You are currently viewing The Ultimate Guide to WordPress and GDPR Compliance

The Ultimate Guide to WordPress and GDPR Compliance

Are you confused by GDPR and how it will impact your WordPress site?

The GDPR, short for General Data Protection Regulation, is a European Union law that you have likely heard about. We’ve received dozens of emails from users asking us to explain the GDPR in plain English and share tips on how to make your WordPress site GDPR-compliant.

In this article, we will explain everything you need to know about the GDPR and WordPress (without the complex legal stuff).

The Ultimate Guide to WordPress and GDPR Compliance

Disclaimer

We are not lawyers, and nothing on this website should be considered legal advice.

To help you easily navigate through our ultimate guide to WordPress and GDPR compliance, we have created a table of contents below:

What Is the GDPR?

The General Data Protection Regulation (GDPR) is a European Union (EU) law that took effect on May 25, 2018. The goal of the GDPR is to give EU citizens control over their personal data and change the data privacy approach of organizations across the world.

What is GDPR?

Over the years, you’ve likely gotten dozens of emails from companies like Google about the GDPR, their new privacy policies, and a bunch of other legal stuff. That’s because the EU has made big penalties for people who don’t comply with the regulations.

Businesses that are not in compliance with the GDPR’s requirements can face large fines of up to 4% of a company’s annual global revenue or €20 million (whichever is greater). This is enough reason to cause widespread panic among businesses around the world.

What Is the CCPA?

The state of California introduced similar privacy legislation on January 1, 2020, though the potential fines are much lower.

The California Consumer Privacy Act (CCPA) is designed to protect the personal information of Californian residents. It gives them the right to know what personal information is being collected about them, request its deletion, and opt out of the sale of their data.

In this article, we will focus on the GDPR, but many of the steps we list in this article will also help you become CCPA compliant.

This brings us to the big question that you might be thinking about:

Does the GDPR Apply to My WordPress Website?

The answer is YES. It applies to every business, large and small, around the world (not just in the European Union).

If your WordPress website has visitors from European Union countries, then this law applies to you.

But don’t panic. It’s not the end of the world.

While the GDPR can escalate to those high levels of fines, it will start with a warning, then a reprimand, and then a suspension of data processing.

And only if you continue to violate the law will the large fines hit.

GDPR Fines and Penalties

The EU isn’t some evil government that is out to get you. Their goal is to protect innocent consumers from reckless handling of data that could result in a breach of their privacy.

The maximum fine part, in our opinion, is largely to get the attention of large companies like Facebook and Google so that this regulation is NOT ignored. Furthermore, this encourages companies to actually put more emphasis on protecting the rights of people.

Once you understand what is required by the GDPR and the spirit of the law, then you will realize that none of this is too crazy.

We will also share tools and tips to make your WordPress site GDPR-compliant.

What Is Required of Website Owners Under the GDPR?

The goal of GDPR is to protect users’ personally identifying information (PII) and hold businesses to a higher standard when it comes to how they collect, store, and use this data.

This personal data includes your users’ names, email addresses, physical addresses, IP addresses, health information, income, and more.

GDPR Personal Data

While the GDPR regulation is 200 pages long, here are the most important pillars that you need to know:

You Must Gain Explicit Consent to Collect Personal Information

If you are collecting personal data from an EU resident, then you must get explicit consent or permission that is specific and unambiguous.

In other words, you can’t just send unsolicited emails to someone who gave you their business card or filled out your website contact form. This is spam. Instead, you must allow them to opt in to your marketing newsletter.

For it to be considered explicit consent, you must require a positive opt-in. The checkbox must not be ticked by default, must contain clear wording (no legalese), and must be separate from other terms and conditions.

Your Users Have a Right to Their Personal Data

You must inform individuals where, why, and how their data is processed and stored.

An individual has the right to download their personal data and the right to be forgotten.

This means they have a right to demand that you delete their personal data. When a user clicks an unsubscribe link or asks you to delete their profile, you actually need to do that.

You Must Provide Prompt Data Breach Notifications

Organizations must report certain types of data breaches to relevant authorities within 72 hours unless the breach is considered harmless and poses no risk to individual data.

However, if a breach is high-risk, then the company must also inform individuals who are impacted right away.

This will hopefully prevent cover-ups like Yahoo that were not revealed until the acquisition.

You May Need to Appoint a Data Protection Officer

If you are a public company or process large amounts of personal information, then you must appoint a data protection officer.

This is not required for small businesses. Consult an attorney if you are in doubt.

GDPR Data Protection Officer

Plain English Summary of What’s Required

To put it in plain English, the GDPR makes sure that businesses can’t go around spamming people by sending emails they didn’t ask for. Businesses also can’t sell people’s data without their explicit consent.

Businesses have to delete users’ accounts and unsubscribe them from email lists when asked. Businesses also have to report data breaches and overall be better about data protection.

Sounds pretty good, at least in theory.

But you are probably wondering what you need to do to make sure that your WordPress site is GDPR-compliant.

Well, that really depends on your specific website (more on this later).

Let us start by answering the biggest question that we’ve gotten from users:

Is WordPress GDPR Compliant?

Yes, the WordPress core software has been GDPR-compliant since WordPress 4.9.6, which was released on May 17, 2018. Several GDPR enhancements were added to achieve this.

It’s important to note that when we talk about WordPress, we are talking about self-hosted WordPress.org. This is different from WordPress.com, and you can learn the difference in our guide on WordPress.com vs. WordPress.org.

Having said that, due to the dynamic nature of websites, no single platform, plugin, or solution can offer 100% GDPR compliance. The GDPR compliance process will vary based on the type of website you have, what data you store, and how you process data on your site.

Ok, so you might be thinking, what does this mean in plain English?

Well, by default, WordPress comes with the following GDPR enhancement tools:

Comments Consent Checkbox

Before May 2018, WordPress would store the commenter’s name, email, and website as a cookie on the user’s browser by default. This made it easier for users to leave comments on their favorite blogs because those fields were pre-filled.

Due to the GDPR’s consent requirement, WordPress has added a consent checkbox to the comment form.

WordPress Comments Opt-in for GDPR

The user can leave a comment without checking this box. All this means is that they will have to manually enter their name, email, and website every time they leave a comment.

Tip: Make sure that you are logged out when testing to see if the checkbox is there.

If the checkbox is still not showing, then your theme is likely overriding the default WordPress comment form. Here’s a step-by-step guide on how to add a GDPR comment privacy checkbox in your WordPress theme.

Personal Data Export and Erase Features

WordPress offers site owners the tools they need to comply with the GDPR’s data handling requirements and honor users’ requests for exporting personal data as well as removal of users’ personal data.

WordPress Data Handling - GDPR

The data handling features can be found under the Tools menu inside WordPress admin. From here, you can go to Export Personal Data or Erase Personal Data.

Privacy Policy Generator

WordPress comes with a built-in privacy policy generator. It has a pre-made privacy policy template and offers you guidance on what else to add. This helps you be more transparent with users in terms of what data you store and how you handle their data.

WordPress Privacy Policy Generator for GDPR

You can learn more in our guide on how to create a privacy policy in WordPress.

These three features are enough to make a default WordPress blog GDPR-compliant. However, your website will likely have additional areas that will also need to be in compliance.

Additional Areas on Your Website to Check for GDPR Compliance

As a website owner, you might be using various WordPress plugins that store or process data, and these can affect your GDPR compliance. Common examples include:

Depending on which WordPress plugins you are using on your website, you will need to act accordingly to make sure that your website is GDPR compliant.

A lot of the best WordPress plugins have added GDPR enhancement features. Let’s take a look at some of the common areas that you will need to address.

Google Analytics

Like most website owners, you are likely using Google Analytics to get website stats. This means that you might be collecting or tracking personal data like IP addresses, user IDs, cookies, and other data for behavior profiling.

To be GDPR compliant, you need to do one of the following:

  1. Anonymize the data before storage and processing begins.
  2. Add an overlay that gives notice of cookies and asks users for consent prior to tracking.

Both of these are fairly difficult to do if you are just pasting Google Analytics code manually on your site. However, if you are using MonsterInsights, the most popular Google Analytics plugin for WordPress, then you are in luck.

They have released an EU compliance addon that helps automate the above process.

MonsterInsights EU Compliance Addon

MonsterInsights also has a very good blog post talking about about the GDPR and Google Analytics. This is a must-read if you are using Google Analytics on your site.

Contact Forms

If you are using a contact form in WordPress, then you may need to add extra transparency measures. This is especially true if you are storing the form entries or using the data for marketing purposes.

Here are some things to consider when making your WordPress forms GDPR-compliant:

  • Get explicit consent from users to store their information.
  • Get explicit consent from users if you are planning to use their data for marketing purposes, such as adding them to your email list.
  • Disable cookies, user-agent, and IP tracking for forms.
  • Comply with data deletion requests.
  • Make sure you have a data processing agreement with your form providers if you are using a SaaS form solution.

The good news is that you don’t need to organize a data processing agreement if you are using a WordPress plugin like WPForms, Gravity Forms, or Ninja Forms.

These plugins store your form entries in your WordPress database, so you just need to add a consent checkbox with a clear explanation to stay GDPR compliant.

WPForms, the contact form plugin we use on WPBeginner, has several GDPR enhancements to make it easy for you to add a GDPR consent field, disable user cookies, disable user IP collection, and disable entries with a single click.

GDPR Form Fields in WPForms

You can see our step-by-step guide on how to create GDPR-compliant forms in WordPress.

Email Marketing Opt-in Forms

Similar to contact forms, if you have any email marketing opt-in forms like popups, floating bars, inline forms, and others, then you need to make sure that you get explicit consent from users before adding them to your list.

This can be done by either:

  1. Adding a checkbox that the user has to click before opt-in.
  2. Simply requiring double-optin to your email list.

Top lead-generation solutions like OptinMonster have added GDPR consent checkboxes and other necessary features to help you make your email opt-in forms compliant.

You can read more about GDPR strategies for marketers on the OptinMonster blog.

eCommerce and WooCommerce Stores

If you are using WooCommerce, the most popular eCommerce plugin for WordPress, then you need to make sure your website is in compliance with the GDPR.

Luckily, the WooCommerce team has prepared a comprehensive guide for store owners to help them be GDPR compliant.

Retargeting Ads

If your website is running retargeting pixels or retargeting ads, then you will need to get the user’s consent.

You can do this by using a plugin like Cookie Notice. You can find detailed instructions in our guide on how to add a cookies popup in WordPress for GDPR/CCPA.

Google Fonts

Google Fonts are a great way to customize the typography on your WordPress website.

However, Google Fonts have been found in violation of GDPR regulations. That’s because Google logs your visitor’s IP address each time a font is loaded.

Luckily, there are a few ways to handle this so your website is GDPR-compliant. For example, you can load your fonts locally, replace Google Fonts with another option, or disable them.

You can learn how in our guide on how to make Google Fonts privacy-friendly.

Best WordPress Plugins for GDPR Compliance

There are several WordPress plugins that can help you automate some parts of GDPR compliance.

However, no plugin can offer 100% compliance due to the dynamic nature of websites.

Beware of any WordPress plugin that claims to offer 100% GDPR compliance. They likely don’t know what they are talking about, and it’s best for you to avoid them completely.

Below is our list of recommended plugins for GDPR compliance:

  • If you use Google Analytics, then we recommend you use MonsterInsights and enable their EU compliance addon.
  • WPForms is the most user-friendly WordPress contact form plugin and offers GDPR fields and other features.
  • Cookie Notice is a popular free plugin for adding an EU cookie notice, and it integrates well with top plugins like MonsterInsights and others.
  • GDPR Cookie Consent lets you create an alert bar on your site so the user can decide whether to accept or reject cookies and covers CCPA as well as GDPR.
  • WP Frontend Delete Account is a free plugin that allows users to automatically delete their profile on your site.
  • OptinMonster is advanced lead generation software that offers clever targeting features to boost conversions while being GDPR compliant.
  • PushEngage lets you send targeted push messages to visitors after they leave your site and is fully GDPR compliant.
  • Smash Balloon gives you a GDPR-compliant way to embed live feeds and show posts from Facebook, Twitter, Instagram, YouTube, TripAdvisor, and more.
  • Instead of loading the default share buttons with tracking cookies, the Shared Counts plugin loads static share buttons while displaying share counts.

You will find more options in our expert pick of the best WordPress GDPR plugins to improve compliance.

We will continue to monitor the plugin ecosystem to see if any other WordPress plugin stands out and offers substantial GDPR compliance features.

Final Thoughts

The GDPR has been in effect since May 2018.

Perhaps you have had your WordPress website for a while and have been working towards GDPR compliance. Or you may be just starting out with a new website.

Either way, there is no need for panic. Just continue to work towards compliance and get it done ASAP.

You may be concerned about the large fines. Remember that the risk of being fined is minimal. The European Union’s website states that first, you’ll get a warning, then a reprimand, and fines are the last step if you fail to comply and knowingly ignore the law.

Remember that the EU is not out to get you. They are doing this to protect user data and restore people’s trust in online businesses.

As the world goes digital, we need these standards. With the recent data breaches of large companies, it’s important that these standards are adapted globally.

It will be good for all involved. These new rules will help boost consumer confidence and, in turn, help grow your business.

We hope this tutorial helped you learn how to become GDPR-compliant on your WordPress blog. You might also like to see our expert guides on how to make your website GDPR-compliant.

Expert Guides on Making Your WordPress Site GDPR-Compliant

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

Legal Disclaimer

We are not lawyers, and nothing on this website should be considered legal advice. Due to the dynamic nature of websites, no single plugin or platform can offer 100% legal compliance.

When in doubt, it’s best to consult a specialist internet law attorney to determine if you are in compliance with all applicable laws for your jurisdictions and your use cases.

Additional Resources

The post The Ultimate Guide to WordPress and GDPR Compliance first appeared on WPBeginner.

Dr Crash says:

Dr Crash

Behind the Scenes drummer for the Syndicated Solution