Many websites offer a contact form to make it easier for visitors to communicate or to receive messages in a more structured and targeted manner. How much information is mandatory? Should the user be asked to confirm the data protection information? These and other questions are answered in this article to ensure legal certainty when using contact forms.
Introduction
Contact forms regularly provide conversation topics because data protection issues arise from them. In reality, it's quite simple to offer a contact form, or even several, if a few basic rules are followed.
As with any kind of data processing, there are also small risks associated with contact forms, which can be minimized. Ultimately, the risk is manageable and not higher than in communication via an email address offered on the website.
Contact forms offer better opportunities to avoid spam than pure e-mail communication. However, anyone using Google reCAPTCHA here is in a bad legal position.
The following recommendations help quickly create secure contact forms and know the legal questions. By the way, this is not about newsletter forms, for which your own rules apply. Most of the mentioned hints are also transferable to forms with which interested parties can subscribe to your information in your newsletter.
Recommendations for contact forms
Each individual recommendation provides more legal security when taken into account. At the end you have a website with as many forms as needed. The data protection rules prescribed by the GDPR are complied with.
As always in legal matters, there is no absolutely correct procedure, only an increase in legal certainty. Even if you do everything right (whoever decides that), someone can still send you a warning or sue you. In that case, though, it is your opponent who is left holding the bag and bearing the costs.
The general contact form
One form for everything is possible and permitted. However, you should only use this central point of contact as a first point of contact. This form should not mutate into a one-size-fits-all tool in which all the data in the world is requested. Here is my recommendation for the information that should be requested in a collective form:
- Message: That's what the contact form is for.
- Mail address: This is the only way you can reply.
- Name or pseudonym: Often you do not need the real name of a person. But often the name is also important to know. Use common sense to decide whether you need the real name or not. On my website, for example, I don't need the real names of people who send me feedback on my posts by e-mail and don't use the comment function. Of course, I can also write a reply to Hasemaus47 if I feel like it (whether I reply is up to me if there is no obligation; I always reply if the letter is serious and deserves a reply).
- Telephone number: Only if useful and often needed. Mark as optional if necessary.
I would not ask for more data in a general form. It depends on the focus of your website or activity whether you need other general information. However, most companies will be able to live very well with the above. Medical practices, daycare centers or car repair shops may also need a person's telephone number.
Required fields and optional fields
For every piece of information you ask for in the form, consider whether it is actually necessary. The message text and the e-mail address of the writer are obviously always necessary, so that the person can be reached for a reply.
The name of the person writing is often not important. Even for general newsletters that are not sent to your customers, the name of the subscriber does not need to be known. See my newsletter: for the subscription I only ask for the e-mail address. Nothing else is of interest to me. If someone wants to tell me something, they write to me by e-mail. That e-mail often mentions the name of the person who wants to tell me something, and it does so because the person mentions their name voluntarily.
The more specific a contact form is, the more information can be marked as mandatory. In each individual case, check which information you would like to have and which you consider absolutely necessary. In some cases, certain information may be very desirable for you. For example, the operator of a kindergarten told me that they need the telephone number because almost every inquiry is about a kindergarten place and follow-up questions are therefore necessary. In such cases, check how often you need the relevant information and make it a mandatory field if necessary.
The purpose of your form
Ask yourself the following question: Why do you need a form? Define the purpose or purposes. If you have only identified one purpose, then you obviously only need one form (or none).
Purposes for forms can be, for example:
- General contact: You don't know in advance why someone would write to you. After all, you offer goods or services or provide information. The contact will therefore probably ask you a question about your product or about your explanations. Or the person writing would like to make a criticism, whatever it may be.
- Making appointments: This is often the case with doctors or car dealerships.
- Callback request: Would you prefer to call and not send emails back and forth? Then offer this option and ask the interested party for their telephone number and a suitable time slot for a callback.
- Praise and criticism.
- Making contact in the customer area: Someone is a customer of yours and has logged into their customer account. With insurance companies, customers can place orders, request forms or give notice of termination, for example.
- Comment on an article. See below this article or on journalistic sites where readers can give their feedback.
If you have identified several purposes for which you would like to offer a form, then check which information is required in the form for each purpose. Purposes that have a lot of similarities in the required data and are also thematically close can be bundled together in one form.
Everything else belongs in different forms, unless you decide to offer a general contact form.
Provide information on data protection
Briefly state what you will use the requested information for. Then link to your website's privacy policy. It can look something like this and be placed below the form fields and above the submit button:
We use your information to answer your request. Further information can be found in our Data Protection Guidelines.
Make sure the link is set up so that it opens in a new window. Nothing is more annoying than having a form submission lost because you want to take a quick look at the privacy policy. If you want to make it really comfortable, use an HTML anchor. This way you can set up the link so that it directly calls up the passage for contact forms in your privacy policy. Here's how:
Define anchors in your privacy policy:
In WordPress, the anchor can be defined by positioning the cursor in the editor on the desired text and clicking on "Advanced" in the right-hand area:

Use an anchor in your link:
<a href="https://dr-dsgvo.de/datenschutz/#formular">Data protection information for contact forms</a>
Write the hash sign (#) in front of the anchor name so that the link works correctly.
This is what the link looks like. If you click on it, the reading pane jumps directly to where the form details are located:
Data protection information for contact forms
Since there are no forms on my page except for the newsletter, I have placed the anchor "formular" in the section on newsletters as a demonstration. Tip from practice: set the anchor a few lines higher than where it actually belongs. Depending on the browser, the text may otherwise be displayed too far up and cut off.
As you can see, I have made my data protection guidelines more accessible, so that they are barrier-free. Maybe you should think about that too? You can learn how this works from the article linked above.
Data protection texts:
Explain "simply" what is happening. For example, like this:
Contact forms
If you send us inquiries via the contact form, the details you provide in the inquiry form, including the contact details given there, will be stored and processed by us in order to process the inquiry and in case of follow-up questions. Your data will be used exclusively for the purpose of answering and processing your question. The data processing takes place on the basis of a legitimate interest according to Art. 6 Sec. 1 lit. f GDPR.
In the event of fraud detection or to detect misuse, for example to uncover hacker attacks, we reserve the right to store your network data for a short period of time and only for this purpose, not exceeding 30 days, unless a longer retention period is justified.
Sample data protection text for contact forms.
Important: Only information, not confirmation
Now comes almost the most important thing: merely inform visitors of the aforementioned data protection notices. Do not ask for confirmation or consent. You must not have anyone confirm that they have read your data protection notices. Whether a visitor to your website reads them or not is their business, and it should not be prescribed by you. A data protection statement is not a contract. See e.g. the judgment of the KG Berlin (27.12.2018 – 23 U 196/13).
It is your legitimate interest (Art. 6 Sec. 1 lit. f GDPR) to use the information of the person who writes to you in order to answer or process the request. Elsewhere, you should rely on legitimate interest as a legal basis only very sparingly, since it is usually not present.
Spam check
Do not use any Google plugins unless you want to risk trouble with data protection. Any Google plugin may only be used after consent has been given. This is my opinion, for which you will find numerous justifications in this blog (Google collects data incessantly, also for behavior manipulation; the data can be misused by American intelligence agencies; Google collects more data than necessary, etc.). Even the LG Köln agrees with me on this point (judgment of March 23, 2023 – 33 O 376/22).
Instead, use a captcha such as Contact Form 7 Image Captcha (for WordPress forms). Or use an input field that asks for the result of a simple arithmetic problem. Example: How much is 17 minus 5? Write the answer in lowercase words.
Personally, I believe that contact forms do not generate significantly more spam than the direct collection of e-mail addresses from imprint pages. Good spam filters help a lot. Spam can never be completely avoided. Honeypots are also a good measure.
You may have the option of checking whether the message text is a certain length. If it has not reached the minimum length, the form should not be able to be sent at all. A filter for certain unwanted terms could also be integrated.
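The checks described here (honeypot, minimum message length, arithmetic spam question, word filter, mandatory versus optional fields) and the linked, consent-free data protection notice from the section above, as an added example written for this article rather than code from dr-dsgvo.de or any plugin. Field names, the question, the minimum length and the word list are assumptions made for the illustration.

```javascript
// Added example, not code from dr-dsgvo.de or any plugin: server-side checks for
// a general contact form along the article's rules. Field names, the arithmetic
// question, the minimum length and the word list are assumptions for illustration.
const MIN_MESSAGE_LENGTH = 20;               // shorter messages are rejected
const BLOCKED_TERMS = ["casino", "viagra"];  // constructed list of unwanted terms
// Arithmetic spam question shown next to the form; the answer is expected in words.
const SPAM_QUESTION = { text: "How much is 17 minus 5? Answer in lowercase words.", answer: "twelve" };

// Minimal plausibility check: one "@", text on both sides, a dot in the domain part.
function isPlausibleEmail(address) {
  return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(address);
}

// Data protection notice placed below the fields and above the submit button:
// plain information plus a link that opens the "formular" passage of the privacy
// policy in a new tab. There is deliberately no checkbox and no consent request.
function renderPrivacyNotice(privacyUrl) {
  return `<p>We use your information to answer your request. Further information ` +
    `can be found in our <a href="${privacyUrl}#formular" target="_blank" ` +
    `rel="noopener">data protection information</a>.</p>`;
}

// Validate one submission. Returns { ok: true, data } or { ok: false, errors }.
// Only message and e-mail are mandatory; the name may be a pseudonym, phone is optional.
function validateContactSubmission(fields) {
  const f = { message: "", email: "", name: "", phone: "", answer: "", website: "" };
  for (const [key, value] of Object.entries(fields)) f[key] = String(value ?? "").trim();
  const errors = [];

  // Honeypot: "website" is hidden from humans by CSS, so a filled value signals a bot.
  if (f.website) errors.push("honeypot filled");
  if (!f.message) errors.push("message missing");
  else if (f.message.length < MIN_MESSAGE_LENGTH) errors.push("message too short");
  if (!f.email) errors.push("email missing");
  else if (!isPlausibleEmail(f.email)) errors.push("email implausible");
  // Spam question; compared in lowercase so "Twelve" is also accepted.
  if (f.answer.toLowerCase() !== SPAM_QUESTION.answer) errors.push("spam question wrong");
  const lowerMessage = f.message.toLowerCase();
  for (const term of BLOCKED_TERMS) {
    if (lowerMessage.includes(term)) errors.push(`blocked term: ${term}`);
  }
  // Optional phone: if given, it must at least look like a number.
  if (f.phone && !/^\+?[0-9 ()\/-]{5,}$/.test(f.phone)) errors.push("phone implausible");

  if (errors.length > 0) return { ok: false, errors };
  // Keep only the fields the form asked for; anything unsolicited is dropped.
  return { ok: true, data: { message: f.message, email: f.email, name: f.name, phone: f.phone } };
}
```

A rejected submission is simply not sent on; the errors array tells the operator which rule caught it.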
If you use a plugin for spam checking, make sure that the global anti-spam database is disabled or does not receive any data. As useful as this feature may be: If you forward the network address (IP address) of your website visitors to "unknown", that's not good. An example of such a plugin is Antispam Bee for WordPress.

Here you can see three options of the plugin mentioned. The first option can be activated because a local database does not pass on data to third parties. The other two options should be deactivated to avoid legal problems. After all, the plugin itself already points out that special data protection notices must be observed for the critical options.
Reply to the sender
The sender of a message probably expects an answer from you. You should give one if you think it is sensible. However, there are villains. It is very easy to enter someone else's e-mail address into a contact form, either because someone has malicious intentions or because a typo has crept in.
If a message seems suspicious, don't respond unless you're sure. Check the e-mail address. A disposable address (byom.de, trashmail.net etc.) has the lowest credibility. Free mailers (gmx.de, web.de etc.) are not highly regarded either, although they are widely used. The most transparent addresses are those of individuals or companies with their own e-mail domain; a dedicated domain like dr-dsgvo.de is an example.
If necessary and possible, briefly research the message and any name given (in the message or in the name field) in order to reconcile them. If you have many doubts, write to the supposed sender of the message in as non-promotional a manner as possible and ask whether a message was sent from their email address via your contact form. The non-promotional approach is important to avoid the appearance of (unauthorized) advertising. Non-promotional also means that it is best to remove all advertising slogans or website details from your signature to be on the safe side.
Further suggestions
Use a custom form and not off-the-shelf solutions like Microsoft Forms. Third-party offers regularly raise legal issues. For instance, with MS Forms I have often found the imprint missing. Furthermore, there is the question of whether data transfer with US ties poses a legal problem for companies like Microsoft. Yes, says the LG Köln (see above), and yes, says the EU Court of Justice ("Schrems II").
I consider it permissible, when contact is made, to save the sender's IP address in order to have something in hand in case of legal problems. There is a justified reason for this, which I have examined thoroughly in an article on server logs. The corresponding passage is included in the template text above for your data protection declaration.
Incidentally, I would prefer to refer to the privacy policy as a data protection notice or data protection information. This further defuses the impression that it could be a contract (see the aforementioned judgment).
The data you receive via a contact form is treated in exactly the same way as if you had received an e-mail with this data. There is no significant difference here. Required data is retained, data that is no longer required is deleted with a delay. As a rule, you should not delete data immediately because someone may want to cause you trouble. In this case, it would be nice to have something in hand to make the course of events plausible.
SSL certificate
Instead of a form, you can simply provide a link to your e-mail address. You don't have to offer a form. To link to an e-mail address, enter it like a normal website address (URL), but prefix it with "mailto:".
The HTML code for such a link then looks like this:
<a href="mailto:mail@dr-dsgvo.de">Write to me</a>
The whole thing then looks like this on the website:
If you have an editor like WordPress offers, then simply define a link and use mailto: followed by your email address as the link address.
Important: if you use forms, you should definitely use an SSL certificate for your website. Your website will then only be accessible via https and no longer via http. Make sure that the redirect from http to https is set up. Check it by calling your website once with http:// (type http://meine-webseite-0815.de into your browser instead of just meine-webseite-0815.de as usual).

If the lock appears in the browser to the left of your website address, the SSL certificate is available. To check other features of your SSL certificate, such as the encryption depth or the credibility of the certificate provider, you can use my online website check:
Conclusion
Contact forms should ask for as little data as possible and as much data as necessary.
Different forms should be offered for different purposes with different amounts of required data.
If you do not want to offer a form, then do not offer one. It is important that your e-mail address is stated in the imprint of your homepage. For legal reasons, avoid naming the e-mail address in the form of an image. Some website operators name their e-mail address in the form of a graphic that represents text in order to avoid spam. This certainly reduces spam, but I don't think it's allowed. A person should be able to contact you easily. This also means that the e-mail address simply has to be clicked on in order to write to you. At least a copy & paste should be possible.
The less data you ask for in the form, the less you have to pay attention to. For data that you do not have, you do not have to fulfill any obligations; the data subjects' right of access is just one example. Data that you did not request is initially uncritical for you. If someone tells you their tax number or height via the form, although you have given no reason for it in the form or on the website, treat this information as carefully as all other data. In case of doubt, delete unsolicited sensitive information and ignore the message (or ask for another way of making contact) if it has no legal relevance.
For the peace of mind of many people, it should be said that a data protection problem is usually not constructed from a contact form alone. I am aware of only one case where a missing SSL certificate was problematic. Otherwise, the data received through the form was mishandled, as they say so nicely. The latter then had nothing more to do with the core topic, the form.
Key messages
To create legal and secure contact forms, keep the requested information minimal (message, email, optional name and phone number) and always prioritize user privacy.
Determine the purpose of your contact form and only ask for the information that is absolutely necessary to fulfill that purpose.
Make your website's contact forms clear and user-friendly by providing concise information about how you use user data and linking to your full privacy policy.
Don't rely on consent for data protection. Use legitimate interest as a legal basis sparingly. Be cautious with Google plugins and opt for alternative spam protection methods. Always verify sender information before responding.
Use a dedicated email address and be cautious about using free mailers or disposable addresses for contact forms.
Make sure your website uses HTTPS for secure data transmission and keep contact forms simple, only asking for necessary information.
My name is Klaus Meffert. I have a doctorate in computer science and have been working professionally and practically with information technology for over 30 years. I also work as an expert in IT & data protection. I achieve my results by looking at technology and law. This seems absolutely essential to me when it comes to digital data protection. My company, IT Logic GmbH, also offers consulting and development of optimized and secure AI solutions.
