GDPR Compliance

Configure your forms for the EU General Data Protection Regulation.

What is the GDPR?

The General Data Protection Regulation (GDPR) is the EU's data protection law, in effect since May 2018. It applies to any organization that collects personal data from people located in the EU or EEA — regardless of where the organization itself is based. A web form that collects a name, email address, or IP address from an EU visitor falls under the GDPR.

Why consent matters under the GDPR

The GDPR requires a lawful basis for processing personal data (Article 6). For most web forms, the two practical bases are:

For most FormBlade users, adding a consent checkbox is the simplest and safest approach. It gives you a clear, auditable record that the person agreed to their data being collected.

What the GDPR preset configures

When you select the GDPR preset in FormBlade, the following settings are applied:

| Setting | Value | Why |
| --- | --- | --- |
| Consent checkbox | Required | Article 6(1)(a) requires clear, affirmative consent before processing personal data. |
| Consent message | "I agree to the processing of my personal data. See our privacy policy for details." | Article 7 requires consent to be specific and informed. The message links to your privacy policy if you provide a URL. |
| IP anonymization | Enabled | IP addresses are personal data under the GDPR (Recital 30). Anonymizing them reduces your data processing scope. |
| Data retention | 365 days | Article 5(1)(e) requires data to be kept only as long as necessary. One year is a reasonable default for most contact form use cases. |
| User-agent storage | Disabled | Browser fingerprint data can be considered personal data. Disabling it minimizes the data you collect. |

Tip: You can adjust these settings after applying the preset. For example, if you need a longer retention period for contractual purposes, increase the retention days on the individual form.

Step 1: Apply the GDPR preset

You can apply the preset at the account level (affects all new forms) or per form:

Account level

  1. Go to Account Settings in the sidebar.
  2. Scroll to Compliance.
  3. Select GDPR (EU) from the dropdown.
  4. Click Save.

All new forms will inherit these settings. Existing forms are not changed.

Per form

  1. Open the form in your dashboard.
  2. Go to Settings → Compliance.
  3. Toggle Override account defaults.
  4. Select GDPR (EU).
  5. Click Save.

Step 2: Add a privacy policy URL

GDPR Article 13 requires you to inform users about how their data will be processed at the time of collection. The best way to do this is to link your privacy policy from the consent checkbox.

  1. In the form's Settings tab, find the Privacy policy URL field.
  2. Enter the full URL to your privacy policy page (e.g., https://yoursite.com/privacy).
  3. Click Save.

On hosted forms, the consent checkbox will display: "I agree to the processing of my personal data. See our privacy policy for details. Privacy Policy" — where the last part is a clickable link to your URL.

Step 3: Add consent to custom HTML forms

If you use a hosted form (/f/contact), the consent checkbox is added automatically. If you embed a custom HTML form, add the checkbox yourself:

<label>
  <input type="checkbox" name="_fb_consent" value="true" required>
  I agree to the processing of my personal data.
  <a href="https://yoursite.com/privacy">Privacy Policy</a>
</label>

The field name must be _fb_consent. FormBlade validates this field server-side and rejects submissions where it is missing or falsy (false, 0, off) with a 422 response.

The required HTML attribute adds client-side validation so users see a browser-native prompt before submitting.

What the user sees

On a hosted form, the consent checkbox appears as the last field before the submit button. The label includes your custom message (or the GDPR default) and an optional link to your privacy policy. The checkbox must be checked before the form can be submitted.

If a submission arrives without consent (e.g., from a bot or a manually crafted request), FormBlade returns an error page explaining that consent is required, with a link to your privacy policy and a back button.

GDPR-specific considerations

Right to erasure (Article 17)

Data subjects have the right to request deletion of their personal data. FormBlade's data retention setting handles automatic deletion, but you should also be prepared to delete individual submissions on request. You can do this from the submissions table in the dashboard.

Right to access (Article 15)

Data subjects can request a copy of all personal data you hold about them. You can export individual submissions or all submissions from a form as CSV from the dashboard.

Data processing agreement

Under Article 28, you need a Data Processing Agreement (DPA) with any processor handling personal data on your behalf. FormBlade acts as a data processor when storing form submissions. Contact us if you need a signed DPA.

Consent is not stored

FormBlade validates the consent checkbox at submission time but does not store the consent value in the submission data. The _fb_consent field is stripped before storage. If your GDPR compliance process requires proof of consent (Article 7(1)), implement a separate consent log on your side that records when and how consent was given.
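A minimal consent log of the kind this section recommends, as an added example (not FormBlade code or a FormBlade feature). It goes a step beyond the text by hash-chaining records so later edits are detectable and by storing a keyed hash of the email rather than the address itself. The function names, record fields, key handling and the treatment of an empty value as falsy are assumptions.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

FALSY = {"", "false", "0", "off"}  # values the page lists as falsy; "" is an assumption
GENESIS = "0" * 64                 # prev_hash of the first record


def _digest(entry: dict) -> str:
    """Hash the canonical JSON form of an entry, excluding its own hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def record_consent(log, key, form_id, email, consent_value, wording, policy_url, now=None):
    """Append one consent record and return it, or return None if consent was not given."""
    if consent_value is None or str(consent_value).strip().lower() in FALSY:
        return None
    entry = {
        "given_at": (now or datetime.now(timezone.utc)).isoformat(),  # when
        "form_id": form_id,
        # Keyed hash, so the log does not hold another copy of the address.
        "subject": hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest(),
        "method": "checkbox:_fb_consent",                              # how
        "wording_sha256": hashlib.sha256(wording.encode()).hexdigest(),  # what was shown
        "policy_url": policy_url,
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = _digest(entry)
    log.append(entry)
    return entry


def verify_chain(log) -> bool:
    """True only if no record was edited, reordered, or removed from the middle."""
    prev = GENESIS
    for entry in log:
        if entry["prev_hash"] != prev or entry["entry_hash"] != _digest(entry):
            return False
        prev = entry["entry_hash"]
    return True


if __name__ == "__main__":
    log = []  # constructed sample submission, not real data
    record_consent(log, b"demo-key", "contact", "Ana@example.com", "true",
                   "I agree to the processing of my personal data.", "https://yoursite.com/privacy")
    print(json.dumps(log, indent=2), verify_chain(log))
```

Keep the HMAC key separate from the log store, since anyone holding both can test candidate email addresses against the `subject` field.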

Note: FormBlade (ZNX Ltd) is an EU-based company. Your data is processed on EU infrastructure. This simplifies GDPR compliance because there are no international data transfers to assess under Chapter V.