WordPress and GDPR: a Helpful Guide

GDPR is a hot topic for website owners and users alike. You may be wondering where exactly the effects of GDPR show up.

Check your email. You’ll find a lot of websites asking your permission to accept their updated cookie or privacy policy. This is because a lot has changed about what can be taken for granted and what now needs explicit permission before it is accessed.

You’ll also see cookie banners displayed far more prominently on websites. The reason is simple: sites need your permission before they can store your data.

What is GDPR?

The General Data Protection Regulation, or GDPR, was passed by the European Union on May 25, 2018. It came into effect to crack down on breaches of citizens’ data by companies, both within and outside of Europe.

At its core, GDPR is a set of regulations that every business or data handler must adhere to when handling the personal data of EU inhabitants.

GDPR is no joke: the hefty fines it imposes on companies have already begun to drive changes in tech companies around the world.

One key right that GDPR establishes for European inhabitants is the “Right to be forgotten”. Where companies have long taken user information for granted, GDPR gives users the right to withhold their data as well. The laws and regulations surrounding GDPR exist strictly to protect personal data.

  • Personal data in this case covers a wide spectrum of information; for starters, it includes your location, sexuality, race, ethnicity, and even health status.

Countries all over the world are forming their own regulations against data breaches, but GDPR is by far the most prominent of these laws.

  • Residents of California have a similar law called CCPA, the California Consumer Privacy Act. Similarly, Brazil has its LGPD, Lei Geral de Proteção de Dados Pessoais. All of these aim to secure the data of people living in those jurisdictions so that it is not exploited by companies.

What does GDPR cover?

The 1950s European Human Rights Convention clearly states that “everyone has the right to respect for his private and family life, his home and his correspondence”.

The new law carries that right into the digital space: any information that could be used to identify a person must be safeguarded against bad actors and mishandling.

GDPR is a consumer-friendly regulation, which means it applies for the benefit of everyone who browses for products or services. It also pushes businesses that collect data to build behavior models to anonymize that data.

Do you need to worry?

Not every website requires GDPR compliance though. Websites that don’t require users to share personal data in order to interact with them are exempt from GDPR.

  • A good example of this is a personal blog. But if you keep a mailing list of readers for your blog posts, your website comes under GDPR, as you are now gathering their personal information.

Are any of your readers, customers or visitors from the EU? If yes, then GDPR applies to your business as well. It doesn’t matter if you are in another country serving customers in the EU.

The law strictly states that every transaction between you and someone from the EU must comply with the rules explicitly set out under GDPR.

  • Neglecting to look into these laws will cost you dearly: the fines for a violation can scale up to 20 million euros or 4% of your global revenue, whichever is higher, which is something even tech giants take notice of.

Here’s how to identify the cookies your website installs in the browser. It is important to know what your website does in the browser so you know where you stand on compliance.

What is WordPress doing for GDPR?

  • Websites that are fairly recent and up to date on their version of WordPress can breathe easy. As of version 4.9.6, the WordPress core software is GDPR compliant.
  • Remember, a GDPR-compliant website requires all of the plugins, extensions and any extra features added on top of the core to be compliant as well.

So it’s not enough to have your WordPress version updated; the entire list of plugins, and even embedded image links, must comply with the data privacy guidelines set out under GDPR.

A privacy policy generator, personal data export/erase tools, and consent under comments are the three additions you’ll find in the latest version of WordPress.

Privacy policy generator

Under WordPress Settings > Privacy, you now have the option to create a privacy policy page from a suggested template. You can edit it to cover the relevant points for the plugins and features installed on your website.

This is not to say that it’s just a click away though. Privacy policies are to be taken seriously, as any breach or malpractice found could incur heavy penalties for a website. These fines could even destabilize small businesses if they aren’t careful with user data.

[Screenshot: Privacy policy settings]

Erasing and exporting personal data

Under GDPR, customers have the right to see the data stored by your website and even to have it deleted entirely from your database.

Through Tools > Export Personal Data and Tools > Erase Personal Data, you can easily hand a user’s information back to them or delete it entirely, according to your customer’s request.

[Screenshot: Data export/import tools]
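The Export and Erase screens only cover data that WordPress core knows about (users, comments, media). A plugin that stores its own personal data must register with those tools through the `wp_privacy_personal_data_exporters` and `wp_privacy_personal_data_erasers` filters, which is why an out-of-date plugin can leave a site non-compliant even when core is. The following is an added example, not code from the article or from WordPress itself; it assumes a hypothetical newsletter plugin that writes signups to a custom table named `{$wpdb->prefix}newsletter_signups` with the columns `id`, `email`, `signed_up_at` and `consent_text`.

```php
<?php
/**
 * Plugin Name: Example Newsletter Privacy Hooks (hypothetical)
 * Description: Makes this plugin's signup records visible to the
 *              Tools > Export Personal Data and Erase Personal Data screens.
 */

// Hypothetical table this plugin writes to (assumed for the example):
// {prefix}newsletter_signups (id, email, signed_up_at, consent_text).
function example_newsletter_table() {
    global $wpdb;
    return $wpdb->prefix . 'newsletter_signups';
}

// Exporter callback. WordPress calls it with the requester's e-mail address
// and a page number, and expects ['data' => [...], 'done' => bool] back.
// Paging matters: large result sets are fetched across several requests.
function example_newsletter_exporter( $email_address, $page = 1 ) {
    global $wpdb;
    $per_page = 100;
    $offset   = ( max( 1, (int) $page ) - 1 ) * $per_page;
    $table    = example_newsletter_table();

    // Prepared statement: the e-mail comes from the request and is untrusted.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, email, signed_up_at, consent_text FROM {$table}
             WHERE email = %s ORDER BY id LIMIT %d OFFSET %d",
            $email_address, $per_page, $offset
        )
    );

    $export_items = array();
    foreach ( $rows as $row ) {
        $export_items[] = array(
            'group_id'    => 'example-newsletter',
            'group_label' => __( 'Newsletter signups', 'example-newsletter' ),
            'item_id'     => 'example-newsletter-' . $row->id,
            'data'        => array(
                array( 'name' => __( 'Email', 'example-newsletter' ),              'value' => $row->email ),
                array( 'name' => __( 'Signed up at', 'example-newsletter' ),       'value' => $row->signed_up_at ),
                array( 'name' => __( 'Consent text shown', 'example-newsletter' ), 'value' => $row->consent_text ),
            ),
        );
    }

    return array(
        'data' => $export_items,
        'done' => count( $rows ) < $per_page, // more pages remain if a full page came back
    );
}

add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['example-newsletter'] = array(
        'exporter_friendly_name' => __( 'Example Newsletter plugin', 'example-newsletter' ),
        'callback'               => 'example_newsletter_exporter',
    );
    return $exporters;
} );

// Eraser callback. It must report honestly what was removed and what was
// kept; WordPress shows these flags and messages to the administrator.
function example_newsletter_eraser( $email_address, $page = 1 ) {
    global $wpdb;
    $table = example_newsletter_table();

    // $wpdb->delete() returns the number of rows removed, or false on error.
    $deleted = $wpdb->delete( $table, array( 'email' => $email_address ), array( '%s' ) );

    return array(
        'items_removed'  => false !== $deleted && $deleted > 0,
        'items_retained' => false,   // set true and add a message if a record must be kept for legal reasons
        'messages'       => array(),
        'done'           => true,    // a single delete covers every row for this address
    );
}

add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['example-newsletter'] = array(
        'eraser_friendly_name' => __( 'Example Newsletter plugin', 'example-newsletter' ),
        'callback'             => 'example_newsletter_eraser',
    );
    return $erasers;
} );
```

Once this file is activated as a plugin, an administrator who confirms a request on Tools > Export Personal Data receives a “Newsletter signups” group in the generated archive, and Tools > Erase Personal Data removes the matching rows; the `items_retained` flag is how a plugin records, rather than hides, data it is legally required to keep.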

Comment with consent

Websites usually save user information when someone comments, simply so that the user doesn’t have to type in their details every time they comment on one of the website’s forms.

WordPress now has a specific checkbox below the comment form that users can tick to consent to the storage of the personal data they’ve entered. The text beside this checkbox should also state why you are saving the information.

You’ll find the setting under Settings > Discussion to enable cookie consent for users who comment on any of your web pages.

[Screenshot: Comment Consent]

How can you be compliant?

  • As a first step, search your website for every place where customers may enter personal information. Even their preference for products can count as personal data in this case.
  • Forms, comments, carts, analytics, and email marketing lists are some of the most obvious areas you will want to bring into compliance.
  • Chances are that you use plugins for much of the data collection on your website. Make sure that these plugins comply with the GDPR standards, and uninstall or update any plugin or extension that doesn’t.
  • Make it a habit to ask customers twice for their consent whenever they give you personal data. A two-step (double opt-in) signup process for email lists is especially easy to set up and shows customers that you are serious about handling their data.
  • Another important aspect of making your website truly transparent to your customers is to state explicitly why you require their data and to give them complete freedom to opt out if they choose to.

The role of plugins in getting you GDPR compliant

There are a lot of helpful extensions and plugins to get you compliant with GDPR. Although individual plugins may be compliant in themselves, that doesn’t guarantee that your website as a whole will be.

Thankfully, form builders, privacy policy generators, comment consent, and personal data export/erase features are all available through plugins.

Here are our top 7 plugins you could add to your website to get GDPR compliant in 2020.

The complexity of our digital space will keep increasing at an exponential rate. It is therefore important that we have strict laws that safeguard users from data breaches of every kind.

Following GDPR, nations across the world have started to take up this challenge of data security. We’ll certainly see more regulations of this kind as data becomes a valuable commodity in the digital domain.