
How to Make Your WordPress Site GDPR Compliant


GDPR (the General Data Protection Regulation) applies as of May 25th, and with it come a few new rules most websites should adhere to even if they aren’t based in the EU. So if you haven’t already prepped your website, here’s our quick and easy guide on how to make your WordPress site GDPR compliant in just 5 steps.

We’ll cover key points to help get you on your way to compliance, and fast. Why the rush? By choosing not to comply, your business could face fines anywhere from 4% of your annual revenue up to €20 million (yikes). While the higher end of that spectrum is likely aimed at giants such as Amazon and Facebook, we always recommend playing by the rules. So here’s how you can have your WordPress site GDPR compliant ASAP.

IMPORTANT: We are not lawyers, we are simply sharing information about GDPR compliance and some of the steps we’ve used while updating our own website. Following the steps below does not guarantee you fully comply with GDPR requirements. Please consult a lawyer or GDPR consultant to be sure your website is in full compliance.

Table of Contents

  1. Update to WordPress 4.9.6 (or higher)
  2. Update Your Privacy Policy
  3. Add a Cookie Notice
  4. Make it Easy for Users to Request/Delete Their Info
  5. Notifications for Policy Updates or Data Breach

Step 1: Update to WordPress 4.9.6 (or higher)

This is the easy step, since WordPress 4.9.6 added tons of built-in privacy settings to WordPress core. Just by updating your core WordPress installation (which you should already be doing) you’re already setting yourself up for GDPR compliance success. There is a full laundry list of privacy features WordPress added in this update, but as far as GDPR compliance is concerned, here are a few key features you should check out.

Comments Cookie Optin

By default WordPress stores a cookie so users don’t have to retype their information when leaving a new comment on your site. Now there is an optin included on the comments form automatically – you don’t have to do anything except maybe style it if you don’t love how it looks (note: you won’t see this one on the WPExplorer blog since we disabled it – we don’t feel it’s necessary to store that information in your browser, so we chose to get rid of that cookie).

Data Export and Erase

Under Tools there are two new items: Export personal data and Erase personal data. If your site collects user information (via subscriber accounts, customer profiles, etc) you can quickly and easily export a user’s information or completely erase them from your database at their request.

Policy Generator

If you log into WordPress and go to Settings > Privacy you can either use your current privacy policy if you have one, or Create New Page to auto-generate a policy for your site.

WordPress Generated Privacy Policy

If you do use the generated policy, it will already include privacy information and disclosures related to WordPress core. But it also adds in helpful headings for other suggested information you should add for GDPR compliance (such as contact forms, analytics, contact information, data protection, breach disclosure, etc).

Step 2: Update Your Privacy Policy

Using the auto-generated policy is a good start, but depending on the services and plugins you use on your website you’ll need to update your policy to include disclosures for all of the cookies and data being collected on your website.

Cookies Collected

Here are some of the most common:

  • Google Analytics and other tracking services
  • Google Adwords, Bing and other ad networks
  • Cloudflare and CDN services
  • Optins or pop-ups
  • Push notifications
  • Video players
  • Heatmaps
  • Shopping carts

To figure out what cookies your website is using (if you don’t already know), open a browser and clear your cookies (for example Firefox > History > Clear Recent History…, then select “Everything” and check the cookies option, or Chrome > Settings > Clear browsing data, then select “All time” and check the “Cookies and other site data” option). With your cookies cleared, visit your website homepage and blog, then right-click and choose Inspect to open the developer tools. In Chrome select the “Application” tab (in Firefox it’s under “Storage”), then click on the Cookies option on the left side of the screen. From here you should be able to click on your website URL and view all of the cookies being set; any third-party origins (ad networks, analytics, embedded video players) show up there as separate entries, and their cookies count too. These should all be disclosed in your privacy policy.
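The developer-tools walk-through above gives you the raw list; the next job is turning it into something you can paste into a policy. The following is an added example (not code from this article or from any plugin it mentions) that parses the Set-Cookie headers recorded while loading a site and builds a disclosure table with scope, retention and security flags. The site name example.com, the capture and every cookie in it are constructed for the demo, and the function names are this example’s own.

```javascript
// Added example, not code from the WPExplorer article: build a cookie
// inventory for a privacy policy from the Set-Cookie headers seen while
// loading the site with a clean browser profile. The site name and every
// header below are constructed for this demo.

const SITE_HOST = 'example.com'; // assumed: the site being audited

// Constructed capture: which host answered, and the Set-Cookie header it sent.
const SAMPLE_CAPTURE = [
  { from: 'example.com', header: 'wordpress_test_cookie=WP+Cookie+check; path=/; secure' },
  { from: 'example.com', header: 'comment_author_12ab=Kyla; Max-Age=31536000; path=/; domain=example.com; SameSite=Lax' },
  { from: 'example.com', header: '_ga=GA1.2.123456789.1700000000; expires=Sun, 01 Jun 2026 00:00:00 GMT; path=/; domain=.example.com' },
  { from: 'stats.g.doubleclick.net', header: 'IDE=c0nstructed; expires=Mon, 01 Jun 2026 00:00:00 GMT; domain=.doubleclick.net; path=/; Secure; SameSite=None' },
];

// Parse one Set-Cookie header into its name/value pair and attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    value: eq === -1 ? '' : pair.slice(eq + 1),
    domain: null, path: '/', maxAge: null, expires: null,
    secure: false, httpOnly: false, sameSite: null,
  };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? '' : attr.slice(i + 1).trim();
    switch (key) {
      case 'domain': cookie.domain = val.replace(/^\./, '').toLowerCase(); break;
      case 'path': cookie.path = val || '/'; break;
      case 'max-age': cookie.maxAge = Number(val); break;
      case 'expires': cookie.expires = val; break;
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'samesite': cookie.sameSite = val || null; break;
      default: break; // unknown attributes are ignored, as browsers do
    }
  }
  return cookie;
}

// Human-readable lifetime. Max-Age wins over Expires when both are present.
function retention(cookie) {
  if (cookie.maxAge !== null) {
    return cookie.maxAge <= 0 ? 'deleted immediately' : `${Math.round(cookie.maxAge / 86400)} days`;
  }
  if (cookie.expires) return `until ${cookie.expires}`;
  return 'session (deleted when the browser closes)';
}

// "First-party" here means scoped to your own domain. A cookie like _ga is
// first-party by scope yet belongs to a third-party service, so disclose it too.
function isFirstParty(cookie, responseHost, siteHost) {
  const scope = (cookie.domain || responseHost).toLowerCase();
  return scope === siteHost || scope.endsWith('.' + siteHost);
}

function cookieInventory(captured, siteHost) {
  return captured.map(({ from, header }) => {
    const c = parseSetCookie(header);
    return {
      name: c.name,
      setBy: from,
      scope: c.domain || from,
      party: isFirstParty(c, from, siteHost) ? 'first-party' : 'third-party',
      retention: retention(c),
      flags: [c.secure && 'Secure', c.httpOnly && 'HttpOnly', c.sameSite && `SameSite=${c.sameSite}`]
        .filter(Boolean).join(' '),
    };
  });
}

// Plain-text table suitable for a policy appendix.
function renderInventory(rows) {
  const header = ['Cookie', 'Set by', 'Party', 'Retention', 'Flags'];
  const lines = rows.map(r => [r.name, r.setBy, r.party, r.retention, r.flags]);
  const widths = header.map((h, i) => Math.max(h.length, ...lines.map(l => l[i].length)));
  const fmt = cols => cols.map((c, i) => c.padEnd(widths[i])).join('  ').trimEnd();
  return [fmt(header), ...lines.map(fmt)].join('\n');
}

console.log(renderInventory(cookieInventory(SAMPLE_CAPTURE, SITE_HOST)));
```

Feed it the real headers from your own capture (the Network panel in the same developer tools shows them per response) and compare the result against the cookies section of your policy; anything in the table that the policy does not mention is a gap.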

In addition to disclosing the cookies used on your website, you should also include a section on how users can disable or delete cookies in their browser. In our own policy we chose to link to the following browser guides:

Contact Forms

Be sure to include a checkbox for consent on your contact forms if you have any. Lucky for you, popular contact form plugins have already been updated to make sure their forms are GDPR compliant. Here are a few form plugins that are already GDPR ready.

Contact Form 7

If you’re using Contact Form 7, you can simply add an acceptance checkbox to your forms. Just add this before your submit button: [acceptance accept-this-1] Check here to consent to this website storing my information so they can respond. [/acceptance]

WPForms WordPress Plugin

The folks over at WPForms have added a GDPR agreement module you can add to all of your forms. First enable the “GDPR Enhancements” under the WPForms settings, then edit your existing forms to insert the new “GDPR Agreement” checkbox. This way users can confirm that they consent to sending you their information.

So after you’ve picked a contact form plugin and added a consent confirmation for GDPR, you’ll also need to add a section to your privacy policy about the information you collect. This will depend on the fields you include in your forms – name, email, address, age, or anything else.

Newsletters

Similar to contact forms you need to confirm user consent for newsletters. This can be done with either a checkbox that a user has to click before they opt-in, or by requiring double-optin to your email list (if you don’t already).

If you use MailChimp, double opt-in is easy to enable. Just log into your account, go to your Lists and click on the button for “Opt-in Settings.” From here just select the mailing lists you’d like to add a double opt-in to and then save. Easy!

With your consent confirmation method in place, add a section to your privacy policy stating that you retain users’ email addresses for your newsletter.

WooCommerce Data

If you have a store you’ll need to disclose how you are retaining customer data, for how long and what you do with it.

First, use WooCommerce’s built-in privacy features. After installing or updating the plugin go to the Settings > Accounts & Privacy section. Enable options for personal data retention, erasure, and privacy policy links.

Next, make sure to add appropriate disclosures to your privacy policy. You might want to consider sections on why your website would collect personal data, how it’s used (to improve your website to better serve users, to process transactions, for promotions, etc), how you protect user information and payment processing.

For more information on WooCommerce and GDPR please reference their guide.

Note: This is in no way a comprehensive list of disclosures – these are just a few, common examples.

Step 3: Add a Cookie Notice

We recently talked exclusively about the EU Cookie Law and how to make your site cookie law compliant. To simplify: you must disclose your use of cookies, and not just in your privacy policy. You need to add a cookie disclosure and acceptance notice to the first page a user visits. Luckily, there are tons of plugins that can help. Here are a couple of popular options.

Cookie Notice by dFactory Free WordPress Plugin

The free Cookie Notice plugin is a great, easy way to add a simple cookie notification and optin to your website. The plugin includes settings to add a custom message, links for more information and a button to accept or refuse cookies. You can also add a cookie expiration (at which point users will have to optin again), define the script placement (header or footer) and add simple styling with the included options (text color, button style, position and animation).

WeePie Cookie Allow GDPR Cookie Consent Premium WordPress Plugin

Alternatively, you could give the premium WeePie Cookie Allow plugin a try. This more advanced cookie compliance plugin includes options to comply with the EU, UK, Dutch, Italian and German cookie laws. Choose a consent method (explicit via button or implied on scroll), style (box or bar plus design options) and add links to a privacy policy or site terms. This plugin is also multisite compatible and responsive ready for all device sizes.
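Whichever plugin you pick, the mechanics underneath are the same: remember an explicit accept or refuse, expire that decision so users opt in again after a while (the “cookie expiration” setting mentioned above), and hold back non-essential scripts until consent exists. The following is an added example written for this post, not code from either plugin or from the article, showing that logic as pure functions so it can be tested outside a browser. The cookie name cookie_consent, the version number, the category list and the 180-day default are assumptions for the demo.

```javascript
// Added example (not part of the article or of any plugin it names): the core
// logic of a cookie notice. Cookie name, categories and lifetimes are assumed.

const CONSENT_COOKIE = 'cookie_consent';   // assumed cookie name
const CONSENT_VERSION = 2;                 // bump when the policy changes so everyone is asked again
const DEFAULT_TTL_DAYS = 180;              // the "cookie expiration" after which users must opt in again

// Which script categories need consent. 'necessary' never does.
const CATEGORIES = { necessary: false, analytics: true, marketing: true, media: true };

// Parse the Cookie request header ("a=1; b=2") into a map.
function parseCookieHeader(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i === -1) continue;
    out[part.slice(0, i).trim()] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

// Read the stored decision. A missing cookie or one written under an older
// policy version counts as "unknown", which shows the banner again.
function readConsent(cookieHeader) {
  const raw = parseCookieHeader(cookieHeader)[CONSENT_COOKIE];
  if (!raw) return { status: 'unknown', version: null };
  const m = raw.match(/^v(\d+):(accepted|refused)$/);
  if (!m || Number(m[1]) !== CONSENT_VERSION) {
    return { status: 'unknown', version: m ? Number(m[1]) : null };
  }
  return { status: m[2], version: CONSENT_VERSION };
}

// Build the Set-Cookie header that records the choice. A refusal is stored
// too, so the banner does not nag on every page view; it just loads nothing.
function consentSetCookie(choice, ttlDays = DEFAULT_TTL_DAYS) {
  if (choice !== 'accepted' && choice !== 'refused') {
    throw new Error('choice must be "accepted" or "refused"');
  }
  const maxAge = ttlDays * 86400;
  return `${CONSENT_COOKIE}=v${CONSENT_VERSION}:${choice}; Max-Age=${maxAge}; Path=/; Secure; SameSite=Lax`;
}

// May a script in this category run? Unknown or stale consent means no,
// i.e. the default is "don't load" rather than "load until refused".
function mayLoad(category, consent) {
  if (!(category in CATEGORIES)) throw new Error('unknown category: ' + category);
  if (!CATEGORIES[category]) return true;
  return consent.status === 'accepted';
}

function shouldShowBanner(consent) {
  return consent.status === 'unknown';
}

// Demo run on a constructed request header from a visitor who refused earlier.
const demo = readConsent('wordpress_test_cookie=WP+Cookie+check; cookie_consent=v2:refused');
console.log('banner?', shouldShowBanner(demo), 'analytics?', mayLoad('analytics', demo));
```

In a real theme the server (or a small inline script) calls readConsent with the request’s cookies and only prints the analytics, ad and embed tags when mayLoad returns true; the accept and refuse buttons respond with consentSetCookie. Storing the refusal with the same expiry as an acceptance is what keeps the banner from reappearing on every page.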

Step 4: Make it Easy for Users to Request/Delete Their Info

We mentioned before that WordPress 4.9.6 added easy options for user data management, so if a user would like you to forward a copy of their information or delete their info completely you can. But in order for them to share their request you’ll first need to create a contact form or page for them to get in touch.

Depending on your website, it might make sense to install a contact form plugin to streamline contact submissions. This is likely a better option if you’re dealing with a website that has tons of users – like an online forum or membership site.

Ninja Forms Plugin

Some plugins like Ninja Forms already have built-in Export Data and Delete Data request form templates (check them out in the Ninja Forms GDPR post). Just create your forms, then include links to them in your Privacy Policy.

But if your website is a basic blog or business site with no user accounts other than your own you should be okay just including a contact email in your privacy policy.

Step 5: Notifications for Policy Updates or Data Breach

The last part of GDPR that really stands out as important is policy update and data breach notifications. This comes into play if you offer user accounts on your website, collect customer information or if you maintain a newsletter.

Now that you’ve updated your privacy policy to comply with GDPR it’s a great time to notify users of your changes. If you use an email platform, blast out a quick privacy update notice.

Or if you’re using one of the best GDPR compliance WordPress plugins there’s likely a notification system already built-in so you can contact your site users. The best part is that with some of these plugin options you can easily automate policy update or data breach notifications, saving you some time.

Wrapping Up

Just to reiterate – we aren’t lawyers. This guide on how to make your WordPress site GDPR compliant is simply a collection of tips from our own personal experience researching and prepping for GDPR. Hopefully there were a few helpful tips in there for you, but really it’s just a starting point. We do highly recommend contacting a GDPR consultant or a lawyer to be sure your website is compliant especially if you’re located in the EU or if EU residents make up a significant portion of your website traffic.


Do you have any more questions on how to make your WordPress site GDPR compliant? Leave a comment and we’ll do our best to help. We’ll also update this guide as we learn more about GDPR – so if you have any other tips or key points please do share them.

Article by Kyla WPExplorer.com staff
8 Comments

  1. Joachim

    I’d like to add a plugin recommendation for a related problem: the task of showing ads based on the visitors’ approval. Advanced Ads has developed a new privacy module to support this challenge, which integrates the presented cookie and consent plugins, as well as allowing dynamic switches between personalized and non-personalized AdSense ads.

  2. Jin Markov

    This is an excellent article Kyla. Thanks for the information.

    Would also appreciate some GDPR information for websites using Google AdSense accounts.

    Thanks,

    Jin

    • Kyla

      I am not a lawyer, but from what I’ve read definitely use the tips above (especially the points on having a solid privacy policy and a cookie notice) then take advantage of some of the new tools/options Google has created recently for publishers. Google released a tools list where they mention a bunch of new tools and capabilities for ad personalization, or rather the option for non-personalized ads for EEA users. I think that list is as good a place as any to start but definitely consult a GDPR specialist if the majority of your traffic is EU based.

  3. Sid Greenfield

    It is absolutely Un-True that compliance under EU GDPR is mandatory for anyone outside the EU.

    The USA is a sovereign Nation State, not subject to the edicts, laws or regulations of either the UN, the EU or any other half-baked alliance of Kings, Queens or Parliamentary Associations. If anything, their laws and regulatory efforts must be compliant with Our Edict, Laws and Regulatory Requirements.

    By signing the EU-US Privacy Shield agreement, you admit subservience to the GDPR Authority, thereby becoming a “vassal” of the EU’s regulatory machinery. If you or your business refuse to sign or comply with the agreement, the EU may, under its own laws, prevent its citizens or businesses from accessing or utilizing your online presence, ( of course, they won’t ) but they have no legal presence or authority that compels your compliance if you reside ( or if your web presence originates ) outside the EU.

    The standard, common sense, privacy statement utilized by every E-commerce enabled website is already sufficiently compliant without becoming vassals of UN or EU globalist expansion efforts by signature or fait accompli. The same theory applies equally to voluntary Email or Membership subscriptions by EU citizens wherein they supply routine contact information.

    IF the Global purveyors of Merchant account and payment gateway services wish to sign and comply with such an agreement, it has no effect on our website businesses since payment processing Data comprises a “Pass Through Transaction” wherein the credit card processor is the only entity maintaining an archival record of the customers data. YOU don’t archive the information so YOU are either exempt or already compliant.

    We need to take this very seriously simply because the next step will be to put restrictions on what products are “acceptable” for sale to EU customers. That will be followed by mandated license requirements, product approval requirements, specification submission requirements, licensing fees and Tax mandates. Soon … as in probably THIS YEAR … you will certainly be required to post your [edit] on your landing page … or be excluded from the EU markets.

    • Kyla

      I can understand your feelings on GDPR, however for websites with a majority of traffic (or any customers) located in EU countries it’s probably best to contact a lawyer or GDPR consultant to see what exactly is required. We are not lawyers. This post simply documents some of the steps we personally took that other website managers might be interested in. We prefer to play it safe and have taken reasonable measures to follow the EU laws as best we can, which is our choice.

      But as for some of your other points, here is my non-lawyer personal opinion. I think the EU is well within their rights to create rules for third parties to do business with their residents. Sales/VAT taxes are already applied based on customer location – GDPR just adds data privacy requirements, which is actually pretty easy to accommodate. I would think it’s also within the EU’s rights to block a website if a site owner chooses not to comply – in fact I would say it’s a much more realistic possibility compared to heavy fines which are probably aimed more at the big players like Google, Amazon, Walmart, etc. And for your last point, the EU and many other countries (and provinces, states, counties, cities) already restrict goods sold, require business licenses, charge taxes/duties and impose many other requirements (it’s just a cost of choosing to do business in any given locale). This is why I think any web based business should make it a priority to contact a lawyer or other specialist to be sure they are in compliance 🙂

  4. Michal

    Hey, nice blog..
    If you want a GDPR WordPress plugin, another good option is the GDPR tool by WSD (free on WordPress.org) which can be used to record/log all PII processing.

  5. Ricardo

    Hi!
    Thank you so much for this article, it is really easy to understand what I’ll have to do to setup my new website!
    The only thing that brings me doubts is the inclusion of videos from Vimeo or YouTube in what will be my portfolio page. Will it be GDPR compliant?

    Thank you so much!

    • Kyla

      For Vimeo this is easy – just be sure to set the DNT parameter to “true” when you embed a video on your site to prevent analytics/cookies. YouTube is tricky. You can use their “privacy-enhanced” URLs (replace youtube with youtube-nocookie in your video URL) which don’t place cookies, at least until a user presses play at which point a cookie will be set (so it’s really just a delay). To be GDPR compliant you really should block YouTube videos until a user consents, but luckily this is a feature of many top GDPR plugins.
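The reply above describes two URL tweaks (Vimeo’s DNT parameter and YouTube’s youtube-nocookie.com host) plus the stronger option of not loading the player at all until the visitor consents. The following is an added example, not code from the commenter, the article or either video service, that applies both rewrites and emits either a click-to-load placeholder or the real iframe depending on the consent decision. The video ids are constructed, the function names are this example’s own, and the Vimeo flag is written as dnt=1 (the reply spells the value “true”).

```javascript
// Added example, not code from the article or from the commenter: rewrite
// video URLs into the privacy-enhanced forms the reply describes, and only
// emit the provider <iframe> once the visitor has consented.

const YOUTUBE_HOSTS = new Set([
  'youtube.com', 'www.youtube.com', 'm.youtube.com', 'youtu.be', 'www.youtube-nocookie.com',
]);
const YT_ID = /^[A-Za-z0-9_-]{11}$/; // YouTube video ids are 11 URL-safe characters

// Pull the video id out of watch?v=, youtu.be/, /embed/ and /shorts/ forms.
function youtubeId(u) {
  const candidates = [
    u.searchParams.get('v'),
    u.pathname.replace(/^\/(?:embed|shorts|v)\//, '/').slice(1).split('/')[0],
  ];
  return candidates.find(c => c && YT_ID.test(c)) || null;
}

// Return the privacy-enhanced embed URL for a YouTube or Vimeo link.
function privacyEmbedUrl(raw) {
  const u = new URL(raw);
  const host = u.hostname.toLowerCase();
  if (YOUTUBE_HOSTS.has(host)) {
    const id = youtubeId(u);
    if (!id) throw new Error('no video id in ' + raw);
    // youtube-nocookie.com sets nothing until the visitor presses play.
    return `https://www.youtube-nocookie.com/embed/${id}`;
  }
  if (host === 'vimeo.com' || host === 'player.vimeo.com') {
    const m = u.pathname.match(/\/(\d+)(?:\/|$)/);
    if (!m) throw new Error('no video id in ' + raw);
    const out = new URL(`https://player.vimeo.com/video/${m[1]}`);
    out.searchParams.set('dnt', '1'); // Vimeo's Do-Not-Track player parameter
    return out.toString();
  }
  throw new Error('unsupported video host: ' + host);
}

// Escape a value for use inside a double-quoted HTML attribute.
const attr = s => String(s).replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;');

// consented: the visitor's stored decision for embedded media, made elsewhere.
// Without it, only a placeholder is rendered and no request reaches the provider.
function embedMarkup(raw, consented) {
  const src = privacyEmbedUrl(raw);
  if (!consented) {
    return `<div class="video-consent" data-src="${attr(src)}">` +
      '<button type="button">Load video (the provider may set cookies)</button></div>';
  }
  return `<iframe src="${attr(src)}" allowfullscreen loading="lazy"></iframe>`;
}

// Browser-only hook-up for the placeholder above: swap in the iframe on click.
function activateOnClick(container) {
  container.querySelector('button').addEventListener('click', () => {
    container.outerHTML = `<iframe src="${attr(container.dataset.src)}" allowfullscreen></iframe>`;
  });
}

// Demo with constructed ids.
console.log(embedMarkup('https://www.youtube.com/watch?v=a1B2c3D4e5F&t=30s', false));
console.log(embedMarkup('https://vimeo.com/12345678', true));
```

The placeholder carries the provider URL only as a data attribute, so the browser makes no request to YouTube or Vimeo until the visitor clicks; the nocookie host and the DNT flag then limit what the player does once it is loaded. activateOnClick is only meaningful in a page, the rest runs anywhere.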
