businesses that do a lot of data processing - and especially businesses that make their money from selling or “exploiting” the data they collect about people.
Think: data harvesting giants like Facebook or Google.
2. Where does the "required checkbox" come from?
There is absolutely no rule or mention in any GDPR regulation about requiring a checkbox in any way to require consent.
3. Why are you requiring consent just to send an email anyway?
A contact form in X3 is used strictly to SEND an email from visitor to YOU. X3 does not store anything. The website does not store anything. The server does not store anything. As long as you are not harvesting the emails into newsletters, you are not collecting data. What are you trying to require consent for? If this was required, then Gmail and Hotmail would have to include this checkbox into their online mail applications also.
4. Even if you were collecting data ...
Ok, let's pretend the form IS actually collecting names and emails for a NEWSLETTER, and not just sending an email. If you explicitly make it clear by TEXT in the form what the visitor is committing to when "signing up", that is already acceptable as "explicit consent". Again, there is no mention of "required checkbox" in GDPR regulations ... The only regulation you need to comply with is:
The “tell me what’s going to happen” right: the citizen has the right to be told what will happen with personal data before it is submitted and the data shall only be used if explicit consent is given.
5. Let's look at ALL consent conditions in layman terms:
- The “tell me what’s going to happen” right: the citizen has the right to be told what will happen with personal data before it is submitted and the data shall only be used if explicit consent is given.
- The “show me my data” right: the citizen has the right to know what data is being collected about them, why it’s being collected and how it’s being used.
- The “I want to change that” right: the citizen has the right to have data modified or updated.
- The “forget about me” right: the citizen has the right to have their private data removed completely.
It is safe to say that #2, #3 and #4 do not apply when a visitor is sending an email in a contact form. Even if they did, it would not be difficult for you to satisfy those requirements on request. If you are paranoid, you could for example write "We do not store your email in any way, and it is only used to reply to your request".
6. It's really dumb
Considering the above, and that there is no mention of such "required checkbox" for contact forms, this is a really dumb solution. If the visitor fills in email, name, writes a message, and clicks "SEND", then of course they want to send the email to you, and will expect a reply. What kinda logic would have it that they would fill the contact form, send, but refuse to allow you to reply? This is just another negative factor for the visitor's user experience.
Also, there is another twist:
Under GDPR, you are not allowed to disadvantage anyone because they don’t provide consent. That means in a form like this one, you can’t make the checkbox required.
Ok, so what should I do?
- Nothing, unless you are categorically storing the user's data for a specific reason.
- If you are paranoid, you could write something like "We only use your data to reply to emails, and do not store emails for marketing or any other specific purpose".
- Are you adding incoming emails into a newsletter or spamming emails with marketing? Then, YES you would have to make this clear up front, possibly by using checkboxes.
- Don't worry. The EU is not out to get you. Even if they were, you would simply need to prove the FOUR POINTS noted in #5 above.