The Ultimate Guide to WordPress and GDPR Compliance – Everything You Need to Know

By WP Saviour •  Updated: 09/22/20 •  15 min read

Are you confused by GDPR, and the way it will affect your WordPress website? GDPR, quick for Normal Information Safety Regulation, is an European Union regulation that you’ve seemingly heard about. We’ve got acquired dozens of emails from customers asking us to clarify GDPR in plain English and share recommendations on the best way to make your WordPress website GDPR compliant. On this article, we are going to clarify every little thing you have to find out about GDPR and WordPress (with out the complicated authorized stuff).


Disclaimer: We’re not attorneys. Nothing on this web site ought to be thought-about authorized recommendation.

That can assist you simply navigate by our final information to WordPress and GDPR Compliance, we now have created a desk of content material beneath:

Desk of Content material

What’s GDPR?

The Normal Information Safety Regulation (GDPR) is a European Union (EU) regulation taking impact on Could 25, 2018. The aim of GDPR is to offer EU residents management over their private knowledge and alter the information privateness method of organizations the world over.


You’ve seemingly gotten dozens of emails from corporations like Google and others relating to GDPR, their new privateness coverage, and bunch of different authorized stuff. That’s as a result of the EU has put in hefty penalties for individuals who are usually not in compliance.


Mainly after Could 25th, 2018, companies that aren’t in compliance with GDPR’s requirement can face massive fines as much as 4% of an organization’s annual world income OR €20 million (whichever is larger). That is sufficient motive to trigger wide-spread panic amongst companies world wide.

This brings us to the massive query that you simply is likely to be fascinated about:

Does GDPR apply to my WordPress website?

The reply is YES. It applies to each enterprise, massive and small, world wide (not simply within the European Union).

In case your web site has guests from European Union nations, then this regulation applies to you.

However don’t panic, this isn’t the tip of the world.

Whereas GDPR has the potential to escalate to these excessive degree of fines, it is going to begin with a warning, then a reprimand, then a suspension of knowledge processing, and if you happen to proceed to violate the regulation, then the big fines will hit.


The EU isn’t some evil authorities that’s out to get you. Their aim is to guard customers, common folks such as you and me from reckless dealing with of knowledge / breaches as a result of it’s getting uncontrolled.

The utmost positive half in our opinion is basically to get the eye of enormous corporations like Fb and Google, so this regulation is NOT ignored. Moreover, this encourage corporations to truly put extra emphasis on defending the rights of individuals.

When you perceive what’s required by GDPR and the spirit of the regulation, then you’ll understand that none of that is too loopy. We may even share instruments / tricks to make your WordPress website GDPR compliant.

What’s required below GDPR?

The aim of GDPR is to guard consumer’s personally figuring out info (PII) and maintain companies to the next normal in relation to how they gather, retailer, and use this knowledge.

The non-public knowledge contains: identify, emails, bodily handle, IP handle, well being info, earnings, and so on.


Whereas the GDPR regulation is 200 pages lengthy, listed below are a very powerful pillars that you have to know:

Specific Consent – if you happen to’re accumulating private knowledge from an EU resident, then it’s essential to get hold of specific consent that’s particular and unambiguous. In different phrases, you’ll be able to’t simply ship unsolicited emails to individuals who gave you their enterprise card or crammed out your web site contact kind as a result of they DID NOT opt-in in your advertising and marketing publication (that’s known as SPAM by the best way, and also you shouldn’t be doing that in any case).

For it to be thought-about specific consent, it’s essential to require a optimistic opt-in (i.e no pre-ticked checkbox), include clear wording (no legalese), and be separate from different phrases & situations.

Rights to Information – it’s essential to inform people the place, why, and the way their knowledge is processed / saved. A person has the best to obtain their private knowledge and a person additionally has the best to be forgotten which means they’ll ask for his or her knowledge to be deleted.

This can make it possible for while you hit Unsubscribe or ask corporations to delete your profile, then they really do this (hmm, go determine). I’m you Zenefits, nonetheless ready for my account to be deleted for two years and hoping that you simply cease sending me spam emails simply because I made the error of attempting out your service.

Breach Notification – organizations should report sure sorts of knowledge breaches to related authorities inside 72 hours, except the breach is taken into account innocent and poses no threat to particular person knowledge. Nevertheless if a breach is high-risk, then the corporate MUST additionally inform people who’re impacted immediately.

This can hopefully stop cover-ups like Yahoo that was not revealed till the acquisition.

Information Safety Officers – in case you are a public firm or course of massive quantities of non-public info, then it’s essential to appoint a knowledge safety officer. Once more this isn’t required for small companies. Seek the advice of an lawyer if you happen to’re unsure.


To place it in plain English, GDPR makes positive that companies can’t go round spamming folks by sending emails they didn’t ask for. Companies can’t promote folks’s knowledge with out their specific consent (good luck getting this consent). Companies should delete consumer’s account and unsubscribe them from e mail lists if the consumer ask you to try this. Companies should report knowledge breaches and total be higher about knowledge safety.

Sounds fairly good, in concept not less than.

Okay so now you’re most likely questioning what do you have to do to make it possible for your WordPress website is GDPR compliant.

Properly, that basically will depend on your particular web site (extra on this later).

Allow us to begin by answering the largest query that we’ve gotten from customers:

Is WordPress GDPR Compliant?

Sure, as of WordPress 4.9.6, the WordPress core software program is GDPR compliant. WordPress core group has added a number of GDPR enhancements to make it possible for WordPress is GDPR compliant. It’s necessary to notice that after we speak about WordPress, we’re speaking about self-hosted (see the distinction: vs

Having stated that, as a result of dynamic nature of internet sites, no single platform, plugin or answer can supply 100% GDPR compliance. The GDPR compliance course of will range based mostly on the kind of web site you’ve gotten, what knowledge you retailer, and the way you course of knowledge in your website.

Okay so that you is likely to be pondering what does this imply in plain english?

Properly, by default WordPress 4.9.6 now comes with the next GDPR enhancement instruments:

Feedback Consent


By default, WordPress used to retailer the commenters identify, e mail and web site as a cookie on the consumer’s browser. This made it simpler for customers to go away feedback on their favourite blogs as a result of these fields have been pre-populated.

Attributable to GDPR’s consent requirement, WordPress has added the remark consent checkbox. The consumer can go away a remark with out checking this field. All it will imply is that they must manually enter their identify, e mail, and web site each time they go away a remark.

Replace: In case your theme shouldn’t be displaying the remark privateness checkbox, then please just be sure you have up to date to WordPress 4.9.6 and are utilizing the most recent model of your theme. Additionally please just be sure you are logged-out when testing to see if the checkbox is there.

If the checkbox remains to be not displaying, then your theme is probably going overriding the default WordPress remark kind. Right here’s a step-by-step information on the best way to add a GDPR remark privateness checkbox in your WordPress theme.

Information Export and Erase Function


WordPress gives website house owners the power to adjust to GDPR’s knowledge dealing with necessities and honor consumer’s request for exporting private knowledge in addition to elimination of consumer’s private knowledge.

The info dealing with options will be discovered below the Instruments menu inside WordPress admin.

Privateness Coverage Generator


WordPress now comes with a built-in privateness coverage generator. It gives a pre-made privateness coverage template and give you steerage by way of what else so as to add, so that you will be extra clear with customers by way of what knowledge you retailer and the way you deal with their knowledge.

These three issues are sufficient to make a default WordPress weblog GDPR compliant. Nevertheless it is vitally seemingly that your web site has further options that may even have to be in compliance.

Areas on Your Web site which are Impacted by GDPR

As a web site proprietor, you is likely to be utilizing varied WordPress plugins that retailer or course of knowledge like contact kinds, analytics, e mail advertising and marketing, on-line retailer, membership websites, and so on.

Relying on which WordPress plugins you’re utilizing in your web site, you would want to behave accordingly to make it possible for your web site is GDPR compliant.

A number of the best WordPress plugins have already gone forward and added GDPR enhancement options. Let’s check out a number of the widespread areas that you’d want to handle:

Google Analytics

Like most web site house owners, you’re seemingly utilizing Google Analytics to get web site stats. Which means it’s doable that you simply’re accumulating or monitoring private knowledge like IP addresses, consumer IDs, cookies and different knowledge for habits profiling. To be GDPR compliant, you have to do one of many following:

  1. Anonymize the information earlier than storage and processing begins
  2. Add an overlay to the location that offers discover of cookies and ask customers for consent previous to monitoring

Each of those are pretty troublesome to do if you happen to’re simply pasting Google Analytics code manually in your website. Nevertheless, if you happen to’re utilizing MonsterInsights, the preferred Google Analytics plugin for WordPress, then you definitely’re in luck.

They’ve launched an EU compliance addon that helps automate the above course of. MonsterInsights additionally has an excellent weblog put up about all you have to find out about GDPR and Google Analytics (this can be a should learn, if you happen to’re utilizing Google Analytics in your website).


Contact Types

In case you are utilizing a contact kind in WordPress, then you might have so as to add additional transparency measures specifically if you happen to’re storing the shape entries or utilizing the information for advertising and marketing functions.

Beneath are the stuff you may need to think about for making your WordPress kinds GDPR compliant:

The great half is that if you happen to’re utilizing WordPress plugins like WPForms, Gravity Types, Ninja Types, Contact Type 7, and so on, then you definitely don’t want a Information Processing Settlement as a result of these plugins DO NOT retailer your kind entries on their website. Your kind entries are saved in your WordPress database.

Merely including a required consent checkbox with clear clarification ought to be adequate so that you can make your WordPress kinds GDPR compliant.

WPForms, the contact kind plugin we use on WPSaviour, has added a number of GDPR enhancements to make it straightforward so that you can add a GDPR consent area, disable consumer cookies, disable consumer IP assortment, and disable entries with a single click on.


Word: We’ve got created a step-by-step information on the best way to create GDPR compliant kinds in WordPress.

Electronic mail Advertising and marketing Choose-in Types

Much like contact kinds, in case you have any e mail advertising and marketing opt-in kinds like popups, floating bars, inline-forms, and others, then you have to just be sure you’re accumulating specific consent from customers earlier than including them to your record.

This may be executed with both:

  1. Including a checkbox that consumer has to click on earlier than opt-in
  2. Merely requiring double-optin to your e mail record

High lead-generation options like OptinMonster has added GDPR consent checkboxes and different crucial options that will help you make your e mail opt-in kinds compliant. You possibly can learn extra concerning the GDPR strategies for marketers on the OptinMonster weblog.

WooCommerce / Ecommerce

If you happen to’re utilizing WooCommerce, the preferred eCommerce plugin for WordPress, then you have to be sure that your web site is in compliance with GDPR.

The WooCommerce group has ready a complete information for retailer house owners to assist them be GDPR compliant.

Retargeting Advertisements

In case your web site is working retargeting pixels or retargeting advertisements, then you’ll need to get consumer’s consent. You are able to do this by utilizing a plugin like Cookie Notice.

Finest WordPress Plugins for GDPR Compliance

There are a number of WordPress plugins that may assist automate some points of GDPR compliance for you. Nevertheless, no plugin can supply 100% compliance as a result of dynamic nature of internet sites.

Watch out for any WordPress plugin that claims to supply 100% GDPR compliance. They seemingly don’t know what they’re speaking about, and it’s greatest so that you can keep away from them utterly.

Beneath is our record of really helpful plugins for facilitating GDPR compliance:

We are going to proceed to watch the plugin ecosystem to see if some other WordPress plugin stands out and supply substantial GDPR compliance options.

Last Ideas

Whether or not you’re prepared or not, GDPR will go in impact on Could 25, 2018. In case your web site shouldn’t be compliant earlier than then, don’t panic. Simply proceed to work in direction of compliance and get it executed asap.

The probability of you getting a positive the day after this rule goes in impact are fairly near zero as a result of the European Union’s web site states that first you’ll get a warning, then a reprimand, and fines are the final step if you happen to fail to conform and knowingly ignore the regulation.

The EU shouldn’t be out to get you. They’re doing this to guard consumer’s knowledge and restore folks’s belief in on-line companies. Because the world goes digital, we’d like these requirements. With the current knowledge breaches of enormous corporations, it’s necessary that these requirements are tailored globally.

Will probably be good for all concerned. These new guidelines will assist increase shopper confidence and in flip assist develop your online business.

We hope this text helped you find out about WordPress and GDPR compliance. We are going to do our greatest to maintain it up to date as extra info or instruments get launched.

If you happen to preferred this text, then please subscribe to our YouTube Channel for WordPress video tutorials. You may as well discover us on Twitter and Fb.

Further Assets

Authorized Disclaimer / Disclosure

We’re not attorneys. Nothing on this web site ought to be thought-about authorized recommendation. Because of the dynamic nature of internet sites, no single plugin or platform can supply 100% authorized compliance. When unsure, it’s greatest to seek the advice of a specialist web regulation lawyer to find out in case you are in compliance with all relevant legal guidelines in your jurisdictions and your use instances.

gp-5325034 as-9032150

WP Saviour

I am a WordPress specialist. My mission is to help you create beautiful websites with ease!