A Simple Guide to Make your WordPress Site GDPR Compliant


The General Data Protection Regulation (GDPR) overhauls how businesses process and handle personal data. It came into effect on May 25, 2018, and governs how businesses and the public sector handle the personal data of hundreds of millions of EU residents. Although the law is an EU regulation, its reach is global: businesses outside the EU still face penalties and fines if they process EU residents' data and do not comply. It is therefore crucial to make your WordPress site GDPR compliant even if you aren't based in the EU. If you haven't already prepared your website, here's a simple guide to making your WordPress site GDPR compliant.

Update to WordPress 4.9.6 or Higher


WordPress 4.9.6 added a set of privacy tools to WordPress core that make it much easier to set your site up for GDPR compliance. Several privacy features arrived in 4.9.6; the ones below are the ones you should focus on when making your WordPress site GDPR compliant.

Comments Cookie Option:

WordPress stores a cookie so returning commenters don't have to retype their name, email and website when leaving a new comment. Since 4.9.6 the comment form includes an opt-in checkbox ("Save my name, email, and website in this browser for the next time I comment."), and the cookie is only set when the commenter ticks it. No code change is needed for this; just confirm the checkbox actually appears on your theme's comment form, since a theme that builds its own form may omit it.

Data Export and Erase:

There are two new items under Tools: Export Personal Data and Erase Personal Data. If you collect your users' information, you can now export a user's data or erase it from your database at their request. Both tools work by email address: WordPress sends a confirmation link to that address, and only after the person clicks it can you generate the export or run the erasure. Keep that confirmation step; it is what stops someone from requesting, or deleting, another person's data simply by knowing their email address. Note that the tools only cover data that WordPress core, and plugins that have registered with these tools, know about; data your own plugins or theme store elsewhere in the database has to be hooked in separately.
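If a custom plugin or theme keeps personal data of its own (contact-form submissions are a common case), the Tools screens will silently skip it unless you register an exporter and an eraser for it. The following is an added example for this guide, not code from WordPress core or from any plugin mentioned on this page; it assumes a hypothetical table named `{$wpdb->prefix}contact_submissions` with columns `id`, `name`, `email`, `message` and `submitted_at`, and hypothetical function names prefixed `cs_`. The filter names, callback signatures and return shapes are the ones WordPress core defines.

```php
<?php
/**
 * Plugin Name: Contact Submissions Privacy Hooks (example)
 * Description: Registers a personal-data exporter and eraser for a
 * hypothetical contact-form submissions table so that Tools > Export
 * Personal Data and Tools > Erase Personal Data cover it.
 * Added example for this guide; not part of WordPress core or any plugin.
 */

// Assumed (hypothetical) table: {$wpdb->prefix}contact_submissions
// with columns id, name, email, message, submitted_at.

add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['contact-submissions'] = array(
        'exporter_friendly_name' => __( 'Contact form submissions' ),
        'callback'               => 'cs_export_personal_data',
    );
    return $exporters;
} );

add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['contact-submissions'] = array(
        'eraser_friendly_name' => __( 'Contact form submissions' ),
        'callback'             => 'cs_erase_personal_data',
    );
    return $erasers;
} );

/**
 * Exporter callback. Core calls it with $page = 1, 2, ... until the
 * returned 'done' flag is true, so large result sets are paged rather
 * than loaded in one go. Each item becomes a group in the export file.
 */
function cs_export_personal_data( $email_address, $page = 1 ) {
    global $wpdb;
    $per_page = 100;
    $offset   = ( (int) $page - 1 ) * $per_page;
    $table    = $wpdb->prefix . 'contact_submissions';

    // The email address comes from the request form: always bind it with
    // prepare(); never interpolate it into the SQL string.
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, name, email, message, submitted_at FROM {$table}
         WHERE email = %s ORDER BY id LIMIT %d OFFSET %d",
        $email_address, $per_page, $offset
    ) );

    $export_items = array();
    foreach ( $rows as $row ) {
        $export_items[] = array(
            'group_id'    => 'contact-submissions',
            'group_label' => __( 'Contact form submissions' ),
            'item_id'     => 'contact-submission-' . $row->id,
            'data'        => array(
                array( 'name' => __( 'Name' ),      'value' => $row->name ),
                array( 'name' => __( 'Email' ),     'value' => $row->email ),
                array( 'name' => __( 'Message' ),   'value' => $row->message ),
                array( 'name' => __( 'Submitted' ), 'value' => $row->submitted_at ),
            ),
        );
    }

    return array(
        'data' => $export_items,
        'done' => count( $rows ) < $per_page,
    );
}

/**
 * Eraser callback. Same paging contract. Report accurately what was
 * removed and whether anything was retained (for example rows you must
 * keep for a legal obligation), because the admin sees these flags and
 * messages in the Erase Personal Data screen.
 */
function cs_erase_personal_data( $email_address, $page = 1 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'contact_submissions';

    $deleted = $wpdb->query( $wpdb->prepare(
        "DELETE FROM {$table} WHERE email = %s",
        $email_address
    ) );

    return array(
        'items_removed'  => (bool) $deleted,
        'items_retained' => false,
        'messages'       => array(),
        'done'           => true,
    );
}
```

Drop the file into wp-content/mu-plugins/ (or ship it inside the plugin that owns the table), then file a request under Tools > Export Personal Data for an address that appears in the table and confirm the "Contact form submissions" group shows up in the generated file. If you keep some rows for a legal reason, set `items_retained` to true and add a message explaining why instead of deleting them silently.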

Policy Generator:

You can either select an existing page as your privacy policy or create a new one. Visit Settings > Privacy from your dashboard and choose the appropriate option. If you use the generated policy, it already includes the privacy information and disclosures that relate to WordPress core. It also adds helpful headings for the other information you should add to make your WordPress site GDPR compliant, such as contact forms, analytics, contact information, data protection and breach disclosure.

Update Your Privacy Policy


Depending on the services and plugins you use, you will have to update your privacy policy to include disclosures for all of the cookies and data being collected on your website. Below are a few disclosures that are the most common ones.

Cookies Collected:

The most common ones are:

  • Google Analytics and other tracking services
  • Google AdWords, Bing Ads and other ad networks
  • Cloudflare and CDN services
  • Opt-ins or pop-ups
  • Push Notifications
  • Video Players
  • Heatmaps
  • Shopping Carts

If you own a website, you need to know which cookies it sets. Open a browser and clear its cookies first. Then, with the cookies cleared, visit your homepage and your blog, right-click the page and choose Inspect (or press F12) to open the developer tools. Under the Application tab (the Storage tab in Firefox), expand Cookies in the left-hand panel, click your site's URL and review every cookie being set. Repeat this on a page that embeds third-party content (a video, a map, an ad slot), because those embeds set their own cookies, and check again after logging in, since WordPress sets additional session cookies for logged-in users. All of these should be disclosed on your privacy policy page, along with a section explaining how users can disable or delete cookies in their browser.

Contact Forms:

Make sure you include a consent checkbox on your contact forms, if you have any. If you're using a contact form plugin, check whether the plugin is GDPR compliant. Some of the popular contact form plugins, such as Contact Form 7 and WPForms, have already added consent fields to their forms. After choosing a contact form plugin and adding a consent confirmation, you will also need to add a section to your privacy policy page about the information you collect. This depends on the fields you include in your forms: name, email, address, age or anything else.

Newsletters:

You need to confirm user consent for newsletters. This can be done either with a checkbox that a user has to tick before they opt in, or by requiring double opt-in for your email list.

Double opt-in is easy to enable in MailChimp. Log into your account and visit Lists > Opt-in Settings. Then select the mailing lists you'd like to add double opt-in to and save. With your consent confirmation method in place, add a section to your privacy policy page explaining that you retain users' email addresses for your newsletter.

WooCommerce Data:

If you run an ecommerce store, you need to disclose what customer data you retain, for how long and what you do with it. First, use WooCommerce's built-in privacy features. After installing and updating the plugin, visit WooCommerce > Settings > Accounts & Privacy. There, enable the options for personal data retention, erasure and privacy policy links. Then add the appropriate disclosures to your privacy policy, covering every aspect of how you collect and retain personal data.

Add a Cookie Notice

(Image: example cookie notice. Credit: Thirty Bees)

You must disclose your use of cookies not only in your privacy policy but also via a notice. Add a cookie disclosure and acceptance notice to the first page a user visits, so that your visitors know cookies are being used. Bear in mind that a banner that merely informs is not consent: for non-essential cookies such as analytics and advertising, GDPR consent has to be an affirmative action taken before those cookies are set, so prefer a plugin that holds back those scripts until the visitor accepts. There are many plugins to help you display your cookie notice, such as Cookie Notice (free) and WeePie Cookie Allow (premium).

Easier access for users to Request/Delete their Information

(Image: user data request form. Credit: Publika.MD)

WordPress 4.9.6 added easy options for user data management, so if a user asks you for a copy of their information or for it to be deleted completely, you can handle the request smoothly. But for users to submit such a request, you first need a contact form or page they can use to get in touch. Installing a contact form plugin streamlines these submissions and is the better option if your website has many users. If your website is a basic blog or business site with no user accounts other than your own, a contact email in your privacy policy is enough.

Notifications for Policy Updates

(Image: policy update notification. Credit: Host Capitol)

Policy updates and data breach notifications come into play if you offer user accounts on your website, collect customer information or maintain a newsletter. After updating your privacy policy to comply with GDPR, notify your users of the changes. If you use an email platform, send out a short privacy update notice. If you use a GDPR compliance plugin for WordPress, it may have a built-in notification system for this. Data breach notifications are stricter: GDPR requires you to report a personal data breach to your supervisory authority within 72 hours of becoming aware of it, and to inform the affected users without undue delay when the breach is likely to put them at high risk, so keep a current way of reaching them.

These were a few tips to make your WordPress site GDPR compliant. We hope this article helps you get started with GDPR.

(Image credit: ICO)

Note: GDPR applies to businesses and organizations based outside the EU as long as they handle data about EU residents.

We’d love to hear your thoughts and/or questions on GDPR, so feel free to leave a comment using the box below.


Reference: WP Explorer
