GDPR and GravityView

What you need to know about GDPR relating to Gravity Forms and GravityView

Written by Kiefer Szurszewski

Categories How-To

Tags ,

GDPR

Note: This post does not constitute legal advice.

What is the GDPR?

The General Data Protection Regulation (GDPR) is a European Union regulation designed to protect private Personally Identifiable Information (PII) for all European Union citizens. In short, it is designed to protect users from unauthorized data collection from the websites they use. To do this, the GDPR requires that users give explicit consent to having their data collected.

The GDPR affects all companies that have users from the European Union, not only companies based in the E.U. If you have an online business or website, chances are that you will be affected by GDPR. Companies must be compliant by May 25, 2018.

You can read more about the specifics of the GDPR on the official website.

What is Personally Identifiable Information (PII)?

Personally Identifiable Information is any information that can be used to identify a specific individual. This includes (but is not limited to):

  • Name
  • Address
  • ID Numbers
  • Web data such as:
    • Location
    • IP Address
    • Cookie data
    • RFID data
  • Biometric data
  • Racial, ethnic, or other demographic information
  • Political views and opinions
  • Sexual orientation and gender identity

Gravity Forms and Personally Identifiable Information

Any Gravity Forms field can potentially be used to gather the information listed above. Some information that can be considered sensitive and personally-identifiable (i.e. can tie the entry to a specific person) is gathered implicitly:

  • gf_entry.ip – A person’s IP address
  • gf_entry.user_agent – The type of browser being used
  • gf_entry.transaction_id – If making a purchase with the form, this is the payment ID connected to the payment processor
  • gf_entry.created_by – The WordPress user ID of the person

As such, if you are using Gravity Forms, you should be sure to make your website compliant!

GDPR and WordPress

The WordPress community is hard at work on some tools that help WordPress users get GDPR-compliant:

How to Be GDPR Compliant with Gravity Forms

First, give this guide on the Gravity Forms site a read. In short, Gravity Forms recommends adding a required checkbox to any forms that need to be GDPR-compliant. This checkbox should make it absolutely clear that the user’s data is being collected.

The easiest way to comply would be to add a required checkbox to any forms that need to be compliant. Adding a simple checkbox field that states something along the lines of “I consent to my submitted data being collected and stored” will usually do the trick.
Be sure to make it a required field, and the first part is done. This way, you’ll know that every submission is compliant because without providing consent, the submission would not complete.

As noted in the article, it’s very important to make this checkbox a required field. If your field is not required, any submitted entries that have not consented to data collection can be considered violations of GDPR.

User Data Requests and GravityView

Another part of GDPR-compliance requires that users are able to request and receive all of their personal information.

While the regulation merely requires that businesses provide the data “within a month”, we recommend simply setting up a View in GravityView that allows logged-in users to view, edit and delete the data themselves.

To do this, you’ll want to limit search results to only show entries submitted by the currently-logged-in user. Read this Knowledge Base article for instructions on setting this up.

Other Questions?

If your usage of user data is unique or doesn’t fall under the cases mentioned above, we recommend contacting a lawyer directly.