Overview
Gravity Forms is the dominant premium form builder plugin for WordPress, used on a large proportion of business WordPress installations globally. Unlike SaaS form tools, Gravity Forms operates as a self-hosted plugin — its scripts load from the host website's own domain rather than third-party servers, and form data is stored in the site's own WordPress database by default. This architectural distinction significantly affects the consent and data processing analysis compared to cloud-hosted form providers.
What This Script Does
Gravity Forms scripts run entirely within the host WordPress site's own domain. Client-side behavior includes:
Form rendering and validation: The primary script gravityforms.js (or its minified equivalent) handles client-side form rendering, conditional logic evaluation, field validation, and multi-page navigation. It loads from the host site's WordPress assets directory.
AJAX submission: Gravity Forms supports AJAX-based form submission that posts form data to the WordPress admin AJAX handler at /wp-admin/admin-ajax.php without a full page reload. This request goes to the host site's own server, not a third-party endpoint.
File uploads: For file upload fields, the script manages the upload interface and client-side file validation before submitting the file to the host server.
Cookies: Gravity Forms sets a cookie (typically gf_token or gf_{form_id}) to save partial form completion state, allowing users to resume incomplete multi-page forms. This cookie is first-party and set on the host domain.
Anti-spam: Some Gravity Forms configurations load the Google reCAPTCHA script from Google's servers for spam prevention. This third-party script is the primary source of external requests when present.
No third-party data transmission: Default Gravity Forms installations send form data only to the host WordPress database. Third-party data transmission only occurs through add-on integrations (e.g., Zapier, Mailchimp, Salesforce) that operators configure separately.
Consent & Compliance
GDPR and ePrivacy Directive: Gravity Forms itself, when configured without third-party add-ons, processes form data exclusively on the host site's own infrastructure. The form completion state cookie is a functional first-party cookie. For standard contact or inquiry forms, the lawful basis is contract performance or legitimate interests. The ePrivacy Directive's consent requirement applies to the form state cookie, but the cookie is borderline functional: it serves the user's interest in not losing form progress. If reCAPTCHA is used, Google's reCAPTCHA script requires separate analysis and potentially consent.
CCPA/CPRA: Gravity Forms itself does not constitute sharing with a third party in default configuration. Form data is stored on the operator's own WordPress server. Third-party sharing only occurs through explicitly configured add-on integrations.
Consent category: functional. Gravity Forms performs form functionality with no inherent third-party data transmission or behavioral tracking.
Should You Block This Without Consent?
No.
Gravity Forms scripts are functional tools that enable website visitors to submit inquiries, applications, and other requests. Blocking these scripts would disable core website functionality. The form completion cookie is first-party and functional in nature. If reCAPTCHA is enabled, that specific third-party integration should be assessed separately for consent requirements.
Tracked Domains (1)
gravityforms.com (Functional)
Frequently Asked Questions
Does Gravity Forms require cookie consent on my website?
Conditional. Gravity Forms is a functional WordPress plugin that processes data on the host site's own servers. The form state cookie is borderline functional. If reCAPTCHA or third-party add-ons are enabled, those require separate consent under GDPR.
What cookies does Gravity Forms set?
Gravity Forms sets a first-party session cookie to preserve form progress across multi-page forms and prevent data loss on navigation. Scripts load from the host site's own WordPress assets directory, not from a third-party domain. No persistent tracking cookies are set by default.
How does ConsentStack detect Gravity Forms?
ConsentStack categorizes Gravity Forms as functional. Since its scripts load from the host site's own domain and do not send data to third parties by default, ConsentStack does not block it. Third-party add-ons connected to Gravity Forms are assessed separately.