Contact forms are a prime target for hackers, who can introduce hidden fields and functions that steal user data. Even data from a user’s autofill keychain can be taken without the user or the site owner knowing.

When users enter their details on your contact form, the server still has to process the data in order to send it to your email provider, and in some cases it stores the user's data (such as IP address), which is considered personal data.

GDPR outlines that users "are entitled to be protected from this kind of harm as well", and this is something that is expected of you as a website owner.
