Contact Form 7 is a free, open source WordPress plugin maintained by Takayuki Miyoshi in Japan. It is one of the most widely installed WordPress plugins, used by millions of websites to render contact forms, quote requests and signup forms. Contact Form 7 runs entirely on the operator's WordPress server and does not set tracking cookies. Form submissions are stored on the WordPress backend and typically forwarded by e-mail.
Contact Form 7 (often abbreviated CF7) is one of the most installed WordPress plugins, with more than ten million active installations. The plugin lets the operator create and customise multiple forms (contact, quote, signup, application) using a shortcode-based syntax. The form is rendered as HTML and submitted via wp-admin/admin-ajax.php to the WordPress backend, which then validates, stores and forwards the message by e-mail. Contact Form 7 is open source, free and developed by Takayuki Miyoshi.
The plugin processes the form data the visitor submits (name, e-mail, message, attachments and any custom field defined by the operator). Submissions are stored on the WordPress server and typically forwarded by e-mail. Contact Form 7 does not set cookies on the visitor's browser. If reCAPTCHA, Akismet or third-party add-ons (Flamingo storage, CRM connectors) are enabled, those modules add their own data flows that must be assessed separately.
Contact Form 7 does not set cookies, so it does not trigger the ePrivacy consent rule. The legal basis for processing the data submitted in the form depends on the form purpose: performance of a contract under Article 6(1)(b) GDPR for a service or quote request, consent under Article 6(1)(a) GDPR for a marketing opt-in or newsletter, legal obligation under Article 6(1)(c) GDPR for regulated submissions. The pairing of CF7 with reCAPTCHA v3, however, brings Google as a sub-processor and requires consent in most EU member states.
The Contact Form 7 plugin itself does not transfer any data to third countries. Form submissions stay on the WordPress server controlled by the operator. International transfers only occur if the operator chooses to integrate sub-processors that are not in the EU: reCAPTCHA (Google, USA), Akismet (Automattic, USA), CRM connectors (HubSpot, Salesforce, Pipedrive), e-mail providers (Amazon SES, Postmark, SendGrid) or notification platforms (Slack, Zapier).
Add a clear consent checkbox tied to the form purpose, replace reCAPTCHA v3 with hCaptcha (EU-friendly) or Cloudflare Turnstile if you want to avoid US transfers, configure the e-mail forwarding through an EU mail provider, store submissions in Flamingo only for the necessary retention period and document Contact Form 7 in your record of processing activities as an internal technical processor.
Websites using Contact Form 7 must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is not required for the standard Contact Form 7 plugin. A DPIA may be considered when CF7 powers forms that collect health, financial or other sensitive data at scale, or when it is paired with reCAPTCHA v3, which captures cross-site behavioural data from Google.
Sample consent text
Our contact form is powered by Contact Form 7, an open source WordPress plugin. The form submission is processed on our own WordPress server and forwarded by e-mail to our team. No tracking cookie is set by Contact Form 7. The data you provide is used to handle your request and is kept for a defined retention period as described in our privacy notice.
Third-party domains contacted
contactform7.com
wordpress.org
No. The Contact Form 7 plugin does not set any tracking, analytics or marketing cookies. The form is rendered as HTML and submitted via Ajax to the WordPress backend without any cookie being created on the visitor's browser.
No consent is required by Contact Form 7 itself. Consent or another legal basis is required for the data submitted in the form, depending on the form purpose. If reCAPTCHA v3 is enabled on top of Contact Form 7, that companion service does require consent in most EU member states.
Performance of a contract under Article 6(1)(b) GDPR for service or quote requests. Consent under Article 6(1)(a) GDPR for newsletter signups and marketing opt-ins. Legitimate interest under Article 6(1)(f) GDPR for spam filtering and minimal logging. Legal obligation under Article 6(1)(c) GDPR for regulated submissions.
The plugin itself does not transfer data outside the EU. International transfers occur only if the operator chooses to integrate reCAPTCHA (Google, USA), Akismet (Automattic, USA), an external CRM or an e-mail delivery service hosted outside the EU. These sub-processors must be assessed independently.
No DPIA is required for the standard plugin. A DPIA may be considered when CF7 powers forms that systematically collect sensitive data (health, financial, biometric) at scale, when reCAPTCHA v3 is paired with CF7 to profile interactions, or when forms target EU minors.
Add explicit consent checkboxes tied to the form purpose, swap reCAPTCHA v3 for hCaptcha or Cloudflare Turnstile if you want to avoid US transfers, route notifications through an EU e-mail provider, set retention rules for Flamingo storage and document Contact Form 7 as an internal technical processor in your record of processing activities.
Alternative WordPress form plugins include Forminator (US), WPForms (US, with EU compliance features), Gravity Forms (US), Fluent Forms (Bangladesh), Ninja Forms (US) and Formidable Forms (US). For maximum GDPR friendliness, pair any of them with a self-hosted CAPTCHA solution and an EU e-mail provider.
No specific cookie entry is required because Contact Form 7 does not set cookies. Mention Contact Form 7 only if you want to be transparent about the technical component handling submissions. If reCAPTCHA, Akismet or an external CRM is enabled, list those processors and their international transfer mechanisms.