Featured Add-Ons -

Web Forms: What to Include in a Privacy Policy

the Gravity Forms community By the Gravity Forms community Published November 8, 2023

What to include in your Privacy Policy when using forms on your website

Written by the Editorial team at Termageddon…

Forms are a crucial part of most modern websites. They allow you to learn more about your website visitors’ interests, get valuable leads, and offer better support and services to your customers. This is because forms are great at collecting information from users interested in your services, subscribing to your newsletters, registering an account, or even placing an order right through your website.

In fact, they’re so good at collecting this information, that lawmakers around the globe are starting to take action to ensure businesses are transparent about why and how they’re collecting this information.

Many privacy laws refer to the information often collected by forms as Personally Identifiable Information (PII). Things like names, email addresses, physical addresses, phone numbers, and IP addresses are all forms of PII, and privacy laws across the globe are designed to govern the collection, use, and sharing of PII. If you’re collecting personal information through your website via a contact form, this article will help you understand the privacy implications and some legal requirements you may now have due to these regulations.

Considering one of the primary goals of privacy laws is to protect people’s PII, it’s important for website owners that use forms to learn which privacy laws apply to them, ensure their website policies have all the correct disclosures required by those laws, and then keep their policies up-to-date as privacy laws change. Otherwise, they could face fines or lawsuits for not complying with these laws.

And we’re not talking about small fines, either. Fines for privacy law non-compliance start at $2,500 per website visitor whose rights you’ve infringed upon. So, it’s important that website owners take privacy seriously – not just to avoid fines, but also to respect their website visitors’ personal information.

This article is intended to be informational, but should not be considered legal advice. Contact your attorney and ask them what you specifically need for legal compliance as it relates to your wesite.

Note: Termageddon is a third-party community solution. Gravity Forms does not offer support for this platform, nor is this article intended to be a Gravity Forms endorsement of this platform, its developers, or quality of support. As always, we recommend you extensively evaluate all plugins to ensure their suitability for your purpose.

What to include in your Privacy Policy when using forms

A Privacy Policy is a statement regarding what information your website collects, what you do with that information, and a description of your privacy practices. Every website is different and therefore every Privacy Policy needs to be unique to each business.

Even close competitors can have very different Privacy Policies depending on how they collect, use, and share the information they collect and based on what laws apply to them. The days of copying and pasting another company’s legal privacy practices have come to an end; website owners need to embrace privacy regulations to not only avoid potential non-compliance fines or lawsuits, but to also ensure they’re respecting the privacy rights of their website visitors.

That being said, most privacy laws require your Privacy Policy to address the following questions in some fashion – especially if you’ve got forms collecting people’s information..

What information are you collecting?

Be upfront and honest about what information you’re collecting. There’s nothing wrong with collecting people’s information (especially when they are submitting it themselves), but it’s important to be transparent about this data collection. Here are some examples of common website forms and the PII they usually collect:

Contact forms:

Contact forms typically ask people to submit their name and email. They may also collect additional pieces of personal information like people’s phone numbers, their interests, their address, or other details you need to help service them. Behind the scenes, your form may collect IP address for security purposes as well.

Payment forms:

Forms where people submit payment may collect names, emails, phone numbers, credit card information and more. Additionally, for security purposes, IP addresses may be collected behind the scenes when a user submits a payment.

Subscription forms:
Subscription forms allow users to sign up to your email newsletters or to receive special offers. Typically these forms collect names and email addresses, but also IP Address may be collected behind the scenes for security purposes.

What is the source of this information?

This may seem like an easy question to address at first. For PII typed out and submitted through forms, the answer is that this is ‘information submitted by the consumer’, right?

For things like names and emails, yes, website owners get this information when it is typed out and submitted by the user, however behind the scenes, forms often collect IP Address and potentially additional data, for both analytics and security purposes. Unlike ‘names’ and ‘email addresses’, which are collected by users submitting their data, PII such as “IP Address” are collected behind the scenes through the use of cookies.

Why are you collecting information?

Most website users not only have the right to see what PII is being collected and how but also why.

Are you collecting their PII to offer them a service like a newsletter or product? Do you need it to contact them as they requested? Is their PII being collected for marketing purposes? Maybe their PII is being collected for the sole reason to turn around and sell it. Whatever the reason, it needs to be addressed within a website’s Privacy Policy.

Are you sharing the information? If so, with whom?

Many website owners ignore this part because they think it doesn’t apply to them. That’s because ‘sharing’ data is often confused with ‘selling’ data. Unlike selling data, sharing data is very common with websites using forms.

Some examples:

Contact forms, when submitted, typically trigger an email that gets sent to the website owner’s email inbox, which means the website owner is ‘sharing’ data with their ‘email service provider’, whether that be Gmail, G-suite, Outlook, Microsoft 365 or any other third party email system.

Newsletter subscription forms might share a person’s email address (a type of PII) to a third-party Email Marketing Service like Constant Contact, ActiveCampaign, or Mailchimp.

Third party security tools, such as reCaptcha, also collect PII (like IP address), for security purposes and to try and prevent spammers from bulk submitting spam. This is a good example where you are sharing PII with Security and Fraud Prevention Tools.

Using analytics tools to track user behavior means you’re also sharing their data with Data Analytics Providers. If you have a Facebook pixel fire on a confirmation page after a user submits data, you may be sharing that data with Facebook (aka Social Networks for Advertising Purposes).

Third-party Payment Processing Tools like Stripe or PayPal will require you to share data with them as well, making it another disclosure as well.

It’s actually quite difficult to run a business online without sharing at least some data with other parties. This isn’t a bad thing, as this oftentimes allows your website users to have a better, more convenient experience. It’s just important to let them know that their data may be shared with these other parties which you should address within your Privacy Policy

What’s your legal basis for processing the PII you’ve collected?

Privacy laws like GDPR and the UK Data Protection Act explicitly prohibit the processing of personal data – meaning you can’t collect, process, or share PII unless you first establish a legal basis for doing so. There are several ways to do this, but one of the more common ways is through gathering consent.

Processing of personal data is allowed when the data subject has given consent to such processing for one or more specific purposes. Consent must be given by a clear and affirmative action and must be freely given, specific, and unambiguous. For forms on websites, checkboxes are commonly used. However, pre-ticked checkboxes cannot be used to establish consent.

Gaining consent under laws like GDPR has ties to your Privacy Policy as well. Any declaration of consent should be provided in an intelligible and easily accessible form, using plain and clear language that does not contain any unfair terms. Your Privacy Policy plays a large part in the “informed” portion of consent as for consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the data is intended. If you do not provide these disclosures, then a user of your website cannot properly provide consent, making your processing of their data unlawful.

The best way to get consent is to have a checkbox on your contact form, which states “I agree to the Privacy Policy”, with the Privacy Policy being hyperlinked to your respective Privacy Policy page. The checkbox should be unchecked by default and have it set as a required field. That way, you are only getting people’s data if they agree to your Privacy Policy prior to submitting their data.

How can I ensure my Privacy Policy has all this, as needed?

If creating a compliant Privacy Policy and keeping it updated over time with changing laws sounds like a total pain in the rear, it’s because… it is. Or at least it can be.

For a website owner to do this themselves, it would require they sit down, figure out what privacy laws apply to them based on their website/business, find out what specific disclosures each of those privacy laws require, write them all out, and then regularly do this all over again as privacy laws change or are added.

Yeah, no thanks.

The best option for website owners is actually to get a privacy attorney to draft and manage a Privacy Policy for them. Attorneys can offer legal advice – something a Privacy Policy Generator cannot do. The International Association of Privacy Professionals, iapp.org, provides resources on how to locate a privacy attorney in your area. When connecting with an attorney, ask them what their process is for not only drafting a Privacy Policy but keeping it up to date over time. You’ll want to do this to ensure the attorney understands the ever-changing nature of privacy laws and that continual updates need to be applied over time.

That being said, it’s no surprise to any business owner that attorneys can get expensive. That’s why Privacy Policy Generators like Termageddon exist. Termageddon is a Privacy Policy Generator that helps you generate comprehensive policies that help you comply with today’s privacy laws, and then they notify you when new laws go into effect, if any new questions need to be answered, and can even push automatic updates to your policy pages whenever privacy laws change or new ones go into effect. Website policy generators tend to be a far more affordable option, however, they are not legal service providers.

With an attorney, you get legal advice but it’s a lot more expensive. With a policy generator, you get comprehensive policies, and a good generator will auto-update your policies over time. Whichever route you go, do your research and ensure you’re selecting a top notch provider to help you address your legal needs.

In Conclusion

If you’re utilizing forms on your website and enjoying all the benefits they have to offer, that’s great!

Just remember that forms are helpful because they’re really good at collecting information and that this information belongs to the website visitor. Acknowledging this on your website with a compliant Privacy Policy will not only help you stay compliant and protected from potential fines and lawsuits, but it also helps you gain the trust of your website visitors.

What you should provide in your Privacy Policy:

This is privacy law dependent. So you first need to find the laws that apply to you. From there you may be required to provide:

  1. All personally identifiable information (PII) your website collects through forms. Don’t forget things like IP addresses get collected behind the scenes.
  2. Sources. For forms, this is usually ‘information submitted by the consumer’, but remember that information like IP address may be collected behind the scenes as well.
  3. Who you share the information with. It is common for data to be shared after a form is submitted! Acknowledge you share information with ‘email service providers’ (like Gmail, GSuite, Outlook, etc) or ‘email marketing providers’ (like MailChimp, Constant Contact, etc) or any other third-party companies that are applicable to your business operations.
  4. Legal basis. Offer an “I agree to the Privacy Policy” checkbox, where Privacy Policy is hyperlinked to your Privacy Policy page. Make it unchecked by default, and a required field. This helps ensure you are receiving clear consent from the user prior to you collecting/processing their data.

Drafting a compliant Privacy Policy and keeping it up to date with changing legislation can be a lot of work. Consider contacting a privacy attorney (iapp is a great resource) or using an auto-updating Privacy Policy generator to help you get compliant and remain compliant! Your website visitors will appreciate your respect for their privacy rights!

Learn more about Termageddon.