Integrate Contact Form 7 with Google reCAPTCHA (GDPR-compliant)

reCAPTCHA Contact Form 7 GDPR

You want to integrate a contact form into your WordPress website and protect yourself from spam bots at the same time? Then the combination of Contact Form 7 and Google reCAPTCHA might be the combination you’ve been looking for!

However, the use of both services together is only compliant with the GDPR under certain conditions. In this article, we will tell you exactly how you can integrate Google reCAPTCHA in conjunction with Contact Form 7 into your website in accordance with data protection.

We must point out that the following statements do not constitute legal advice. Therefore, we can only give you evaluations from our intensive experience with the EU legal regulations in practice and a technical assessment of the situation.

What is Contact Form 7?

Contact Form 7 is a product from the Japanese company Rock Lobster, LLC. that helps you create and manage contact forms. The Contact Form 7 plugin is free and with several million downloads for WordPress websites, it is anything but unpopular.

To support the security of the contact forms, Contact Form 7 offers you a reCAPTCHA function as well as Ajax-supported sending and spam filtering.

Contact Form 7 and data protection – are contact forms GDPR-compliant?

In our opinion, the collection and processing of personal data within the framework of a contact form is permitted if the user has given explicit consent. Furthermore, this may only be done in the context of processing the customer’s request. Accordingly, you may not store the data, pass it on to third parties or use it for other purposes.

You therefore need an opt-in consent. This little tick with which you agree to the data processing in almost every contact form. In the case of a newsletter subscription, you also need a double opt-in consent.

It would mainly be problematic if you – or the provider of your contact form – were based in the USA. The reason for this is that since the end of the Privacy Shield – a data agreement between the EU and the USA – the USA is considered an unsafe third country with an inadequate level of data protection.

However, this is not the case with Contact Form 7, as the plugin is completely installed in your WordPress and the data processing takes place exclusively on your own server (web hosting).

✅ Opt-in consent via checkbox

In order to be allowed to process the personal data of the enquirer, you must include an additional checkbox at the end of your contact form in which the sender actively confirms that he/she agrees to your data protection provisions and, if applicable, terms of use as well as to the processing of his/her data within the scope of processing the request.

📝 Privacy policy

You should also address the use of the contact form in the privacy policy of your website. This means that, among other things, you should again specifically explain the purpose of the use as well as the collection, processing and storage of the collected data.

What is Google reCAPTCHA?

But wait, there were still the spam bots that want to use your contact form 🤖 Google reCAPTCHA is a solution for detecting bots, e.g. when entering data in online forms, and for preventing spam.

Captchas come in a variety of forms. The most common ones, which you have probably already encountered, are distorted letters and numbers, upside-down objects or the all-time classic: the object search.

However, many bots are now able to solve these puzzles, which is why Google has developed its reCAPTCHA tool. Google reCAPTCHA works in the background, analysing the visitor’s behaviour on the website in order to recognise whether it is a machine or a human being on the basis of this.

Google reCAPTCHA and data protection

Unlike Contact Form 7, the use of Google reCAPTCHA is far more critical in the eyes of data protectionists. This is because Google reCAPTCHA is a service from Google. As you probably know, Google is a US company.

Data transfer to the USA is problematic. We have already explained why this is the case.

In addition, Google uses the data collected about the visitor to your website not only for you, but also makes it available, for example, to other website operators who use Google reCAPTCHA.

It is therefore essential to obtain opt-in consent for the use of Google reCAPTCHA! The easiest way to do this without any programming knowledge is to use a cookie consent plugin like Real Cookie Banner. We’ll show you exactly how in the following.

In addition, reCAPTCHA sets cookies that are used to identify the user within Google’s already about the user and to classify the maliciousness of the user. This collected data can be linked to data from users who have logged into their Google accounts on or a localised version of Google.

🤝 Order processing contract

For the use of Google reCAPTCHA, we believe that you should definitely conclude an order processing contract (AV contract). Why? Whenever you commission an external company to transfer personal data, you must conclude such a contract based on Article 28 of the GDPR. This contract regulates the correct handling of this data in accordance with data protection regulations. You need an AV contract, for example, when using Google Analytics – but also for Google reCAPTCHA.

📝 Privacy policy

Zusätzlich zur AV-Vereinbarung müssen Sie Google reCAPTCHA getrennt von Contact Form 7 in Ihrer Datenschutzrichtlinie aufführen. Wie bei Contact Form 7 müssen Sie auch hier den Zweck der Verwendung von Google reCAPTCHA erklären.

Set up Google reCAPTCHA for Contact Form 7

To integrate spam protection into your Contact Form 7 forms, the Contact Form 7 plugin offers you the corresponding compatibility. However, since Google reCAPTCHA is a Google product (surprise 😉), you must first register your WordPress website with Google.

  1. Open
  2. Select reCAPTCHA, version 3.
reCAPTCHA Registrierung
  1. Enter your domain in the corresponding field.
  2. Click on the send button below.
  3. Now you will see your Site Key and Secret Key.
  4. Go back to your WordPress backend.
  5. After installing the Contact Form 7 plugin, navigate to Forms > Integration > reCAPTCHA in the menu on the left.
  6. Click on Configure Integration.
  7. Enter your site key and your secret key here.
  8. Save your change.

Done! Now you have successfully linked Google reCAPTCHA with Contact Form 7 to keep bots away from your forms on your WordPress website.

Integrate Contact Form 7 with Google reCAPTCHA into your WordPress website in a GDPR-compliant manner

To round off the article, we’ll show you how to use the Google reCAPTCHA integration in Contact Form 7 in compliance with the GDPR. Because just setting it up, as in the previous section, is not enough!

  1. Open your WordPress backend.
  2. Go to Plugins > Add New in the menu on the left.
  3. Search for Real Cookie Banner. Install and activate the plugin.
  4. Click on Cookies in the menu on the left.
  5. Navigate to Cookies (Services) > Add Service.
  6. Search for “Google reCAPTCHA”.
Google reCAPTCHA Website einbinden
  1. Click on the template (in the PRO version) and you will automatically land in the service configuration. And here’s the kicker: You don’t have to worry about anything, as all the important (technical) information is already stored in the template (🎉).
  2. Scroll down to the entry Create Content Blocker for this service. Be sure to leave the box ticked so that once the reCAPTCHA service has been created you are automatically redirected to the associated Content Blocker template. From the Content Blocker templates, select the one for Contact Form 7.
  3. Click on Save.
Google reCAPTCHA WordPress GDPR
  1. Welcome to the general service configuration for the Content Blocker. Again, you don’t have to do anything, as Real Cookie Banner does the work for you.
  2. Scroll to the end of the template and click Save.
  3. Now, reCAPTCHA will be included in your Contact Form 7 contact forms only after your visitor’s opt-in consent to your WordPress website.

It was easy, wasn’t it 😉 Data protection can be that simple!