Ultimate Guide to WordPress and GDPR Compliance

Ultimate Guide to WordPress and GDPR Compliance: Are you confused by the term GDPR and how it affects your WordPress blog or site? GDPR stands for General Data Protection Regulation, an EU law you have almost certainly heard about by now. I have received a large number of emails from Fatsage.Com readers asking me to explain GDPR in plain terms and to share tips on making a WordPress blog or site GDPR compliant. In this post I will cover what you need to know about GDPR and WordPress, without the complex legal detail.

GDPR and WordPress Compliance

Disclaimer: I am not a lawyer. Nothing on this site should be taken as legal advice.

In this post I will cover the following GDPR topics one by one:

  • What is GDPR?
  • What does GDPR require?
  • Is WordPress really GDPR compliant?
  • Parts of your WordPress website that are affected by GDPR
  • The best WordPress GDPR compliance plugins

The General Data Protection Regulation (GDPR) is a European Union law that takes effect on May 25, 2018. Its purpose is to give people in the EU control over their personal data, and it changes how companies and organizations around the world approach data privacy.

What Is GDPR?

You have probably received a pile of emails from companies like Google about GDPR, their updated privacy policies and other legal matters. That is because the EU has set heavy penalties for organizations that are not in compliance.

Fines Related To GDPR

From May 25, 2018, businesses and organizations that are not GDPR compliant can face fines of up to 4% of annual global revenue or €20 million, whichever is greater. That is reason enough for the widespread panic among businesses around the globe.

This brings us to the big question you are probably asking:

Does GDPR apply to my WordPress site?

The answer is yes. It applies to organizations of every size, anywhere in the world (not only in Europe), that process the personal data of people in the EU.

If your website has visitors from EU countries, this law applies to you.

But don't panic; this is not the end of the world.

While GDPR can escalate to those very high fines, enforcement starts with a warning, then a reprimand, then a suspension of data processing; only if you keep violating the law do the large fines hit.

Details On GDPR Penalties and Fines

The EU is not some evil government out to get you. Its goal is to protect consumers, ordinary people like you and me, from reckless handling of data and from breaches, because the situation has been getting out of control.

In my opinion the maximum fine is largely there to get the attention of large companies like Facebook and Google, so that the regulation is not ignored. It also pushes companies to put real emphasis on protecting people's rights.

Once you understand what GDPR requires and the spirit of the law, you will see that none of it is unreasonable. I will also share tools and tips to make your WordPress site GDPR compliant.

What Does GDPR Require?

The purpose of GDPR is to protect users' personally identifiable information (PII) and to hold businesses to a higher standard in how they collect, store and use that data.

Personal data includes: name, email address, home address, IP address, health information, income, and so on.

GDPR Personal Data

The GDPR text is about 200 pages long, so here are the most important pillars you need to know:

Explicit Consent – if you collect personal data from an EU resident, you must obtain consent that is explicit, specific and unambiguous. In other words, you cannot send unsolicited marketing emails to people who gave you their business card or filled in your contact form, because they did not opt in to your newsletter (that is spam, and you should not be doing it anyway).

For consent to count as explicit, it must be a positive opt-in (i.e. no pre-ticked checkbox), use clear wording (no legalese), and be separate from your other terms and conditions.

Right to Data – you must tell people where, why and how their data is processed and stored. A person has the right to download their personal data, and also the right to be forgotten, meaning they can require you to delete their data.

This should ensure that when you hit Unsubscribe or ask a company to delete your profile, they actually do it (hmm, go figure). I'm looking at you, Zenefits: I have been waiting two years for my account to be deleted and hoping you stop sending me spam emails because I made the mistake of trying out your service.

Breach Notification – organizations must report certain types of data breach to the relevant supervisory authority within 72 hours, unless the breach is unlikely to pose a risk to individuals. If the breach is high-risk, the company must also notify the affected individuals without undue delay.

This should help prevent cover-ups like Yahoo's, which was only disclosed after the company had already agreed to be acquired.

Data Protection Officers – if you are a public authority, or processing large amounts of personal data is a core activity of your organization, you must appoint a data protection officer. This is not required for small businesses. Consult a lawyer if you are in doubt.

GDPR Data Protection Officer

To put it in plain English: GDPR ensures that businesses cannot get away with spamming people with emails they never asked for. Businesses cannot sell people's data without their explicit consent (good luck getting that consent). Businesses must delete users' accounts and unsubscribe them from mailing lists when the user asks. Businesses must report data breaches and, overall, be better at data security.

Sounds very good, in theory at least.

Now you are probably wondering what you have to do to make sure your WordPress site is GDPR compliant.

Well, that really depends on your particular website (more on this later).

Let us begin by answering the biggest question I have gotten from readers:

Is WordPress Really GDPR Compliant?

Yes: as of WordPress 4.9.6, the WordPress core software ships the tools you need for GDPR compliance. The core team added several GDPR-related enhancements in that release. Note that when I say WordPress, I mean self-hosted WordPress.org (see the difference: WordPress.com vs WordPress.org).

That said, because of the dynamic nature of websites, no platform, plugin or solution can offer 100% GDPR compliance. The compliance process will vary based on the kind of website you run, what data you store, and how you process it.

So what does this mean in plain English?

Out of the box, WordPress 4.9.6 now includes the following GDPR tools:


Comments Consent


WordPress Comments Opt-in for GDPR

By default, WordPress used to store a commenter's name, email and website in cookies on the visitor's browser. That made it easier to leave comments on favorite blogs because those fields were pre-populated.

Because of GDPR's consent requirement, WordPress added a comment consent checkbox (it is shown when "Show comments cookies opt-in checkbox" is enabled under Settings > Discussion). A visitor can still leave a comment without ticking the box; it only means they will have to type their name, email and website again the next time they comment.

Data Export and Erase Feature

WordPress Data Handling – GDPR

WordPress gives site owners the ability to comply with GDPR's data handling requirements by honoring a user's request to export their personal data or to erase it.

These data handling tools live under the Tools menu in the WordPress admin (Tools > Export Personal Data and Tools > Erase Personal Data).

Privacy Policy Generator

WordPress now has a built-in privacy policy generator (under Settings > Privacy). It offers a ready-made privacy policy template and guidance on what else to include, so you can be more transparent with users about what data you store and how you handle it.

These three things are enough to make a default WordPress blog GDPR compliant. But it is very likely that your website has additional features that will also need to be brought into compliance.
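The export and erase tools only know about data that core itself stores (users, comments, media). Anything a plugin keeps elsewhere has to be registered with them. The following is an added example written for this post, not code from the original article or from WordPress core: a plugin registers a personal data exporter and eraser for a hypothetical `wp_fatsage_signups` table (columns `id`, `email`, `name`, `signup_ip`, `created_at`), and describes that data for the privacy policy guide. The table, its columns and all `fatsage_*` names are assumptions; the `wp_privacy_personal_data_exporters` and `wp_privacy_personal_data_erasers` filters and `wp_add_privacy_policy_content()` are the real core APIs introduced in 4.9.6.

```php
<?php
// Added example for this post (not WordPress core or any plugin's code).
// Assumed table: {$wpdb->prefix}fatsage_signups (id, email, name, signup_ip, created_at).

// Tell the privacy policy generator (Settings > Privacy) what this plugin stores.
add_action( 'admin_init', function () {
    $text = '<p class="privacy-policy-tutorial">' . esc_html__( 'Suggested text:', 'fatsage' ) . '</p>'
          . '<p>' . esc_html__( 'When you sign up for our newsletter we store your name, email address and the IP address you signed up from until you unsubscribe.', 'fatsage' ) . '</p>';
    wp_add_privacy_policy_content( 'Fatsage Signups', $text );
} );

// Exporter callback: return every record held for $email_address in the shape core expects.
function fatsage_signups_exporter( $email_address, $page = 1 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'fatsage_signups';
    $rows  = $wpdb->get_results(
        $wpdb->prepare( "SELECT id, email, name, signup_ip, created_at FROM {$table} WHERE email = %s", $email_address )
    );

    $export_items = array();
    foreach ( $rows as $row ) {
        $export_items[] = array(
            'group_id'    => 'fatsage-signups',
            'group_label' => __( 'Newsletter signups', 'fatsage' ),
            'item_id'     => 'fatsage-signup-' . $row->id,
            'data'        => array(
                array( 'name' => __( 'Name', 'fatsage' ),       'value' => $row->name ),
                array( 'name' => __( 'Email', 'fatsage' ),      'value' => $row->email ),
                array( 'name' => __( 'IP address', 'fatsage' ), 'value' => $row->signup_ip ),
                array( 'name' => __( 'Signed up', 'fatsage' ),  'value' => $row->created_at ),
            ),
        );
    }

    // One page of results is enough here, so report that we are done.
    return array( 'data' => $export_items, 'done' => true );
}

// Eraser callback: delete the records and report honestly what was removed or kept.
function fatsage_signups_eraser( $email_address, $page = 1 ) {
    global $wpdb;
    $table   = $wpdb->prefix . 'fatsage_signups';
    $deleted = $wpdb->delete( $table, array( 'email' => $email_address ), array( '%s' ) );

    return array(
        'items_removed'  => ( false !== $deleted && $deleted > 0 ),
        'items_retained' => false, // set to true and add a message if something must be kept (e.g. invoices)
        'messages'       => array(),
        'done'           => true,
    );
}

add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['fatsage-signups'] = array(
        'exporter_friendly_name' => __( 'Fatsage Signups', 'fatsage' ),
        'callback'               => 'fatsage_signups_exporter',
    );
    return $exporters;
} );

add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['fatsage-signups'] = array(
        'eraser_friendly_name' => __( 'Fatsage Signups', 'fatsage' ),
        'callback'             => 'fatsage_signups_eraser',
    );
    return $erasers;
} );
```

Once this is active, the email lookup in Tools > Export Personal Data and Tools > Erase Personal Data includes the "Fatsage Signups" group. The important habit is in the eraser's return value: if a legal obligation forces you to keep part of the data, set `items_retained` to true and explain why in `messages`, so the admin running the erasure sees it in the report instead of assuming everything is gone.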

Areas of your Website that are Affected by GDPR

As a site owner you are probably using WordPress plugins that store or process data: contact forms, analytics, email marketing, a web store, membership features, and so on.

Depending on which WordPress plugins you use, you will need to act accordingly to bring your website into compliance.

Most of the popular WordPress plugins have already added GDPR features. Let's look at some of the common areas you will need to address:

Google Analytics

Like most site owners, you are probably using Google Analytics for website statistics, which means you may be collecting or tracking personal data such as IP addresses, user IDs and cookies, along with other data used for behavior profiling. To be GDPR compliant you must do one of the following:

Anonymize the data before storage and processing begins

Add an overlay to the website that gives notice of cookies and asks users for consent before tracking starts

Both are fairly hard to do if you are just pasting the Google Analytics code into your site manually. If you use MonsterInsights, the most popular Google Analytics plugin for WordPress, you are in luck.

They have released an EU compliance addon that automates the above. MonsterInsights also has an excellent post covering everything you need to know about GDPR and Google Analytics (a must-read if you use Google Analytics on your site).

MonsterInsights EU Compliance Addon

Contact Forms and GDPR

If you use a contact form in WordPress, you may need to add extra transparency steps, especially if you store the form entries or use the data for marketing.

Here are the things to consider to make your WordPress forms GDPR compliant:

Get explicit consent from users to store their information.

Get explicit consent from users if you plan to use their data for marketing (i.e. adding them to your email list).

Disable cookies, user-agent and IP address tracking for forms.

Make sure you have a data-processing agreement with your form provider if you use a SaaS form solution.

Comply with data-deletion requests.

Disable storing form entries altogether (a bit extreme, and not required by GDPR). You probably should not do this unless you know exactly what you are doing.

The good news is that if you use WordPress plugins like WPForms, Gravity Forms, Ninja Forms, Contact Form 7, etc., you do not need a data processing agreement with the plugin vendor, because these plugins do NOT send your form entries to the vendor's servers. Entries, where they are stored at all, stay in your own WordPress database.

Adding a required consent checkbox with a clear explanation should be sufficient to make your WordPress forms GDPR compliant.

WPForms, the contact form plugin we use on WPBeginner, has added several GDPR enhancements that make it easy to add a GDPR consent field, disable user cookies, disable user IP collection, and disable entry storage with a single click.

GDPR Form Fields in WPForms
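If you build a form yourself rather than using one of those plugins, the consent items on the checklist above are easy to get subtly wrong. The following is an added example written for this post (it is not WPForms, Gravity Forms, Ninja Forms or Contact Form 7 code): a minimal WordPress contact form whose handler enforces the consent checkbox on the server, keeps proof of consent with the entry, and deliberately never stores the IP address or user agent. All `fatsage_*` names, the field names and the `fatsage_entry` post type are assumptions.

```php
<?php
// Added example for this post (not the code of any form plugin). All names are assumed.

const FATSAGE_CONSENT_TEXT_VERSION = '2018-05-25'; // bump whenever the consent wording changes

// Render the form. The consent box is deliberately unchecked: a pre-ticked box is not consent.
function fatsage_contact_form_html() {
    ob_start(); ?>
    <form method="post" action="">
        <?php wp_nonce_field( 'fatsage_contact', 'fatsage_nonce' ); ?>
        <p><label>Name <input type="text" name="fs_name" required></label></p>
        <p><label>Email <input type="email" name="fs_email" required></label></p>
        <p><label>Message <textarea name="fs_message" required></textarea></label></p>
        <p><label><input type="checkbox" name="fs_consent" value="1">
            I agree that this site stores my name, email address and message so that it can reply to me.</label></p>
        <p><button type="submit" name="fs_submit">Send</button></p>
    </form>
    <?php return ob_get_clean();
}

// Validate a submission server-side. Returns a WP_Error, or the sanitized entry to store.
function fatsage_validate_submission( array $post ) {
    if ( empty( $post['fatsage_nonce'] ) || ! wp_verify_nonce( $post['fatsage_nonce'], 'fatsage_contact' ) ) {
        return new WP_Error( 'bad_nonce', 'The form expired, please try again.' );
    }
    // Consent must be an explicit "1". A missing field, or anything a script guessed, is not consent.
    if ( ! isset( $post['fs_consent'] ) || '1' !== $post['fs_consent'] ) {
        return new WP_Error( 'no_consent', 'Please tick the consent box so we can store and answer your message.' );
    }
    $email = sanitize_email( $post['fs_email'] ?? '' );
    if ( ! is_email( $email ) ) {
        return new WP_Error( 'bad_email', 'Please enter a valid email address.' );
    }
    return array(
        'name'            => sanitize_text_field( $post['fs_name'] ?? '' ),
        'email'           => $email,
        'message'         => sanitize_textarea_field( $post['fs_message'] ?? '' ),
        // Proof of consent: when it was given and which wording was agreed to.
        'consent_at'      => current_time( 'mysql', true ),
        'consent_version' => FATSAGE_CONSENT_TEXT_VERSION,
        // Intentionally absent: $_SERVER['REMOTE_ADDR'] and $_SERVER['HTTP_USER_AGENT'].
    );
}

// Store the entry as a private post with the email in meta, so an exporter/eraser can find it by email later.
function fatsage_store_entry( array $entry ) {
    $post_id = wp_insert_post( array(
        'post_type'    => 'fatsage_entry',
        'post_status'  => 'private',
        'post_title'   => $entry['name'],
        'post_content' => $entry['message'],
    ), true );
    if ( is_wp_error( $post_id ) ) {
        return $post_id;
    }
    update_post_meta( $post_id, '_fs_email', $entry['email'] );
    update_post_meta( $post_id, '_fs_consent_at', $entry['consent_at'] );
    update_post_meta( $post_id, '_fs_consent_version', $entry['consent_version'] );
    return $post_id;
}

add_action( 'init', function () {
    register_post_type( 'fatsage_entry', array( 'public' => false, 'show_ui' => true, 'label' => 'Contact entries' ) );
    if ( isset( $_POST['fs_submit'] ) ) {
        $entry = fatsage_validate_submission( wp_unslash( $_POST ) );
        if ( ! is_wp_error( $entry ) ) {
            fatsage_store_entry( $entry );
        }
    }
} );
```

Render it in a template with `echo fatsage_contact_form_html();`. The `required` attribute is left off the checkbox on purpose: the browser-side check is a convenience, while the check in `fatsage_validate_submission()` is the actual control, and it refuses to treat a missing field as consent. Storing `consent_at` and `consent_version` is what lets you later show which wording a person agreed to, which matters when the consent text changes.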


Email Marketing Opt-in Forms and GDPR

Similar to contact forms, if you have email marketing opt-in forms such as popups, floating bars, inline forms and so on, you need to make sure you collect explicit consent from users before adding them to your list.

This can be done with either:

Adding a checkbox that the user must tick before opting in

Simply requiring double opt-in for your email list

Top lead-generation tools like OptinMonster have added GDPR consent checkboxes and other necessary features to help you make your email opt-in forms compliant. You can read more about GDPR strategies for marketers on the OptinMonster blog.

WooCommerce / eCommerce and GDPR

If you use WooCommerce, the most popular eCommerce plugin for WordPress, you will need to make sure your store complies with GDPR.

The WooCommerce team has prepared a thorough guide for store owners to help them become GDPR compliant.

Retargeting Ads

If your website runs retargeting pixels or retargeting ads, you will need to get the user's consent first. You can do this with a plugin like Cookie Notice.
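Both the Google Analytics options described earlier (anonymize before processing, or ask for consent before tracking) and the retargeting pixel case come down to the same gate: do not load the tracking script at all until the visitor has opted in, and when you do load analytics, turn IP anonymization on. The following is an added example written for this post, not code from MonsterInsights, Cookie Notice or the original article. It assumes a consent banner that sets a cookie named `fatsage_consent` holding a comma-separated list of granted categories (`analytics`, `ads`); the measurement ID, the pixel URL and the `fatsage_*` names are placeholders.

```php
<?php
// Added example for this post (not MonsterInsights, Cookie Notice or any other plugin's code).
// Assumed: a consent banner sets the cookie `fatsage_consent`, e.g. "analytics,ads".

const FATSAGE_CONSENT_COOKIE = 'fatsage_consent';
const FATSAGE_GA_ID          = 'UA-XXXXXXXX-1'; // placeholder measurement ID

// Parse the consent cookie into the list of granted categories. No cookie means no consent.
function fatsage_granted_categories() {
    if ( empty( $_COOKIE[ FATSAGE_CONSENT_COOKIE ] ) ) {
        return array();
    }
    $raw = sanitize_text_field( wp_unslash( $_COOKIE[ FATSAGE_CONSENT_COOKIE ] ) );
    return array_values( array_filter( array_map( 'trim', explode( ',', $raw ) ) ) );
}

function fatsage_has_consent( $category ) {
    return in_array( $category, fatsage_granted_categories(), true );
}

add_action( 'wp_enqueue_scripts', function () {
    // Nothing is enqueued until the visitor opts in: no GA cookies, no hits.
    if ( ! fatsage_has_consent( 'analytics' ) ) {
        return;
    }
    wp_enqueue_script(
        'fatsage-gtag',
        'https://www.googletagmanager.com/gtag/js?id=' . rawurlencode( FATSAGE_GA_ID ),
        array(),
        null,
        false
    );
    // anonymize_ip: true tells Google Analytics to truncate the IP address before it is stored.
    $inline = sprintf(
        "window.dataLayer = window.dataLayer || [];\n"
        . "function gtag(){dataLayer.push(arguments);}\n"
        . "gtag('js', new Date());\n"
        . "gtag('config', %s, { 'anonymize_ip': true });",
        wp_json_encode( FATSAGE_GA_ID )
    );
    wp_add_inline_script( 'fatsage-gtag', $inline );
} );

add_action( 'wp_footer', function () {
    // A retargeting pixel sets third-party cookies, so it needs the "ads" category, not just "analytics".
    if ( ! fatsage_has_consent( 'ads' ) ) {
        return;
    }
    $pixel = 'https://example-adnetwork.invalid/pixel?id=12345'; // placeholder pixel URL
    echo '<img src="' . esc_url( $pixel ) . '" width="1" height="1" alt="" style="display:none">';
} );
```

Two caveats when you run this for real. First, the gate is evaluated on the server, so a full-page cache will serve whatever copy was cached first, with or without the tracking tags; either exclude visitors who carry the consent cookie from the cache or move the same check into client-side JavaScript. Second, consent is per category: a visitor who accepted analytics has not accepted advertising cookies, which is why the pixel checks a separate category.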

Best WordPress Plugins to Make Your Website GDPR Compliant

There are several WordPress plugins that can automate parts of GDPR compliance for you. But no plugin can offer 100% compliance, because of the dynamic nature of websites.

Avoid any WordPress plugin that claims to provide 100% GDPR compliance. Its authors likely do not know what they are talking about, and you are best off steering clear of it.

Below is my list of recommended plugins for facilitating GDPR compliance:

  • Cookie Notice – popular free plugin that adds an EU cookie notice. Integrates well with top plugins like MonsterInsights.
  • MonsterInsights – if you use Google Analytics, use their EU compliance addon.
  • OptinMonster – advanced lead-generation software with smart targeting features that improve conversions while staying GDPR compliant.
  • WPForms – the most user-friendly WordPress contact form plugin. It provides GDPR fields and related features.
  • Delete Me – free plugin that lets users delete their own account on your site.
  • Shared Counts – instead of loading the default share buttons, which add tracking cookies, this plugin loads static share buttons while still showing share counts.

I will keep monitoring the plugin ecosystem to see whether any other WordPress plugin stands out by providing substantial GDPR compliance features.

Final Thoughts on GDPR

Whether you are ready or not, GDPR goes into effect on May 25, 2018. If your website is not compliant by then, don't panic. Just keep working toward compliance and act as soon as possible.

The chance of getting a fine the day after the regulation takes effect is pretty close to zero, because the European Union's website states that you first get a warning, then a reprimand; fines are the last step, for those who fail to comply and knowingly disregard the law.

The EU is not out to get you. It is doing this to protect users' data and restore people's trust in online businesses. As the world goes digital, we all need standards like these. With the recent data breaches at large companies, it is important that such requirements are adopted globally.

It will be good for everyone involved. These new rules should increase consumer confidence and in turn help grow your business.

I hope this article helped you learn about WordPress and GDPR compliance. I will do my best to keep it up to date as more information and tools become available.

Additional Important Resources on GDPR

GDPR Hysteria Part I and Part II by Jacques Mattheij

Data protection infographic by the European Commission

Principles of the GDPR by the European Commission

GDPR and MonsterInsights – everything you need to know

GDPR Enhancement Features for Your WordPress Forms

GDPR Compliance for WooCommerce Stores

GDPR and OptinMonster – helpful if you use email marketing opt-in forms

Legal Disclaimer / Disclosure

I am not a lawyer. Nothing on this site should be considered legal advice. Because of the dynamic nature of websites, no plugin or platform can offer 100% legal compliance. When in doubt, it is best to consult a specialist internet law attorney to determine whether you comply with all laws and regulations relevant to your jurisdictions and your use cases.