GDPR Compliant Form Builder for WordPress

General Data Protection Regulation (GDPR) is everywhere these days. For a lot of WordPress folks, that topic came at a bad time. Getting your WordPress form GDPR compliant is just the very first step.


Disclaimer: I’m not a lawyer and the following recommendations are based on my own experience. In this text, I can’t cover every topic and I can’t give you legal consulting. That said, we recommend getting professional support on all GDPR topics.

Since the beginning of BuddyForms, our goal has been to build tools that let you own your own data. With the rise of social media platforms and data-driven business models, we need to ask ourselves whether we are still in control of our data.

Sure, we are kind of aware that Facebook & co. are making money with our personal data and can therefore provide their service for free. The following quote best describes what is happening now:


“GDPR is long-term good for the internet and it’s helping fuel a much needed global conversation around data privacy.”

Quote from Siraj Raval


This article doesn’t only cover our new updates about data privacy as a form builder. We’ll also talk about the ambitions of other big form builders and the steps they are taking, like:

  • WPForms
  • GravityForms
  • Ninja Forms
  • Formidable and lastly
  • BuddyForms

I believe that we need to be aware of which tool uses which data. In GDPR terms these are called sub-processors, but sorry! I’m getting ahead of myself ;-).

What you can expect from this article

If you are in a rush and want to jump to the topic you are interested in, here is a shortcut for you:

  1. What does GDPR mean for website admin and users?
  2. What are form builders doing for you to become GDPR compliant
  3. What is BuddyForms doing for you to become GDPR Compliant? (incl. 🎥 Video)

The GDPR requirements are active from the 25.05. Even so, most website owners are still working on becoming compliant. Before we jump into the best practices of some form builders, let us clarify what GDPR actually means for website admins and users.

“It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.”


For website users, that means they have many more rights to their personal data. The requirements of the GDPR are best described in the following video:

GDPR regulations as a Tech Company

From the video you’ve just watched, we’ve extracted the most interesting regulations for you. As a website admin, you should consider the following:

  • Consent – To obtain consent for data use, users need to have easy access to the terms and conditions. Furthermore, it must be as easy to withdraw consent as it is to give it.
  • Breach Notification – In the event of a data breach, data processors have to notify their controllers and customers of any risk within 72 hours.
  • Right to Access – Data subjects have the right to obtain confirmation from the data controller of whether their personal data are being processed.
  • Right to be forgotten – When data is no longer relevant to its original purpose, data subjects can have the data controller erase their personal data.
  • Data Portability – Allows individuals to obtain and reuse their personal data for their own purposes by transferring it to different IT environments.
  • Privacy by Design – Calls for the inclusion of data protection from the onset of designing systems, implementing appropriate technical and infrastructural measures.
  • Data Protection Officers – Professionally qualified officers must be appointed in organizations that engage in large scale.

Phew, this is quite a lot, you might think. You might find yourself in the following situation:


Don’t get frustrated. A lot of form builders are working to make life easy for you. That said, the times of blindly collecting user data (as a required field) are already over. You should think in a sustainable way about the data you want to collect.

What are form builders doing to become GDPR compliant

Other form builders have been working on the GDPR requirements for quite a while. Let me introduce you to the most important ones and how they are taking action.


WPForms did a really good job. Within the backend, they make it super clear how to become GDPR compliant. For example, they offer:

  1. Consent Checkbox – A GDPR Agreement form element
  2. A really easy way to disable User Details – For example IP addresses and user agents; IP storing can be disabled with a single click
  3. Preparation for Entry Data Requests – Data handling is easy as well. You can bulk select and delete entries right from the dashboard


In the WPForms support area you’ll find all the information about how to create GDPR compliant forms.

Gravity Forms GDPR

Gravity Forms has the most 3rd party apps that data can be shared with. They have a pretty detailed documentation article on that. With 3rd party plugins, you can make Gravity Forms seamlessly GDPR compliant. Keep in mind that it all depends on your tracking structure. The biggest drawback is that you need to make changes in your code in order to not track the IP address. That’s probably a big barrier for some people:

Gravity Forms IP filter PHP Code

NinjaForms GDPR

NinjaForms is another big player in the form builder game. It has over 1 million active installs (according to the WordPress repository stats). They have a pretty long article on the GDPR updates and the good news is: users don’t need to install a new plugin.

In fact, you can see that they really put a lot of thought into their product. In this article, they describe a lot of good reasons to implement GDPR compliant forms and how to think in a different, more data-sustainable way. My favorite quote from this article is the following:


“For the GDPR, the biggest thing we have to change isn’t our website or our plugin… it’s how we think about and treat personal data.”
Quote from NinjaForms


With the new WordPress update, NinjaForms also made use of the Data Handling settings. Users can access those settings for data entries right inside the dashboard.

NinjaForms GDPR Compliant Settings


What is BuddyForms doing to become GDPR Compliant?

Since data protection was already quite a big thing for us (most of the team lives within the EU), we’ve covered data privacy from the beginning. All post or user data is stored with your WordPress host. That means you were always in control of your users’ data.

Anyway, we used the time to take a leap forward and made several updates:

  1. New GDPR Form Element – It’ll be easy to integrate a new GDPR compliance checkbox in any form. You’re able to include any HTML text inside the description. That makes it super easy to get a straightforward consent of your users.
  2. New Settings – We’ve changed the logic so that sensitive user data like IP address, location or browser information is not stored by default. You’re still able to collect this data, but you need to enable it for each form in BuddyForms. By default, we only store the form elements you have added to your form.
  3. New WordPress Integration – We’re deeply integrated with the new WordPress core. With the WordPress 4.9.6 update, a major Privacy and Maintenance Release has been pushed in order to fulfill the GDPR regulations. In particular, data handling gets way easier. Admins can now export or erase data, which gives your users the right to data access, the right to be forgotten and data portability. Any data submitted to your BuddyForms will be covered by the default WordPress data handling settings:
    • Personal Data Exporter
    • Personal Data Eraser
  4. New Shortcode – The list doesn’t end here. We’ve added a new shortcode to delete a user’s account and all of their data. This is a deep integration (hook) with the “Personal Data Eraser” feature. That means your users are 100% in control of their data.
  5. Frontend User Control – BuddyForms users can already edit and also delete submissions if the form is set up this way. If you provide a user dashboard or login, you’ll be able to give users access to their data. This was already possible, but I think it was worth mentioning here.
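
How a form plugin can plug into the core “Personal Data Eraser” mentioned in item 3, as an added example that is not BuddyForms’ own code. The post type `example_submission` and the meta key `example_submitter_email` are assumptions about where a hypothetical plugin keeps its submissions; the filter name and the returned keys are the WordPress core privacy API.

```php
<?php
// Added example. Assumptions: a hypothetical plugin stores each submission as a
// post of type 'example_submission' with the submitter's e-mail address in the
// post meta key 'example_submitter_email'. Neither name is BuddyForms' own.

// Register with the core eraser list (filter available since WordPress 4.9.6).
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
	$erasers['example-form-submissions'] = array(
		'eraser_friendly_name' => 'Example form submissions',
		'callback'             => 'example_erase_submissions',
	);
	return $erasers;
} );

// Core calls this repeatedly, incrementing $page, until 'done' is true.
function example_erase_submissions( $email_address, $page = 1 ) {
	$batch = 50;
	// Always fetch the first batch: deleted posts leave the result set, so
	// offsetting by $page would skip entries.
	$ids = get_posts( array(
		'post_type'      => 'example_submission',
		'post_status'    => array( 'any', 'trash' ), // trashed entries still hold personal data
		'posts_per_page' => $batch,
		'fields'         => 'ids',
		'meta_key'       => 'example_submitter_email',
		'meta_value'     => $email_address,
	) );

	$removed  = false;
	$messages = array();
	foreach ( $ids as $id ) {
		if ( wp_delete_post( $id, true ) ) { // true: delete permanently, skip the trash
			$removed = true;
		} else {
			$messages[] = sprintf( 'Submission %d could not be erased.', $id );
		}
	}

	return array(
		'items_removed'  => $removed,
		'items_retained' => ! empty( $messages ),
		'messages'       => $messages,
		// Stop on a short batch, or when nothing could be deleted (avoids an endless loop).
		'done'           => count( $ids ) < $batch || ! $removed,
	);
}
```

Once registered, the eraser runs whenever an admin processes a request under Tools → Erase Personal Data, and any entry that could not be removed is reported back in the request log.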

To summarize, BuddyForms was always concerned about data protection. We don’t share any data with 3rd party plugins. Everything is stored with your WordPress host. Therefore you should consider checking how aware your provider is of this topic.

Secure WordPress Hosting

If you are still struggling, here are some WordPress hosts we can blindly recommend:

  • WP Engine (commission link) – WP Engine provides managed WordPress hosting for mission-critical sites around the world. They have amazing support, work on an enterprise-class level and are fully optimized for WordPress. Most of our projects are hosted on WP Engine. They are fully GDPR compliant and you can get a Data Processing Addendum right from your dashboard.
  • Siteground (commission link) – This web hosting service is crafted for top speed, unmatched security, and expert support. They are located in the EU (Bulgaria), which means they will fully pay attention to what’s going on with GDPR. Hence, they provide full GDPR compliance already. Read more on their blog post.
  • Flywheel (commission link) – Flywheel is also a managed WordPress hosting platform. They focus more on designers and creative agencies. Still, they have also built in high standards to become GDPR compliant. Read their article on GDPR here (they are still in the process).

You see, getting a GDPR compliant form builder is not that hard. With the right hosting solution, you will be in a pretty safe place.

How is your GDPR process going? Let me know where you stand with your projects in the comments. And until next time ✌🏼

Thanks for reading ❤️


NOTE: In this article we have used commission links – also called affiliate links – and marked them with “(commission link)”. If an order is placed via these links, Themekraft receives a commission from the seller; no additional costs arise for the customer.
