The Complete Guide to WordPress GDPR Compliance

GDPR is an indispensable data protection law that has been in practice for a year and affected how many businesses control user data on the Internet. This law seeks to create trust between businesses and people. If your business site has not yet complied with GDPR, you might face legal trouble or even fines.

While, almost all webmasters have felt the effect of GDPR, not all know what it is about exactly.

Sit back and relax, because this article is about to explain GDPR  – what GDPR is, how it can impact your web presence and WordPress website, and how to make sure your Website is compliant with the law.

What is GDPR?

GDPR stands for General Data Protection Regulation. It is a data protection and privacy law issued by the European Union Parliament in April 2016. This law, then, was implemented in May 2018.

GDPR attempts to protect the Personally Identifying Information (PII) of internet users in all EU countries. It allows people living in the EU to stay in control of their personal information’s privacy, and how it is used. This topic is becoming increasingly important and it’s visible with the rise of internet users who exploit VPN services to protect their personal information while browsing online.

So, if you have visitors from the EU, GDPR also applies to you even though you live outside the EU.

GDPR concerns the processing of personal data. There are two key aspects  – personal data and the processing of personal data.

Personal data is any information attached to a person; it can directly or indirectly be used to identify someone. This information could be a user’s name, address, email address, phone number, date of birth, bank details, IP address, location data, user behavior, demographic information, and physical, educational, cultural or social identity.

Meanwhile, processing of personal data is any activity involving a particular person’s data. According to GDPR, processing is when collect, record, organize, structure, store, adapt, retrieve, use, disclose, disseminate, make available, combine, align, erase, or destroy any personal data.

tiered fines for sites that not comply with GDPR

If your site is not GDPR compliant, you may face tiered administrative fines  – depending on the violation level  – up to 20 million Euros, or 4% of your business annual global turnover. That’s a solid amount for any kind of business. But, don’t worry, there will be a warning, then a reprimand, and suspension of data processing before you get sanctioned.

WordPress and GDPR Explained

After the law was enabled, WordPress version updates immediately complied with GDPR. However, in order to avoid any further GDPR infringement on your WordPress site, you need to first understand what GDPR requirements are, and how WordPress can collect data.

What are the GDPR Requirements?

There are a few key requirements that you need to take into account in order to comply with the GDPR:

User Consent – GDPR requires the user’s explicit consent for any data processing. Meaning, you must make sure that you have the users’ agreement whenever their data will be processed.

You can request consent for every processing action by providing pre-filled opt-in options or a checkbox selection field containing clear and specific information of the data processing’s purpose.

The users can freely choose whether to agree or disagree with the data processing. By doing this, you cannot process the data of the users who did not opt-in.

Data Rights – GDPR emphasizes users’ data rights. That means you need to clearly explain what the data will be used for.

Keep in mind that according to GDPR, your users always have the right to access, portability, and the right to be forgotten.

The right to access and portability requires you to make data processing and storage transparent. Users have the right to know what data and how it is being collected and where is this data being processed and stored, and also what is the reason behind those processes. Moreover, it allows users to have a copy of their own data. They are entitled to the ability to download and transmit their data.

The right to be forgotten enables users to request personal data erasure. This allows users to withdraw stored data and stop further processing and collection whenever they want.

Notification of Compromised Data – Under GDPR, the notification about any types of data breach must be communicated to the relevant authorities and impacted users within 72 hours. Meaning that you need to notify users if their data was potentially at risk. This encourages all webmasters to perform security monitoring of all compromised data in order to comply with GDPR requirements.

How Can WordPress Collect User Data?

As a WordPress user, you should know that there are multiple ways in which you may unconsciously store your users’ data, namely:

  • Comments – you may collect users’ data if you use the default WordPress comment feature. It stores the name, email, website URL, IP address, and the browser cookie of the commenter.
  • Data upon registration – if your users or customers can sign up or register on your site, you may store their registration data on your site.
  • Cookies and their use – as cookies are used to save your users’ preferences and become a tracking tool for third-party applications such as Google Analytics, you may store your users’ data on your site.
  • Information stored by plugins – basically, every plugin processing data on your site also collects data. They often not only store your site’s data but also your users’ additional personal data.
  • Contact forms – you probably collect and store your users’ submitted data if your site has contact forms, as it allows users to get in touch. The most commonly stored information from contact forms is the name, email, phone number, subject, and messages of your users.

If you employ all of these features on your site, you probably process your users’ personal data. Therefore, you’d better make sure that these features are GDPR compliant.

Making Your WordPress Site GDPR Compliant

Steps to make every site comply with GDPR cannot be similar for every site, as every site requires different need and attention. However, there are some basic ways you can do to make your site GDPR compliant:

Make Sure Your Website Uses HTTPS

HTTPS standing for Hyper Text Transfer Protocol Secure. It is the protected version of HTTP. All data on an HTTPS site is secured with a strong SSL encryption – Secure Socket Layer – that makes it hard for a hacker to break in, adding an extra layer of protection to your site.

Even though GDPR does not oblige you to use an SSL certificate, employing an HTTPS site is highly recommended to enhance your GPRD compliant site.

Why so?

GDPR requires you to make sure that your site securely transmits data, and having SSL encryption on your site can proactively provide your website and your users with extra protection to prevent illegal data processing from ever happening.  Moreover, it really helps maintain a secure connection that increases your site’s credibility.

You can easily and affordably install an SSL certificate for your WordPress site, and even get a free lifetime SSL certificate with Hostinger’s business web hosting plans!

Update Your Legal Documents

After you make sure that your site is secured, it is important to update your legal documents to comply with GDPR. Do so by creating a Privacy Policy that suits GDPR requirements, and review your Terms of Service.

A Privacy Policy is the keystone of GDPR that ensures privacy rights and protection of both the website and its users. It should inform users about the transparency of processed data.

WordPress 4.9.6 released after GDPR came into place, and has an updated privacy policy generator feature where you can create your own privacy policy page. If you have updated your WordPress site, you can simply go to Settings, then to Privacy to generate it.

Privacy policy settings in WordPress admin area

Unlike the Privacy Policy, GDPR does not govern the Terms of Service  – usually referred to as Terms of Conditions, Condition of Use or Terms of Use  – of your site, as it does not fall under the privacy law category.

Terms of Service are an optional responsibility of the site owner, business owner or app developer in the form of a legal agreement covering disclaimers and rules about the products’ usage.

However, if you change your Privacy Policy to make it compliant with GDPR, it may affect certain aspects of your Terms of Service. So, you need to review your Terms of Service and make sure that it is per your Privacy Policy.

Simply put, it is better if you also create Terms of Service that are covered under GDPR from the beginning, where it is applicable. Therefore, even though your site’s Privacy Policy and Terms of Service pages are distinct and separated, they can refer and link to one another.

Be Transparent With Your Users

Then, you should be transparent with your users as transparency is the core principle of GDPR. So, you need to be certain that your users know how, why, and for what you store and process their data.

Do so by making sure that you confirm your users’ explicit consent by providing checkboxes on all forms on your site. So, every further action regarding their data is agreed by both you and your users.

If you have an email sign up page on your site, you should make sure that it has a checkbox which your users may click to confirm that they opt-in. That way they can decide whether they want or don’t want to receive email from you. This prevents you from violating GDPR caused by sending spam emails to your mailing list.

Moreover, each page needing users’ consent on your site  – registration, email forms, giveaway entries, etc. – should have a link to your privacy policy. The link must be clearly visible under common terms, such as “Privacy Policy,” so your users can further learn about it whenever they need to.

Another important point to maintain transparency is that you should be able to delete or transmit your users’ data upon their request. It’s better if you also provide a downloadable file of your users’ data.

Lucky for you if you use a version newer than WordPress 4.9.6 you already have a built-in data export and erasure feature, so it’s easy for your site to meet the GDPR data transparency requirements.

You can simply visit Tools and choose the action regarding data you’re about to handle.

exporting and erasing user data in WordPress Tool admin area

WordPress GDPR Plugins

Even though WordPress 4.9.6 is already GDPR compliant, handling data consent of all your users can be complicated if you do it manually. However, you can easily automate some GDPR compliance aspects for your WordPress site using the best GDPR plugins suggested below:


If you run an eCommerce site, you can use the WooCommerce plugin. It is the most well-known WordPress plugin for eCommerce that provides GDPR updates and tools to handle customers’ request on Right to Access and Right to Erasure.

Email Marketing

Email Marketing becomes easy when using MailerLite or MailChimp plugins, both of them provide double opt-in signups for your users, so you can easily get the explicit consent required. Moreover, both of them also allows you to manage your email list by showing statistics and users who have opted-in post-GDPR.


To comply with GDPR you can use a plugin like Disqus or GDPR to manage the consent or your users’ data stored by the comment feature. However, the WordPress default commenting feature actually complies with GDPR as it has a comment consent checkbox. User can simply leave a comment on your site without checking the opt-in box.

Contact Form

If your WordPress site uses a contact form, you need to set up transparency information about managing data in order to comply with GDPR.

However, you can automatically manage user data using plugins such as Gravity Forms, Ninja Forms, or WPForm.

By using these plugins, you don’t have to get the Data Processing Agreement from the form providers, as your form entries are stored on your site’s database. They also provide consent checkbox with brief and clear information about data processing. Moreover, you can easily export and delete any user’s data.


Cookie consent becomes important when trying to comply with GDPR as you are required to give cookie disclosure and acceptance notices when users visit your site. The GDPR Cookie Consent WordPress plugin is a tool that displays cookie consent notification. This plugin enables users to opt-in or opt-out of your site’s cookies. This plugin also enables you to fully customize the look and location of your cookie bar.


As you now know, GDPR  – General Data Protection Regulation  – is a law that aims to protect the personal data and privacy of internet users as mandated by the European Union. Even though it is issued by the EU, this law generally applies to all website owners that have visitors from the EU.

This law can be very beneficial, but it can also damage businesses if it is not handled properly, as you can get penalties up to 4% of your annual income. So, it is important to make all of your website’s aspects GDPR compliant.

Here are the main things needed to make sure your website is GDPR compliant:

  • Make sure your website uses HTTPS (optional, but highly recommended)
  • Update your legal documents
  • Be transparent with your users
  • Enable consent options

If your WordPress site has been updated to 4.9.6 version, then your site is already GDPR compliant.

You still can automate some GDPR compliance requirements by using plugins to enhance your site. These are some plugins that may be beneficial for your site:

So, does your site already comply with GDPR?

Keep in mind that this article is not a piece of legal advice, you should consult a lawyer to make sure that your site is already fully GDPR compliant.

The author

Fitrana A.

Fitrana is Hostinger's Digital Content Writer. She loves doing in-depth research to make every topic accessible to all readers. Besides writing, she enjoys attending music gigs, photo hunting, and reading books.