The form on your contact page is probably the most important thing on your website and the least audited. It is how people reach you, how quotes come in, how leads arrive. And for most businesses it has not been looked at properly since the day it was pasted in.
That matters for two reasons that usually get treated separately and are actually the same problem. The first is compliance. Every contact form, quote request and newsletter signup collects personal information, and under the Australian Privacy Principles that collection carries obligations: how you notify people, how you handle what they send, how you keep it. Those obligations apply to the form on your contact page just as much as to anything on your internal network.
The second reason is the one that should get attention fastest, because it costs you money every week: the same setup that raises the privacy question is quietly losing you leads.
The short version. Your contact form collects personal data, so it carries privacy obligations. It also loads from someone else’s domain, so your consent tool can block it like a tracker until a visitor accepts cookies. Patch it in your consent tool today. Deliver the form first-party from your own domain and both problems close at once.
What your form is actually doing
Your contact form is almost certainly an embed. Nobody built a form from scratch on your own site. Someone pasted a snippet that pulls one in from a provider, something loading from a domain like js.hsforms.net or form.jotform.com. It works, so it gets forgotten.
You have probably also got a cookie consent tool running. Cookiebot, Usercentrics, OneTrust or similar. Most of them ship with an auto-blocker that holds back third-party scripts until a visitor agrees to cookies, which is how the site stays on the right side of privacy rules.
Here is where the two collide. The auto-blocker decides what to block by the domain a script loads from. Anything off your domain is treated as third-party and held back until consent. Your form loads from the provider’s domain, so the blocker cannot tell it apart from a tracking pixel and keeps it hidden.
The cost you never see in your analytics
Most visitors never touch the cookie banner. They scroll past it, close it, ignore it. No acceptance means no consent, and no consent means the form stays hidden for the entire visit.
So this is not a fringe issue affecting a handful of privacy-conscious users. It can hit a large share of everyone who reaches your contact page, and those are your warmest visitors. They arrived on purpose, ready to get in touch, and the one thing the page had to get right failed.
It is also silent. The people it affects often are not being tracked in the first place, so nothing drops in your reporting. The enquiries simply stop arriving and nothing tells you why. For a business that spends money to bring people to that page, this is spend leaking straight out the bottom with no alarm attached.
The visitors this hits came to contact you. Not browsers killing time. They reached the contact page on purpose, and the page failed at its one job.
The compliance angle most businesses get backwards
There is a reasonable argument that the form should never have been behind a consent gate to begin with. Consent rules are aimed at tracking and marketing cookies, not at a contact form someone is actively trying to use. Showing the form sends no data. Data only leaves when the visitor clicks submit, and that click is the permission.
That means the quick fix is free and lives in your consent tool: mark the form’s service as functional or essential rather than marketing, or allowlist its domain so the blocker leaves it alone. Five minutes if you know your way around the dashboard, and worth doing today.
The problem is that the patch lifts, and it is worth being straight about how:
- It repeats everywhere. Every site and every new form needs the same treatment. For anyone managing more than one site, that is an ongoing job rather than a fix.
- It can revert quietly. A consent-tool update or a re-imported setting can switch the blocking back on, and the forms go dark with no warning.
- Some blockers stay aggressive. A few keep catching the provider’s assets even after you think you have allowed them.
The fix that closes both gaps at once
All of this traces back to one thing. The form loads from a domain that is not yours. Remove that and the blocker has nothing to catch.
A first-party form loads from your own domain rather than the provider’s. To the consent tool, the form is now part of your site, because it is. There is no foreign domain to flag, so it renders for every visitor whether they engage with the banner or not. That fixes the problem in the architecture instead of in a settings panel, which means it holds when the consent tool updates, and it holds against tracker blockers and Safari’s Intelligent Tracking Prevention, which work the same way by spotting third-party domains.
It also keeps your privacy posture clean. You are not bending a rule. You are removing a consent question that should never have applied to a contact form, which keeps lead capture aligned with the Australian Privacy Principles, GDPR and UK GDPR in one move.
It is the same first-party move good teams already use to keep their lead tracking and lead source data out of reach of trackers and ITP. Lead Source delivers your forms first-party and records the real source behind each enquiry; see how it works. For the mechanics in full, including the five-minute patch and the permanent setup, read why your cookie consent tool is blocking your contact forms.
Put it on the radar
Check it yourself in two minutes. Open your contact page in a private window, decline cookies, and confirm the form still loads. Do not call it fine until you have watched it render with consent refused. If it disappears, you have found a compliance question and a lead leak in the same place, and both have the same fix.
A contact form has one job: let people reach you. If a cookie banner is standing between your best visitors and that form, it is not protecting anyone. It is costing you business.