If you are looking to make your WordPress website GDPR compliant, you are in the right place. Whether you have a WordPress site or you build WordPress websites for your clients, you are dealing with the personal data of your site visitors. This means you are bound by legal requirements and regulations like the GDPR.

GDPR, short for General Data Protection Regulation, is a privacy law designed to protect the personal data of European Union residents and give them rights over their data. The GDPR became applicable on 25 May 2018 and put in place a regulatory framework for organizations of all sizes. 

Checklist for WordPress GDPR compliance

Here’s a quick overview of what you need to do. You can find a detailed explanation of each step in the article.

  • Update WordPress to version 4.9.6 or higher (ideally the current release, which also carries the latest security fixes).
  • Use only GDPR-compliant plugins and tools.
  • Assess how your site collects users’ data.
  • Review the plugins and tools you use.
  • Enable an opt-in checkbox for website forms.
  • Only send emails to users who have explicitly signed up.
  • Keep your privacy policy up-to-date and transparent.
  • Make your website secure with HTTPS.
  • Notify users about cookies and get their consent.
  • Offer an easy method for users to delete or export their data.

Why should my WordPress website comply with GDPR?

GDPR applies to all organizations established in the EU that process personal data. It also applies to organizations outside the EU that offer goods or services to people in the EU, or that monitor their behaviour (for example through analytics or advertising cookies). 

So what is personal data and how do you, as a website owner, process it?

  • Personal data is any information relating to an individual that can directly or indirectly identify them, including name, email address, location, IP address, cookie identifiers, social security number, photos, genetic data and even political opinions. 
  • Processing is using personal data in any way, including collecting, storing, retrieving, disclosing or sharing, or destroying it. 

In short, if you have a personal blog, newsletter, eCommerce store or just about any WordPress website and if you have visitors from the EU, you process their personal data and you should gear up to be GDPR compliant. 

Want to grasp GDPR in a little detail? We have you covered.

How to make your WordPress GDPR Compliant?

You need to first ensure that your WordPress is updated to version 4.9.6 or higher to utilise the built-in data privacy features mentioned in the steps below.

Step 1. Use GDPR-compliant plugins and tools

With more than 55,000 plugins, WordPress has a huge repository of tools for website publishers. While most of the popular plugins have implemented GDPR features, not all of them have. Keep in mind that you should:

  • Use only plugins, themes and a web hosting provider that are GDPR-compliant.
  • Assess their data collection and storage practices as described in their respective privacy policies.
  • Ensure that they store data in the EEA or have an adequate level of protection for transferring personal data outside the EEA, such as Standard Contractual Clauses (SCCs) approved by the European Commission.
  • If you use SaaS applications with your WordPress site, don’t forget to review the privacy policy and data-processing agreement (DPA) of these service providers; under the GDPR you need a written contract with every processor that handles personal data on your behalf.
Privacy policy by Automattic detailing data transfer mechanism. 

Step 2. Review plugin data collection practices 

You should first audit your website for all the data that you collect and store through your website. Some of these include: 

  • Contact forms
  • Comments and social media plugins
  • Analytics and traffic plugins
  • IP addresses, cookies and location information
  • Security tools and plugins

Most of the top-rated WordPress plugins are GDPR-ready, but here are some common aspects that you still need to review and update for thorough compliance. 

Google Analytics

If you use Google Analytics for your WordPress website, you need to do the following to be GDPR compliant:

  • Anonymize IP addresses before Google Analytics stores them. If you use the Site Kit plugin by Google, it automatically anonymizes IP addresses when you activate the Google Analytics module. (This setting belongs to Universal Analytics; Google Analytics 4 does not log or store full IP addresses, so there is no switch to flip there.)
  • Set data retention settings for Google Analytics. This lets you choose how long user-level data is kept before it is automatically deleted. In Universal Analytics you can access these settings under Admin → Property → Tracking Info → Data Retention; Google Analytics 4 has an equivalent data retention setting in its Admin section.
  • If you use a Google Analytics plugin for WordPress like MonsterInsights, you can install and activate its EU Compliance Addon, which automatically turns the Anonymize IP Addresses option on.

Website forms

If you collect user data through forms on WordPress on the basis of consent, that consent must be freely given, specific, informed and unambiguous. If you have multiple forms for multiple purposes on your site, then you have to ask for consent for the different purposes separately; one bundled checkbox covering both a contact request and a newsletter subscription is not valid consent.

Contact form plugins like Contact Form 7, WPForms and Gravity Forms are GDPR-ready, so you can find the consent features in their settings.

  • To get opt-in consent from users, add a checkbox that the user has to tick before they sign up or register through a form on your website. The box must be unticked by default, since a pre-ticked box does not count as consent. Check the box on the server as well, not only in the browser, and record when and to which version of your policy the user consented: the burden of proving consent is on you. 
  • Link your privacy policy and terms and conditions next to the checkbox, along with a short explanation of what the user is agreeing to. 

Here’s the opt-in form for our monthly Privacy Digest, as an example of this pattern.

  • If a user is subscribed to a newsletter or email marketing campaign, provide an unsubscribe option within every email. 
  • While it isn’t a requirement, you may enable double opt-in for your email campaigns. Subscribers then receive an email asking them to confirm before you send them anything else, which also gives you evidence that the address really belongs to the person who consented.
  • You can also add an opt-in checkbox to your comment form. Head to Settings → Discussion → Other comment settings and tick “Show comments cookies opt-in checkbox, allowing comment author cookies to be set”.

eCommerce plugins

If you are running an eCommerce website you are collecting and storing a lot of personal data like phone numbers, shipping addresses and payment details, which makes your site a target for attacks like phishing and payment-card skimming. Hence choosing GDPR-compliant eCommerce plugins on WordPress should be a high priority for you.

  • If you use WooCommerce, you can access its built-in privacy features. Head to WooCommerce → Settings → Accounts & Privacy to enable the options for personal data retention, personal data removal and privacy policy links. 
  • If you use payment gateways, ensure that they have strict GDPR-compliant policies. Popular gateways with WordPress plugins are Stripe and PayPal. Let the gateway handle the card data (hosted fields or a redirect checkout) so that card numbers never reach your WordPress database; that limits both your GDPR exposure and your PCI DSS scope.

Third-party API

If you are using third-party APIs on your website, remember that they may collect and store user data. For instance, if you load fonts from the Google Fonts API, every visitor’s browser sends its IP address to Google’s servers; host the font files locally (or on a CDN you control) so that no personal data is sent to Google.

You need to vet each service and its privacy policy before implementing a third-party API on your website.

Step 3. Add an updated privacy policy

GDPR requires that you inform users about the personal data you collect, your purpose for collecting and how you ensure that the data is protected. While you may already have a privacy policy, for GDPR compliance, your policy should be comprehensive and have full disclosure about all the data your website collects, stores, processes, and uses.

WordPress has a built-in privacy policy template that you can use for your policy page. You can access it from Settings → Privacy. Keep in mind that this is a template and you should add further information about your own data collection practices. 


Your policy should be written in clear and plain language and should be easily accessible on your site. It should include sections on:

  • The information you collect from all sources
  • How and why the information is collected
  • Cookies used on your site and their purposes
  • How and where the data is stored
  • The information you share with third parties
  • The users’ rights under GDPR and other applicable laws
  • How users can contact you for data access requests
  • Any other relevant information and policy updates 

An even easier way to create a privacy policy is to use a free privacy policy generator. You can just answer the simple questionnaire and generate your policy in minutes. 

Step 4. Display a cookie consent banner

When we talked about reviewing all the data you collect, you may have missed cookies! Many of the plugins and tools on your website set cookies that collect personal data about your visitors. Similar to adding opt-in consent to contact forms, you are required to disclose your use of cookies and obtain consent from your site visitors before setting any cookie that is not strictly necessary (the consent requirement for cookies comes from the ePrivacy Directive, and the GDPR defines what valid consent looks like). 

You can use top-rated plugins like the free GDPR Cookie Consent Plugin by CookieYes. With this plugin you can fulfil GDPR cookie consent requirements easily:

  • Obtain user consent before setting any cookies except strictly necessary cookies.
  • Give users the ability to give consent only for specific cookie categories. 
  • Provide information about cookies and their purposes.
  • Document cookie consent for proof of compliance.
  • Give users an easy option to withdraw their consent.
A simple cookie consent banner on a WordPress website.

Using the CookieYes plugin, you will also be able to generate a detailed cookie policy for your website. You can then add it to your privacy policy page or publish it as a separate cookie policy page.
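As an added example (not code from the article or from the CookieYes plugin), here is how the first and last of those requirements, no non-essential cookies before consent and an easy way to withdraw it, look in browser-side JavaScript. The cookie name `site_consent`, its JSON layout, the category names and the convention of shipping gated scripts as inert `<script type="text/plain" data-consent="..." data-src="...">` tags are assumptions chosen for this example; real banners differ in the details but follow the same gating logic.

```javascript
// Added example, not CookieYes plugin code: a minimal consent gate for non-essential scripts.
// Assumed (not from the article): consent is stored in a first-party cookie named
// "site_consent" holding JSON such as {"v":1,"ts":1700000000,"analytics":true,"marketing":false}.
// Gated scripts ship as inert <script type="text/plain" data-consent="analytics" data-src="...">
// tags, so nothing executes, and no cookie is set, until a matching category is allowed.

const CONSENT_COOKIE = 'site_consent';                      // hypothetical cookie name
const CATEGORIES = ['necessary', 'analytics', 'marketing'];  // hypothetical category set

// Parse a document.cookie / Cookie-header string into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = part.slice(idx + 1).trim();
  }
  return out;
}

// Return the recorded consent, or null when none exists. Malformed or unexpected values
// also yield null: consent must be an affirmative act, so "unknown" means "not given".
function readConsent(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (raw === undefined) return null;
  let state;
  try {
    state = JSON.parse(decodeURIComponent(raw));
  } catch (e) {
    return null;
  }
  if (!state || typeof state !== 'object' || state.v !== 1) return null;
  const consent = { v: 1, ts: Number(state.ts) || 0 };
  for (const cat of CATEGORIES) {
    consent[cat] = cat === 'necessary' ? true : state[cat] === true; // only an explicit true counts
  }
  return consent;
}

// Strictly necessary cookies need no consent; every other category needs an explicit opt-in.
function isAllowed(consent, category) {
  if (category === 'necessary') return true;
  return consent !== null && consent[category] === true;
}

// Serialise a choice as a Set-Cookie / document.cookie string. Withdrawal is just a new
// record with every non-essential category false; clearConsentCookie() brings the banner back.
function buildConsentCookie(choices, nowSeconds, maxAgeDays = 180) {
  const state = { v: 1, ts: nowSeconds };
  for (const cat of CATEGORIES) {
    if (cat !== 'necessary') state[cat] = choices[cat] === true;
  }
  const value = encodeURIComponent(JSON.stringify(state));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAgeDays * 86400}; Path=/; SameSite=Lax; Secure`;
}

function clearConsentCookie() {
  return `${CONSENT_COOKIE}=; Max-Age=0; Path=/; SameSite=Lax; Secure`;
}

// Pure selection step: which gated scripts may load under this consent state.
function selectScriptsToLoad(consent, gatedScripts) {
  return gatedScripts.filter((s) => isAllowed(consent, s.category));
}

// Browser entry point: turn the allowed inert tags into real script tags. Guarded so the
// same file also loads under Node for offline checks.
function activateGatedScripts() {
  if (typeof document === 'undefined') return [];
  const consent = readConsent(document.cookie);
  const tags = Array.from(document.querySelectorAll('script[type="text/plain"][data-consent]'));
  const descriptors = tags.map((t) => ({ category: t.dataset.consent, src: t.dataset.src, el: t }));
  const allowed = selectScriptsToLoad(consent, descriptors);
  for (const s of allowed) {
    const live = document.createElement('script');
    live.src = s.src;
    s.el.parentNode.insertBefore(live, s.el);
  }
  return allowed.map((s) => s.src);
}

// Constructed sample input: a visitor who accepted analytics but declined marketing.
const SAMPLE_COOKIE_HEADER = 'PHPSESSID=abc123; site_consent=' +
  encodeURIComponent(JSON.stringify({ v: 1, ts: 1700000000, analytics: true, marketing: false }));

// Constructed sample page: one gated script per category (URLs illustrative only).
const SAMPLE_GATED_SCRIPTS = [
  { category: 'necessary', src: '/wp-content/themes/example/cart.js' },
  { category: 'analytics', src: 'https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE' },
  { category: 'marketing', src: 'https://connect.facebook.net/en_US/fbevents.js' },
];

activateGatedScripts(); // no-op under Node; in a browser it loads only the permitted scripts
```

Two points are worth noting. The consent cookie itself is strictly necessary (it exists only to honour the visitor's choice), so it may be set without consent; everything else waits. And the timestamp in the record is what lets you later show when consent was given, which is the "document cookie consent for proof of compliance" item above; a server-side log of the same event is the usual complement.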

Step 5. Encrypt your website with HTTPS

If you still haven’t moved from HTTP to HTTPS, it’s time to do so. GDPR requires that you implement appropriate measures to mitigate data security risks, and it names encryption as one of them. To encrypt traffic to your WordPress website, you need to serve it over HTTPS: obtain a TLS certificate (still commonly called an SSL certificate) and enable it on your server. Installing the certificate is only half the job. You also need to redirect every HTTP request to HTTPS, update the WordPress Address and Site Address under Settings → General to the https:// URLs, add define('FORCE_SSL_ADMIN', true); to wp-config.php so the login and admin pages are never served in clear text, fix any mixed content (images or scripts still loaded over http://), and send a Strict-Transport-Security header so browsers stop trying HTTP at all. 

Many WordPress hosting providers, including Bluehost, SiteGround and WP Engine, provision free certificates from Let’s Encrypt. Cloudflare can also terminate TLS at its edge, but make sure its SSL/TLS mode is set to “Full (strict)”; the “Flexible” mode leaves the connection between Cloudflare and your origin server unencrypted.

Image credits: Cloudflare
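As an added example, not from the article or any vendor, the following JavaScript checks whether a site actually enforces HTTPS rather than merely offering it: the plain-HTTP response must be a permanent redirect to the same host over https://, no cookie may be set over HTTP without the Secure flag, and the HTTPS response must carry an HSTS header with a max-age of at least a year. The evaluation functions run offline on constructed responses; `checkLive(host)` applies the same checks to a real hostname you choose. The thresholds and the sample hostname `example.test` are this example's assumptions.

```javascript
// Added example, not from the article or any vendor: check that HTTPS is enforced, not merely
// available. The evaluation functions are pure and run offline on constructed responses;
// checkLive() applies them to a real host (hostname you supply, run by hand).

// Parse "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload".
function parseHsts(headerValue) {
  if (!headerValue) return null;
  const hsts = { maxAge: 0, includeSubDomains: false, preload: false };
  for (const directive of headerValue.split(';')) {
    const [name, value] = directive.trim().split('=');
    const key = name.toLowerCase();
    if (key === 'max-age') hsts.maxAge = parseInt(value, 10) || 0;
    else if (key === 'includesubdomains') hsts.includeSubDomains = true;
    else if (key === 'preload') hsts.preload = true;
  }
  return hsts;
}

// Evaluate the plain-HTTP response (what a visitor gets before TLS is involved).
// `response` is { statusCode, headers } with lower-cased header names, as Node delivers them.
function evaluateHttpResponse(requestedHost, response) {
  const findings = [];
  const status = response.statusCode;
  if (![301, 302, 307, 308].includes(status)) {
    findings.push('plain HTTP is served instead of redirected: forms and cookies can travel in clear text');
  } else {
    let target = null;
    try { target = new URL(response.headers['location'] || ''); } catch (e) { /* not a URL */ }
    if (!target || target.protocol !== 'https:') findings.push('redirect does not point to an https:// URL');
    else if (target.hostname !== requestedHost) findings.push(`redirect changes host to ${target.hostname}`);
    if (status !== 301 && status !== 308) findings.push('use a permanent 301/308 redirect so browsers cache it');
  }
  const cookies = [].concat(response.headers['set-cookie'] || []);
  for (const cookie of cookies) {
    if (!/;\s*secure(\s*;|\s*$)/i.test(cookie)) {
      findings.push(`cookie ${cookie.split('=')[0]} set over HTTP without the Secure flag`);
    }
  }
  return findings;
}

// Evaluate the HTTPS response: HSTS stops browsers from ever falling back to HTTP.
function evaluateHttpsResponse(response) {
  const findings = [];
  const hsts = parseHsts(response.headers['strict-transport-security']);
  if (!hsts) findings.push('no Strict-Transport-Security header');
  else if (hsts.maxAge < 31536000) findings.push(`HSTS max-age ${hsts.maxAge} is below one year`);
  return findings;
}

// Live check (uses the network; not exercised by the offline samples). Fetches http://host/ and
// https://host/ with Node's standard modules and returns the combined findings.
async function checkLive(host) {
  const http = await import('http');
  const https = await import('https');
  const fetchHead = (mod, url) => new Promise((resolve, reject) => {
    mod.get(url, (res) => { res.resume(); resolve({ statusCode: res.statusCode, headers: res.headers }); })
       .on('error', reject);
  });
  const plain = await fetchHead(http, `http://${host}/`);
  const secure = await fetchHead(https, `https://${host}/`);
  return evaluateHttpResponse(host, plain).concat(evaluateHttpsResponse(secure));
}

// Constructed sample responses: a site with a certificate installed but nothing enforced,
// and the same site after the redirect, Secure cookies and HSTS were configured.
const WEAK_HTTP = {
  statusCode: 200,
  headers: { 'content-type': 'text/html', 'set-cookie': ['PHPSESSID=abc123; Path=/'] },
};
const HARDENED_HTTP = { statusCode: 301, headers: { location: 'https://example.test/' } };
const HARDENED_HTTPS = {
  statusCode: 200,
  headers: { 'strict-transport-security': 'max-age=31536000; includeSubDomains' },
};
```

Run `checkLive('your-host.example')` from a Node REPL after enabling HTTPS; an empty array means the three checks passed. A non-empty result after a "Flexible" Cloudflare setup or a host-only certificate install is the usual way this step turns out to be incomplete.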

Step 6. Ensure data portability

GDPR gives users the right to receive the personal data they provided to you in a machine-readable format (data portability) and, separately, the right to have their personal data erased. WordPress has built-in tools for both. You can find them under Tools → Export Personal Data and Tools → Erase Personal Data.

After entering the user’s username or email address, an automated email is sent to the user to confirm their request. This confirmation step is also how WordPress verifies that the request really comes from the account owner, so do not skip it and act on unverified requests. Once the request is confirmed, you can generate a zip file of the user’s personal data, and WordPress will email that user a link to download the generated zip. Keep in mind that the core tools only know about data that WordPress itself stores (profile, comments, media); a plugin that keeps personal data in its own tables has to register its own exporter and eraser through the wp_privacy_personal_data_exporters and wp_privacy_personal_data_erasers filters, so check that the plugins you rely on do. 

Step 7. Hire a lawyer 

If you are a small website, personal blog or just starting out with your online store, you can get on the right track with the steps listed above. However, if your website receives considerable traffic and you collect a large amount of user data, we recommend that you hire a lawyer and get professional advice for compliance. This way, you can safeguard your business from legal hassles in the future.

If your core activity involves processing a large amount of data, for instance, you are an HR website for job-seekers in the EU, then you may need to appoint a Data Protection Officer (DPO) for GDPR. You can consult with your lawyer and determine whether you need a DPO. 

What happens if my WordPress website isn’t compliant?

You could face an administrative audit by your respective data protection authority and, if non-compliance is established, it may result in GDPR fines. Serious infringements can draw a maximum fine of up to €20 million or 4% of annual global turnover, whichever is higher! 

In practice, the fines will depend on the severity of the infringement, the size of your business and the existing GDPR-compliant measures you have put in place. This means if you are GDPR-ready, you are not likely to face any monetary penalties. 

A few further steps for WordPress GDPR compliance

Now that you have the basics covered for your website, you can take some additional steps to be thorough with your compliance efforts.

Notify about policy updates

If you make any updates to your privacy policy, you need to notify users about the changes. Maintain an email list of all users and send privacy update emails to keep them informed.

Prepare for data breach notifications 

GDPR requires businesses to notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the people affected, and, if the breach is likely to result in a high risk to them, to notify the affected users without undue delay. Your breach notification should include the nature of the breach, the contact details of your data protection officer or another contact point, the likely consequences, and the measures you have taken to address the breach. You are also required to keep an internal record of every breach, including those you decide not to report, so make sure you actually have logging in place that would let you notice a breach in the first place (for example, an activity log plugin and your hosting provider’s access logs).

Maintain a data retention policy

GDPR does not allow businesses to keep users’ personal data for longer than they need it. This means you need to create a data retention policy for all the data you collect. You can check your plugin settings to see if they have data retention schedules. For instance, in WooCommerce, you can delete user data after a set amount of time. You can access this under WooCommerce → Settings → Accounts & Privacy → Personal data retention.

FAQ on WordPress GDPR compliance

Is WordPress GDPR compliant?

WordPress core from version 4.9.6 onwards ships with privacy tooling (a privacy policy template, the comment cookie opt-in checkbox, and personal data export and erasure tools) that helps you comply. Whether your site is actually compliant depends on how you configure it, which plugins and third-party services you use, and the processes around it, so the core software is a starting point rather than a guarantee.

What is WP GDPR?

WP GDPR or WordPress GDPR refers to fine-tuning your WordPress site for GDPR compliance. The goal is to ensure that all the WordPress features, plugins and additional tools that you use on your website are privacy-friendly and comply with the regulations set by the GDPR.

Does my WordPress site need a privacy policy?

Yes. Your WordPress site needs a privacy policy page. You are legally required to inform your website visitors about the personal data you collect, your purpose for collecting and how you are ensuring that their personal data is protected. 

WordPress has an in-built privacy policy template that you can use to get started on your policy. You can head to Settings → Privacy → Create a new privacy policy page

Does WordPress collect personal data?

Yes, like any website, your WordPress website collects personal data from your website visitors and users. For example, if someone leaves a comment on your blog or signs up for your newsletter, you are collecting their personal data such as name and email address. You may use analytics tools to improve your user experience, cookies for retargeting ads, payment information for an online transaction and so on. In short, you are collecting a lot of user data to enable certain services and features and improve your website. 

How do WordPress sites collect user information?

Your WordPress website might be collecting user’s information in a lot of ways such as:

  • Website forms (contact forms, newsletter signups etc.)
  • Comments
  • Through cookies, IP addresses and geolocation 
  • Payment gateways
  • Social media likes and shares
  • Analytics and tracking tools