This article shows how to configure Netlify [1] forms to be GDPR [3] conformant by automatically deleting form submissions with the help of Netlify functions [2]. This prevents form submissions, which may include personally identifiable information (PII), from remaining on Netlify servers after they have been forwarded to e.g. an email address.

This works only in production environments. Back up existing submissions, if you need them, before implementing.

Get Netlify API Access Token

The setup makes use of the Netlify API [5] and requires an access token. The token must be added to the project's environment variables [6] in Netlify.

Important: Personal access tokens are private tokens. They should not be shared with anybody and should not be committed to repositories.

Steps to follow:

Create Netlify function

Define location of function

Using file-based configuration [7] with netlify.toml, we can define the location of the function that deletes the form submissions.

The path netlify/functions is the default path in which Netlify looks for functions. Adjust it as needed.

Create Netlify function file

/*
  Supports GDPR conformity of contact form submissions on Netlify
  
  process.env.SITE_ID variable is one of Netlify's built-in env vars. It is 
  defined as the ID specific to the site on Netlify.
*/

// require netlify package as a dependency
const NetlifyAPI = require('netlify')

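exports.handler = async function (event, context) {
  // The access token is read from the site's environment variables
  const client = new NetlifyAPI(process.env.NETLIFY_API_ACCESS_TOKEN)

  // Stop with an error response if the listing fails, instead of
  // continuing with an undefined result
  let submissions
  try {
    submissions = await client.listSiteSubmissions({
      site_id: process.env.SITE_ID,
    })
  } catch (e) {
    console.log('Error getting submissions', e)
    return {
      statusCode: 500,
      body: 'Error getting submissions',
    }
  }

  if (submissions.length) {
    // Delete the listed submissions one by one
    for (let i = 0; i < submissions.length; i++) {
      await client.deleteSubmission({ submission_id: submissions[i].id })
    }
    return {
      statusCode: 200,
      body: 'All submissions deleted',
    }
  } else {
    return {
      statusCode: 200,
      body: 'No submissions to delete',
    }
  }
}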

The submission-created.js function will be triggered when a form submission is verified for your site.

Create/Update package.json file

If there are errors, they will be mentioned in the Netlify deploy log file. Make sure to test everything in production. With the next form submission, all previous submissions will be deleted. You should then see the message "No remaining verified submissions", followed by "This form’s verified submissions have all been deleted or marked as spam."
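
The following is an added example, not part of the original article: a variant of the deletion loop that keeps going when a single delete fails and then lists the submissions again to confirm that nothing is left, so an incomplete purge is reported instead of silently leaving PII stored. The names purgeSubmissions, maxRounds and the shape of the result object are assumptions; only listSiteSubmissions and deleteSubmission come from the function above.

```javascript
// Added example: purge with per-item error handling and a verification pass.
// purgeSubmissions, maxRounds and the result shape are hypothetical names;
// `client` only needs listSiteSubmissions/deleteSubmission as used above.
async function purgeSubmissions(client, siteId, maxRounds = 5) {
  const failedIds = new Set()
  let deleted = 0

  for (let round = 0; round < maxRounds; round++) {
    const listed = await client.listSiteSubmissions({ site_id: siteId })
    // Skip ids that already failed so a persistent error cannot loop forever
    const pending = listed.filter((s) => !failedIds.has(s.id))
    if (pending.length === 0) break

    for (const s of pending) {
      try {
        await client.deleteSubmission({ submission_id: s.id })
        deleted++
      } catch (e) {
        // Log the id and error only, never the submission data (PII)
        console.log('Delete failed for submission', s.id, e.message)
        failedIds.add(s.id)
      }
    }
  }

  // Verification pass: anything still listed means PII is still stored
  const left = await client.listSiteSubmissions({ site_id: siteId })
  return { deleted, failed: [...failedIds], remaining: left.length }
}

// Wiring into the function: report an incomplete purge with a 500 status
async function handler() {
  const NetlifyAPI = require('netlify')
  const client = new NetlifyAPI(process.env.NETLIFY_API_ACCESS_TOKEN)
  const result = await purgeSubmissions(client, process.env.SITE_ID)
  console.log('Purge result', JSON.stringify(result))
  return {
    statusCode: result.remaining === 0 ? 200 : 500,
    body: JSON.stringify(result),
  }
}

if (typeof module !== 'undefined') module.exports = { handler }
```

The repeated listing covers the case where one call returns only part of the stored submissions; the result contains counts and submission ids only, so it can be logged without exposing form contents.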

Abbreviations

API: Application Programming Interface
GDPR: General Data Protection Regulation
PII: Personally Identifiable Information

References

  1. Netlify
  2. Netlify Functions
  3. General Data Protection Regulation
  4. Trigger serverless functions on events
  5. Netlify API
  6. Netlify Environment variables
  7. Netlify file-based configuration
  8. Available Netlify triggers
  9. Create package.json file