If you are looking to make your WordPress website GDPR compliant, you are in the right place. Whether you have a WordPress site or you build WordPress websites for your clients, you are dealing with the personal data of your site visitors. This means you are bound by legal requirements and regulations like the GDPR.
GDPR, short for General Data Protection Regulation, is a privacy law designed to protect the personal data of European Union residents and give them rights over their data. The GDPR became applicable on 25 May 2018 and put in place a regulatory framework for organizations of all sizes.
Checklist for WordPress GDPR compliance
Here’s a quick overview of what you need to do. You can find a detailed explanation of each step in the article.
- Update your WordPress to version 4.9.6 or higher.
- Use only GDPR-compliant plugins and tools.
- Assess how your site collects users’ data.
- Review the plugins and tools you use.
- Enable an opt-in checkbox on website forms.
- Only send emails to users that have explicitly signed up.
- Make your website secure with HTTPS.
- Notify users about cookies and get their consent.
- Offer an easy method for users to delete or export their data.
Why should my WordPress website comply with GDPR?
GDPR applies to all organizations that process the personal data of EU residents. It also applies to organizations outside the EU that offer products and services to customers in the EU.
So what is personal data and how do you, as a website owner, process it?
- Personal data is any information relating to an individual that can directly or indirectly identify them including name, email address, location, IP address, cookies, social security number, photos, genetic data and even political opinions.
- Processing means using personal data in any way, including collecting, storing, retrieving, disclosing or sharing, or destroying it.
In short, if you have a personal blog, newsletter, eCommerce store or just about any WordPress website and if you have visitors from the EU, you process their personal data and you should gear up to be GDPR compliant.
How to make your WordPress GDPR Compliant?
You need to first ensure that your WordPress is updated to version 4.9.6 or higher to utilise the built-in data privacy features mentioned in the steps below.
Step 1. Use GDPR-compliant plugins and tools
With more than 55,000 plugins, WordPress has a huge repository of tools for website publishers. While most of the popular plugins have implemented GDPR compliance, not all of them have. Keep in mind that you should:
- Use only GDPR-compliant plugins, themes and web hosting providers.
- Assess their data collection and storage practices as described in their respective privacy policies.
- Ensure that they store data in the EEA or provide an adequate level of protection for transferring personal data outside the EEA, such as the Standard Contractual Clauses (SCCs) approved by the European Commission.
Step 2. Review plugin data collection practices
You should first audit your website for all the data that it collects and stores. Common sources include:
- Contact forms
- Comments and social media plugins
- Analytics and traffic plugins
- IP addresses, cookies and location information
- Security tools and plugins
Most of the top-rated WordPress plugins are GDPR-ready, but here are some of the common aspects that you still need to review and update for foolproof compliance.
If you use Google Analytics for your WordPress website, you need to do the following to be GDPR compliant:
- Anonymize the data before Google Analytics stores them. If you use the Site Kit plugin by Google, it automatically anonymizes IP addresses upon activation of the Google Analytics module.
- Set data retention settings for Google Analytics. This will help you to set the amount of time before the data is automatically deleted from GA. You can access these settings under Admin → Property → Tracking Info → Data Retention.
- If you use a Google Analytics plugin for WordPress like MonsterInsights, you can install and activate its EU Compliance Addon, which automatically turns the Anonymize IP Addresses option on.
If you collect user data through various forms on WordPress, then you are required to get the user’s explicit consent. If you have multiple forms for multiple purposes on your site, then you have to ask for consent for the different purposes separately.
Popular contact form plugins like Contact Form 7, WPForms and Gravity Forms are GDPR ready. This means you can easily find GDPR-compliant consent features in their Settings.
- To get opt-in consent from users, you can simply add a checkbox that a user has to click before they sign up or register through a form on your website.
- If a user is subscribed to a newsletter or email marketing campaign, provide an unsubscribe option within the emails.
- While it isn’t a requirement, you may enable double opt-in for your email campaigns. This means that subscribers will receive an email asking for their confirmation before you send them any emails.
- You can also add an opt-in checkbox to your comment forms. Head to Settings → Discussion → Other comment settings and enable "Show comments cookies opt-in checkbox, allowing comment author cookies to be set".
If you are running an eCommerce website, you are collecting and storing a lot of personal data like phone numbers, shipping addresses and payment details that can be targeted by cyber-attacks like phishing and skimming. Hence, choosing GDPR-compliant eCommerce plugins on WordPress should be a high priority for you.
- If you use payment gateways, ensure that they have strict GDPR-compliant policies. Popular choices include Stripe and PayPal.
If you are using third-party APIs on your website, remember that they collect and store user data. For instance, if you use the Google Fonts API, ensure that you host the fonts locally or on your own CDN so that no personal data is sent to Google’s servers.
Step 3. Publish a privacy policy
Your privacy policy should be written in clear and plain language and be easily accessible on your site. It should include sections on:
- The information you collect, from all sources
- How and why the information is collected
- Cookies used on your site and their purposes
- How and where the data is stored
- The information you share with third parties
- The users’ rights under GDPR and other applicable laws
- How users can contact you for data access requests
- Any other relevant information and policy updates
Step 4. Display a cookie consent banner
You can use top-rated plugins like the free GDPR Cookie Consent Plugin by CookieYes. With this plugin you can fulfil GDPR cookie consent requirements easily:
- Obtain user consent before setting any cookies except strictly necessary cookies.
- Give users the ability to give consent only for specific cookie categories.
- Provide information about cookies and their purposes.
- Document cookie consent for proof of compliance.
- Give users an easy option to withdraw their consent.
Step 5. Encrypt your website with HTTPS
If you still haven’t moved from HTTP to HTTPS, it’s time to do so. GDPR requires websites to implement appropriate measures, such as encryption, to mitigate data security risks. To encrypt traffic to your WordPress website, you need to enable the HTTPS protocol. For this, you just need to get an SSL/TLS certificate and activate it.
You can check for free SSL certificates from your current WordPress hosting provider, or you can get them from popular hosting and CDN companies like Bluehost, SiteGround, WPEngine, Cloudflare etc.
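Activating the certificate is only half of the move. As an added example (not from the article), here are the wp-config.php settings that finish the job when TLS terminates at a proxy or CDN such as Cloudflare; the proxy address and example.com are constructed placeholders.

```php
<?php
// Added example, not from the article: wp-config.php settings that finish the
// move to HTTPS once the certificate is active. Assumes TLS terminates at a
// proxy or CDN (Cloudflare is one such case) that forwards X-Forwarded-Proto;
// the proxy address below is a constructed example, substitute your own.
$trusted_proxies = array( '203.0.113.10' );

// WordPress decides is_ssl() from $_SERVER['HTTPS']. Behind a proxy that value
// is empty, so FORCE_SSL_ADMIN would redirect forever. Honour the forwarded
// scheme only when the direct client is the trusted proxy; otherwise any
// visitor could spoof the header and have plain-HTTP requests treated as secure.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'], $_SERVER['REMOTE_ADDR'] )
    && in_array( $_SERVER['REMOTE_ADDR'], $trusted_proxies, true )
    && 'https' === strtolower( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) ) {
    $_SERVER['HTTPS'] = 'on';
}

// Pin the site address to https so WordPress never emits http:// links (mixed
// content) and require HTTPS for the dashboard and login, where WordPress marks
// the auth cookies Secure. example.com stands in for your own domain.
define( 'WP_HOME',         'https://example.com' );
define( 'WP_SITEURL',      'https://example.com' );
define( 'FORCE_SSL_ADMIN', true );
```

FORCE_SSL_ADMIN covers only the dashboard and login pages, so redirect plain-HTTP requests for the public site to HTTPS at the web server or CDN.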
Step 6. Ensure data portability
GDPR requires that any business that collects users’ data also provides the user with the ability to download it or transfer it elsewhere. WordPress has a built-in option that allows you to export and erase users’ data from your database. You can access it under Tools → Export Personal Data or Tools → Erase Personal Data.
After entering the relevant details, an automated email will be sent to the user to confirm their request. Once the request is confirmed, you can generate a zip file of the user’s personal data. WordPress will also send that user an email with a link to download the generated zip.
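The built-in tools only know about data that core and plugins register with them, so a plugin that stores its own personal data must hook in. As an added example (not the article's or WordPress core's code), a plugin keeping newsletter signups in a hypothetical custom table named `{$wpdb->prefix}newsletter_signups` with columns email, signed_up_at and ip registers an exporter and an eraser so those rows are included in the zip and removed on an erasure request.

```php
<?php
// Added example, not the article's or WordPress core's own code. The table
// {$wpdb->prefix}newsletter_signups (email, signed_up_at, ip) is hypothetical.
// Both filters have existed in core since the 4.9.6 privacy tools.
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['newsletter-signups'] = array(
        'exporter_friendly_name' => 'Newsletter signups',
        'callback'               => 'newsletter_signups_exporter',
    );
    return $exporters;
} );

add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['newsletter-signups'] = array(
        'eraser_friendly_name' => 'Newsletter signups',
        'callback'             => 'newsletter_signups_eraser',
    );
    return $erasers;
} );

// WordPress passes the email address it confirmed with the user and keeps
// calling back with a higher $page until 'done' is true; one page suffices here.
function newsletter_signups_exporter( $email_address, $page = 1 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'newsletter_signups';
    $rows  = $wpdb->get_results( $wpdb->prepare(
        "SELECT email, signed_up_at, ip FROM {$table} WHERE email = %s", $email_address
    ) );
    $items = array();
    foreach ( $rows as $i => $row ) {
        $items[] = array(
            'group_id'    => 'newsletter-signups',
            'group_label' => 'Newsletter signups',
            'item_id'     => 'newsletter-signup-' . $i,
            'data'        => array(
                array( 'name' => 'Email',      'value' => $row->email ),
                array( 'name' => 'Signed up',  'value' => $row->signed_up_at ),
                array( 'name' => 'IP address', 'value' => $row->ip ),
            ),
        );
    }
    return array( 'data' => $items, 'done' => true );
}

// Deleting the rows is the simplest erasure; report honestly whether anything went.
function newsletter_signups_eraser( $email_address, $page = 1 ) {
    global $wpdb;
    $deleted = $wpdb->delete( $wpdb->prefix . 'newsletter_signups', array( 'email' => $email_address ), array( '%s' ) );
    return array( 'items_removed' => (bool) $deleted, 'items_retained' => false, 'messages' => array(), 'done' => true );
}
```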
Step 7. Hire a lawyer
If you are a small website, personal blog or just starting out with your online store, you can get on the right track with the steps listed above. However, if your website receives considerable traffic and you collect a large amount of user data, we recommend that you hire a lawyer and get professional advice for compliance. This way, you can safeguard your business from legal hassles in the future.
If your core activity involves processing a large amount of data, for instance, you are an HR website for job-seekers in the EU, then you may need to appoint a Data Protection Officer (DPO) for GDPR. You can consult with your lawyer and determine whether you need a DPO.
What happens if my WordPress website isn’t compliant?
You could face an administrative audit by your respective data protection authority and if non-compliance is established, it may result in GDPR fines. Serious infringements can get you a maximum fine of up to €20 million or 4% of annual global turnover!
In practice, the fines will depend on the severity of the infringement, the size of your business and the existing GDPR-compliant measures you have put in place. This means if you are GDPR-ready, you are not likely to face any monetary penalties.
A few further steps for WordPress GDPR compliance
Now that you have the basics covered for your website, you can take some additional steps to be thorough with your compliance efforts.
Notify about policy updates
Prepare for data breach notifications
GDPR requires businesses to inform relevant authorities within 72 hours of the incident and if the breach is high-risk, you are required to notify your affected users. Your breach notification letter should include information such as the nature of the breach, contact details of the data protection officer and measures taken by you to address the breach.
Maintain a data retention policy
GDPR does not allow businesses to keep users’ personal data for longer than they need it. This means you need to create a data retention policy for all the data you collect. You can check your plugin settings to see if they have data retention schedules. For instance, in WooCommerce, you can delete user data after a set amount of time. You can access this under WooCommerce → Settings → Accounts & Privacy → Personal data retention.
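Not every plugin offers a retention setting, and WordPress core keeps the IP address of every comment author indefinitely. As an added example (not the article's or WooCommerce's code), a small plugin that applies a retention period to those addresses via WP-Cron; the 30-day period is an assumption, not a legal requirement.

```php
<?php
// Added example, not the article's or WooCommerce's code: apply a retention
// period to comment author IP addresses, which core stores in the comments
// table column comment_author_IP. Rows older than the period have the address
// blanked by a daily WP-Cron job. The 30-day figure is an assumption.
const COMMENT_IP_RETENTION_DAYS = 30;

// Schedule the job once; WP-Cron runs it on the first request after it is due.
add_action( 'init', function () {
    if ( ! wp_next_scheduled( 'comment_ip_retention_purge' ) ) {
        wp_schedule_event( time(), 'daily', 'comment_ip_retention_purge' );
    }
} );

add_action( 'comment_ip_retention_purge', 'comment_ip_retention_purge' );

// Returns the number of rows anonymized so the same function can be called
// from WP-CLI or a one-off script to verify the policy is being enforced.
function comment_ip_retention_purge() {
    global $wpdb;
    $cutoff = gmdate( 'Y-m-d H:i:s', time() - COMMENT_IP_RETENTION_DAYS * DAY_IN_SECONDS );
    return (int) $wpdb->query( $wpdb->prepare(
        "UPDATE {$wpdb->comments}
            SET comment_author_IP = ''
          WHERE comment_author_IP <> ''
            AND comment_date_gmt < %s",
        $cutoff
    ) );
}

// Drop the schedule when the plugin is deactivated (regular plugins only;
// must-use plugins never fire deactivation hooks).
register_deactivation_hook( __FILE__, function () {
    wp_clear_scheduled_hook( 'comment_ip_retention_purge' );
} );
```

Spam-filtering and security plugins often keep their own copies of visitor IPs in separate tables, so check each of them for an equivalent setting.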
FAQ on WordPress GDPR compliance
Is WordPress GDPR compliant?
What is WP GDPR?
WP GDPR or WordPress GDPR refers to fine-tuning your WordPress site for GDPR compliance. The goal is to ensure that all the WordPress features, plugins and additional tools that you use on your website are privacy-friendly and comply with the regulations set by the GDPR.
Does WordPress collect personal data?
Yes, like any website, your WordPress website also collects personal data from your website visitors and users. For example, if someone leaves a comment on your blog or signs up for your newsletter, you are collecting their personal data such as name and email address. You may use analytics tools to improve your user experience, cookies for retargeting ads, payment information for online transactions and so on. In short, you are collecting a lot of user data to enable certain services and features and improve your website.
How do WordPress sites collect user information?
Your WordPress website might be collecting users’ information in many ways, such as:
- Website forms (contact forms, newsletter signups etc.)
- Through cookies, IP addresses and geolocation
- Payment gateways
- Social media likes and shares
- Analytics and tracking tools