Beginner's Guide for WordPress / Start your WordPress Blog in minutes

The Ultimate Guide to WordPress and GDPR Compliance – Everything You Need to Know

Are you confused by GDPR, and how it will impact your WordPress site? GDPR, short for General Data Protection Regulation, is an European Union law that you have likely heard about. We have received dozens of emails from users asking us to explain GDPR in plain English and share tips on how to make your WordPress site GDPR compliant. In this article, we will explain everything you need to know about GDPR and WordPress (without the complex legal stuff).

WordPress and GDPR Compliance

Disclaimer: We are not lawyers. Nothing on this website should be considered legal advice.

To help you easily navigate through our ultimate guide to WordPress and GDPR Compliance, we have created a table of content below:

Table of Content

What is GDPR?

The General Data Protection Regulation (GDPR) is a European Union (EU) law taking effect on May 25, 2018. The goal of GDPR is to give EU citizens control over their personal data and change the data privacy approach of organizations across the world.

What is GDPR?

You’ve likely gotten dozens of emails from companies like Google and others regarding GDPR, their new privacy policy, and bunch of other legal stuff. That’s because the EU has put in hefty penalties for those who are not in compliance.

Fines

Basically after May 25th, 2018, businesses that are not in compliance with GDPR’s requirement can face large fines up to 4% of a company’s annual global revenue OR €20 million (whichever is greater). This is enough reason to cause wide-spread panic among businesses around the world.

This brings us to the big question that you might be thinking about:

Does GDPR apply to my WordPress site?

The answer is YES. It applies to every business, large and small, around the world (not just in the European Union).

If your website has visitors from European Union countries, then this law applies to you.

But don’t panic, this isn’t the end of the world.

While GDPR has the potential to escalate to those high level of fines, it will start with a warning, then a reprimand, then a suspension of data processing, and if you continue to violate the law, then the large fines will hit.

GDPR Fines and Penalties

The EU isn’t some evil government that is out to get you. Their goal is to protect consumers, average people like you and me from reckless handling of data / breaches because it’s getting out of control.

The maximum fine part in our opinion is largely to get the attention of large companies like Facebook and Google, so this regulation is NOT ignored. Furthermore, this encourage companies to actually put more emphasis on protecting the rights of people.

Once you understand what is required by GDPR and the spirit of the law, then you will realize that none of this is too crazy. We will also share tools / tips to make your WordPress site GDPR compliant.

What is required under GDPR?

The goal of GDPR is to protect user’s personally identifying information (PII) and hold businesses to a higher standard when it comes to how they collect, store, and use this data.

The personal data includes: name, emails, physical address, IP address, health information, income, etc.

GDPR Personal Data

While the GDPR regulation is 200 pages long, here are the most important pillars that you need to know:

Explicit Consent – if you’re collecting personal data from an EU resident, then you must obtain explicit consent that’s specific and unambiguous. In other words, you can’t just send unsolicited emails to people who gave you their business card or filled out your website contact form because they DID NOT opt-in for your marketing newsletter (that’s called SPAM by the way, and you shouldn’t be doing that anyways).

For it to be considered explicit consent, you must require a positive opt-in (i.e no pre-ticked checkbox), contain clear wording (no legalese), and be separate from other terms & conditions.

Rights to Data – you must inform individuals where, why, and how their data is processed / stored. An individual has the right to download their personal data and an individual also has the right to be forgotten meaning they can ask for their data to be deleted.

This will make sure that when you hit Unsubscribe or ask companies to delete your profile, then they actually do that (hmm, go figure). I’m looking at you Zenefits, still waiting for my account to be deleted for 2 years and hoping that you stop sending me spam emails just because I made the mistake of trying out your service.

Breach Notification – organizations must report certain types of data breaches to relevant authorities within 72 hours, unless the breach is considered harmless and poses no risk to individual data. However if a breach is high-risk, then the company MUST also inform individuals who’re impacted right away.

This will hopefully prevent cover-ups like Yahoo that was not revealed until the acquisition.

Data Protection Officers – if you are a public company or process large amounts of personal information, then you must appoint a data protection officer. Again this is not required for small businesses. Consult an attorney if you’re in doubt.

GDPR Data Protection Officer

To put it in plain English, GDPR makes sure that businesses can’t go around spamming people by sending emails they didn’t ask for. Businesses can’t sell people’s data without their explicit consent (good luck getting this consent). Businesses have to delete user’s account and unsubscribe them from email lists if the user ask you to do that. Businesses have to report data breaches and overall be better about data protection.

Sounds pretty good, in theory at least.

Ok so now you are probably wondering what do you need to do to make sure that your WordPress site is GDPR compliant.

Well, that really depends on your specific website (more on this later).

Let us start by answering the biggest question that we’ve gotten from users:

Is WordPress GDPR Compliant?

Yes, as of WordPress 4.9.6, the WordPress core software is GDPR compliant. WordPress core team has added several GDPR enhancements to make sure that WordPress is GDPR compliant. It’s important to note that when we talk about WordPress, we’re talking about self-hosted WordPress.org (see the difference: WordPress.com vs WordPress.org).

Having said that, due to the dynamic nature of websites, no single platform, plugin or solution can offer 100% GDPR compliance. The GDPR compliance process will vary based on the type of website you have, what data you store, and how you process data on your site.

Ok so you might be thinking what does this mean in plain english?

Well, by default WordPress 4.9.6 now comes with the following GDPR enhancement tools:

Comments Consent

WordPress Comments Opt-in for GDPR

By default, WordPress used to store the commenters name, email and website as a cookie on the user’s browser. This made it easier for users to leave comments on their favorite blogs because those fields were pre-populated.

Due to GDPR’s consent requirement, WordPress has added the comment consent checkbox. The user can leave a comment without checking this box. All it would mean is that they would have to manually enter their name, email, and website every time they leave a comment.

Update: If your theme is not showing the comment privacy checkbox, then please make sure that you have updated to WordPress 4.9.6 and are using the latest version of your theme. Also please make sure that you are logged-out when testing to see if the checkbox is there.

If the checkbox is still not showing, then your theme is likely overriding the default WordPress comment form. Here’s a step by step guide on how to add a GDPR comment privacy checkbox in your WordPress theme.

Data Export and Erase Feature

WordPress Data Handling - GDPR

WordPress offers site owners the ability to comply with GDPR’s data handling requirements and honor user’s request for exporting personal data as well as removal of user’s personal data.

The data handling features can be found under the Tools menu inside WordPress admin.

Privacy Policy Generator

WordPress Privacy Policy Generator for GDPR

WordPress now comes with a built-in privacy policy generator. It offers a pre-made privacy policy template and offer you guidance in terms of what else to add, so you can be more transparent with users in terms of what data you store and how you handle their data.

These three things are enough to make a default WordPress blog GDPR compliant. However it is very likely that your website has additional features that will also need to be in compliance.

Areas on Your Website that are Impacted by GDPR

As a website owner, you might be using various WordPress plugins that store or process data like contact forms, analytics, email marketing, online store, membership sites, etc.

Depending on which WordPress plugins you are using on your website, you would need to act accordingly to make sure that your website is GDPR compliant.

A lot of the best WordPress plugins have already gone ahead and added GDPR enhancement features. Let’s take a look at some of the common areas that you would need to address:

Google Analytics

Like most website owners, you’re likely using Google Analytics to get website stats. This means that it is possible that you’re collecting or tracking personal data like IP addresses, user IDs, cookies and other data for behavior profiling. To be GDPR compliant, you need to do one of the following:

  1. Anonymize the data before storage and processing begins
  2. Add an overlay to the site that gives notice of cookies and ask users for consent prior to tracking

Both of these are fairly difficult to do if you’re just pasting Google Analytics code manually on your site. However, if you’re using MonsterInsights, the most popular Google Analytics plugin for WordPress, then you’re in luck.

They have released an EU compliance addon that helps automate the above process. MonsterInsights also has a very good blog post about all you need to know about GDPR and Google Analytics (this is a must read, if you’re using Google Analytics on your site).

MonsterInsights EU Compliance Addon

Contact Forms

If you are using a contact form in WordPress, then you may have to add extra transparency measures specially if you’re storing the form entries or using the data for marketing purposes.

Below are the things you might want to consider for making your WordPress forms GDPR compliant:

  • Get explicit consent from users to store their information.
  • Get explicit consent from users if you are planning to use their data for marketing purposes (i.e adding them to your email list).
  • Disable cookies, user-agent, and IP tracking for forms.
  • Make sure you have a data-processing agreement with your form providers if you are using a SaaS form solution.
  • Comply with data-deletion requests.
  • Disable storing all form entries (a bit extreme and not required by GDPR). You probably shouldn’t do this unless you know exactly what you’re doing.

The good part is that if you’re using WordPress plugins like WPForms, Gravity Forms, Ninja Forms, Contact Form 7, etc, then you don’t need a Data Processing Agreement because these plugins DO NOT store your form entries on their site. Your form entries are stored in your WordPress database.

Simply adding a required consent checkbox with clear explanation should be good enough for you to make your WordPress forms GDPR compliant.

WPForms, the contact form plugin we use on WPBeginner, has added several GDPR enhancements to make it easy for you to add a GDPR consent field, disable user cookies, disable user IP collection, and disable entries with a single click.

GDPR Form Fields in WPForms

Note: We have created a step by step guide on how to create GDPR compliant forms in WordPress.

Email Marketing Opt-in Forms

Similar to contact forms, if you have any email marketing opt-in forms like popups, floating bars, inline-forms, and others, then you need to make sure that you’re collecting explicit consent from users before adding them to your list.

This can be done with either:

  1. Adding a checkbox that user has to click before opt-in
  2. Simply requiring double-optin to your email list

Top lead-generation solutions like OptinMonster has added GDPR consent checkboxes and other necessary features to help you make your email opt-in forms compliant. You can read more about the GDPR strategies for marketers on the OptinMonster blog.

WooCommerce / Ecommerce

If you’re using WooCommerce, the most popular eCommerce plugin for WordPress, then you need to make sure your website is in compliance with GDPR.

The WooCommerce team has prepared a comprehensive guide for store owners to help them be GDPR compliant.

Retargeting Ads

If your website is running retargeting pixels or retargeting ads, then you will need to get user’s consent. You can do this by using a plugin like Cookie Notice.

Best WordPress Plugins for GDPR Compliance

There are several WordPress plugins that can help automate some aspects of GDPR compliance for you. However, no plugin can offer 100% compliance due to the dynamic nature of websites.

Beware of any WordPress plugin that claims to offer 100% GDPR compliance. They likely don’t know what they’re talking about, and it’s best for you to avoid them completely.

Below is our list of recommended plugins for facilitating GDPR compliance:

  • MonsterInsights – if you’re using Google Analytics, then you should use their EU compliance addon.
  • WPForms – by far the most user-friendly WordPress contact form plugin. They offer GDPR fields and other features.
  • Cookies Notice – popular free plugin to add an EU cookie notice. Integrates well with top plugins like MonsterInsights and others.
  • Delete Me – free plugin that allow users to automatically delete their profile on your site.
  • OptinMonster – advanced lead generation software that offers clever targeting features to boost conversions while being GDPR compliant.
  • Shared Counts – instead of loading the default share buttons which add tracking cookies, this plugin load static share buttons while displaying share counts.

We will continue to monitor the plugin ecosystem to see if any other WordPress plugin stands out and offer substantial GDPR compliance features.

Final Thoughts

Whether you’re ready or not, GDPR will go in effect on May 25, 2018. If your website is not compliant before then, don’t panic. Just continue to work towards compliance and get it done asap.

The likelihood of you getting a fine the day after this rule goes in effect are pretty close to zero because the European Union’s website states that first you’ll get a warning, then a reprimand, and fines are the last step if you fail to comply and knowingly ignore the law.

The EU is not out to get you. They’re doing this to protect user’s data and restore people’s trust in online businesses. As the world goes digital, we need these standards. With the recent data breaches of large companies, it’s important that these standards are adapted globally.

It will be good for all involved. These new rules will help boost consumer confidence and in turn help grow your business.

We hope this article helped you learn about WordPress and GDPR compliance. We will do our best to keep it updated as more information or tools get released.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

Additional Resources

Legal Disclaimer / Disclosure

We are not lawyers. Nothing on this website should be considered legal advice. Due to the dynamic nature of websites, no single plugin or platform can offer 100% legal compliance. When in doubt, it’s best to consult a specialist internet law attorney to determine if you are in compliance with all applicable laws for your jurisdictions and your use cases.

WPBeginner founder, Syed Balkhi, is also the co-founder of OptinMonster, WPForms, and MonsterInsights.

Disclosure: Our content is reader-supported. This means if you click on some of our links, then we may earn a commission. See how WPBeginner is funded, why it matters, and how you can support us.

The Ultimate WordPress Toolkit

Get FREE access to our toolkit – a collection of WordPress related products and resources that every professional should have!

Reader Interactions

175 CommentsLeave a Reply

  1. I use Jetpack plugin for my contact form and stats (among others) How to make their contact form compliant?
    Thanks

  2. One thing that people don’t seem to be discussing is the comment section. Right here, in this very form, you just asked me for my email address, as does every standard WP comment form. But nowhere are you telling me what this email address will be used for. You aren’t using it for follow up because I’m not going to subscribe to that option.

    The default WP comment behaviour is just to ask for people’s email address but with no particular purpose, which also goes against GDPR, right? You have to have a purpose to ask for someone’s data now.

    This seems so obvious that I wonder what I’m missing. They clearly thought about comments and added that new cookie comment check-box, so why is nothing mentioned about the email address collection in the first place?

  3. Thelanguage you use o explain this GDPR issue,is tremendously unique. ALL in one solution for small projects like mine. From this I get to know completely about GDPR and Now I can analyze where i have to improve.
    Thanks

  4. Wonderful guide, I thought this compliance is not affecting me, although I wonder what is this “GDPR compliance” people talking about, and this article provide me with clear explanation. Now I know I should update my website and must follow this compliance. Thank you for sharing this information.

  5. Thank you for a very detailed explanation AND most of all for curbing panic. I can look at decent solutions and implement GDPR compliance on my website with ease now that I know what it entails.

  6. Hi, Thanks for your nice, clear and explanatory article. I am using Sumome to generate my subscriber base. Do you have any idea whether this is GDPR compliant?

  7. What a succinct and we’ll informative article. This article has quite enlightenment effect on understanding what GDPR is. Until now I never knew that this law is just going to be taking its effect from 25th of May and there has been a lot buzzes and news of it here and there for a long time now. Thank you for the wonderful post.

  8. I run a cybersecurity news website and I have never collected anything from any visitor other than email for sending readers notifications about new news articles.

    Do I have to go through all this headache as well? Also, do we have to show GDPR compliance popup to visitors like we do with cookie consent popup?

    Thanks for the great article.

  9. I think you’re going to get a lot of hits on this article. :)

    I agree with others that it’s the best one out there so far. Thanks!

  10. Hey!
    How would I know – or – what can I do on my WordPress site to make sure there are no cookies being used so I don’t have to have the cookie warning or any other policy (GDPR etc) to worry about?
    (I just have a few “how-to” guides on there, nothing else – no comments etc or any contact boxes etc).
    * Thank you for taking the time to create this GDPR post – greatly appreciated!
    JC.

  11. Other sources say that GDPR applies only to people/company in the EU, NOT to EU citizens who happen to be in the US.

    We have enabled country blocking so our site is simply not available anywhere but the US and Canada.

    Is it your (non-legal) opinion that we therefore do not need to comply?

  12. I have used WP Simple Membership Plug in on my website. What do I need to do to update the forms there?

  13. Congratulations for a very informative and well explained article. A very good starting point for further reading.

  14. Thank you for this :)

    About the plugins you recommend, so you recommend downloading ALL OF THEM right? :)

    Thank you :)

    Tamara

  15. This is a very helpful article. I’d previously addressed all of these issues in the fashion you recommend, but there is one thing I cannot find an answer to despite searching and posting in multiple places:

    What about WP blog subscriptions? Nothing in the WP or JetPack updates that I can find provides that check box of consent for blog subscribers. Don’t those email and WP subscriptions require consent too?

  16. This is a good resources as well,
    https://www.compliancejunction.com/gdpr-for-small-business/
    Quoting below –
    What effect could the GDPR have on small businesses?
    For the purposes of the GDPR, a small business is classified as one with fewer than 250 employees. Any business with more than 250 employees is required to comply with the GDPR and is required to nominate a Data Protection Officer (DPO).

    Businesses with fewer than 250 employees are required to comply with the GDPR if their data processing could affect the rights and freedoms of individuals, if they process personal data on a regular basis, or if they process data which is covered by Article 9 of the GDPR, which includes sensitive data such as that relating to religious beliefs. If any of these apply to a small business, it needs to ensure that it complies with all aspects of the GDPR.

  17. You are omitting the part of GDPR that gives exemptions to companies with less than 200 employees. At least I didn’t see any mention of it.

    • I believe that part is specific to requiring a Data Protection Officer. However I do agree that risk of penalty is lower for smaller businesses, but it doesn’t mean that they shouldn’t do their best to comply.

      -Syed

      Admin

  18. WordPress 4.9.6 is not GDPR-compliant, not at all, sorry. Core-content in backend available to all user roles including subscriber is hosted on third party servers without information and/or consent. User IPs are stored in database without notice, just look for session_token. User IPs are stored for comments. User email is used in filename for GDPR data export. Exported meta fields from user profile are hardcoded, export will be incomplete in most cases. And there are a lot of of bugs like privacy policy page can not be edited by editors, your clients need full admin access to edit that page now, good luck with that.

  19. What a great article, the first bit of sense i have read about the mysterious GDPR, I found that this was informative to start off with and also helpful with advising on plug-ins to add to my website to help make it compliant.
    Thank you very much, i can now breathe a sigh of relief!

  20. Amazing article, thanks so much.

    A few questions:

    — With regard to MonsterInsights, is the “anonymize IP” feature in the free version sufficient for GDPR compliance with regard to Google Analytics? Or is there critical functionality associated with the paid version (and EU Compliance Addon)?

    — I’m a bit concerned about third-party ads (via networks like Taboola, RevContent, etc). What exactly is and isn’t required of publishers given that we in no way control or process the data that they collect / cookies they store?

    — With regard to Cookie Plugins, are there any that A) actually block third-party cookies on your site based on a lack of consent or opt-out and B) can be geotargeted to EU users?

    I’m a US based publisher, so I don’t want to show opt-out messages (and risk losing track / ad dollars) to visitors who are outside Europe.

    • Hi Dawson,

      Please see MonsterInsights’ blog post for more details.

      You will need to reach out to each network, and most likely they will already have documentation on how to prepare for GDPR compliance.

      As for cookie plugins, surely there will be more plugins coming out to address different requirements.

      Admin

  21. Hi,

    Not identifying people that post on your blog can be dangerous for many sites. If someone threatens to sue you and you have insurance, I think you need to inform about it and be able to identify the person so that you can protect yourself against legal claims. As a result, you can’t ask for consent because if you do, the person have to right to be forgotten. So, I am using legitimate interest. By the way, I think the privacy policy offers by WordPress is missing some GDRP requirements such as the identification of the legal basis for each processing.

  22. By far one of the best articles on GDPR compliance when it comes to plugins and websites. Do you have any examples of privacy policies that show data categories and GDPR compliant terms that would cover plugins in general (in lieu of listing every single plugin used on a website). Thank you!

  23. Hi, I just wanted to say thanks for writing this article. Didn’t really understand this GPDR Update until today. Thanks so much.

  24. Hello, thanks for all these information but I do have one last question. My blog is personal, which means I do not give analytics or data to no-one, or I don’t have advertises.

    Do I still have the obligation to obey to the new regulations?

    Thanks in advance

    • Hi Eleni,

      According to the regulation, yes if you have a website (personal or business or anything else) you would still have to comply. You can wait and see how they enforce it on small personal blogs since there is no precedent of that yet, but if all you have to do is anonymize IP addresses on your analytics, then it’s not that big of a deal :)

      Admin

      • Thanks for the great article. I’m using your Insert Headers and Footers plug-in, how do I anonymize IP addresses on that?

        • That plugin only offers you the ability to add scripts. It does not have functionality like anonymizing IPs because that’s specific to individual scripts that you might be loading.

  25. Hi guys,

    First of all thank you for this great article.

    I have a question regarding the export personal data tool.
    If my understanding is correct, a user can access his personal data by contacting the admin and waiting for an email response. I may be wrong, but it’s not a very user-friendly approach. And it also puts a big load on the admin if working with a big user database.

    Is there a way to make this process automatically? Maybe a plugin that automatically exports & downloads the user, instead of having the admin do it manually?

    Cheers,
    Andrei

  26. Thank you for your informative article which I will read more thoroughly. However, I am obliged at this point to mention an issue which has caught my eye. You make mention of ‘EU citizens’ and ‘EU resident’ which are incorrect terms. No one can be legally resident in the EU as such, but only in their respective countries. The EU is not a country, but a bureaucracy which is basically an economic entity that enables free trade among its separate member states and has its own regulations to which member states are subject. The countries of Europe are situated in a landmass geographically, but each have their own identity and culture. Therefore it would be more accurate to refer to the GDPR in terms of relevance to member countries.

    • Hi Peter,

      I am glad you found the article helpful. My goal with this article is to break down things to it’s simplest level. While the distinction exists on local levels, from the sake of this article any long-term resident of an EU member nation is considered an EU resident.

      The law is being passed by EU as a whole with signatures from each member nation.

      Admin

  27. Thanks for the detailed info? Beyond the legal stuff, practical help and tools to make it possible are very needed here.

  28. Hi, Can we write our own privacy policy or do we need a lawyer?

    Also, can we copy the privacy policy of another site (certain sentences)?

    • Hi Che,

      You can most definitely use the default WordPress privacy policy through the generator in 4.9.6. Just make sure you add everything that you’re collecting because there’s no such thing as one-size fits all.

      Admin

  29. I am still confused. My website has a Add To Cart button but the shopping cart is at PayPal, not on my computer, they advise me when I have an order by email so I can ship to the name and address given the item ordered. I have not heard boo from PayPal about these regulations. I don’t store anything other than the name of the buyer and the ship-to address given to me.
    If people sign up for my wordpress.com blog to “follow”, all I have is their email address and actually am personally never in touch with them. So what do I need to do?

    • Hey there,

      You would need to update your privacy policy and add what information you store. Add a cookies notice on your blog if you’re adding cookies on the user’s browser and that’s about it.

      Admin

  30. According to this (very helpful!) article, WP 4.9.6 now has Comments Consent by default. I’m always running the latest version (and I do have the new Privacy setting) but I don’t see this showing on my Comment forms, nor do I see a way to turn it on. I am running a “subscribe” plugin (Subscribe to Comments Reloaded) and this is all I see. Could this be blocking it? Otherwise, how do I activate this feature?

      • Yes – I’ve logged-out, cleared both the WP cache and the browser’s, forced refreshes, tried different browsers … everything I can think of. I installed a clean version of WP 4.9.6 on a test server with NO plugins, and I can see it there – but not on any of the live sites I manage.

        I’m still trying things … If I discover the problem, I’ll let you know. In the meantime, anyone have any ideas?

      • OK, after a lot of reading and digging through the WP files, this seems to be a problem with some themes. As of WP 4.9.6, a “$cookies_consent” parameter was added, and while virtually all themes will have their own Comments Forms, many of them will not make use of this parameter – hence the fact that it doesn’t show up. For more information on what’s happening here (and needs to happen), see this article at WordPress.org : https://make.wordpress.org/core/2018/05/17/changes-that-affect-theme-authors-in-wordpress-4-9-6/ .

        While this explains the problem and offers a way to fix it, I’m afraid this level of hacking to include a new parameter in the array may be beyond the average person that WPBeginner is focused on… So what to do?

        * Contact your theme’s author and ask if they plan to update their theme to include this parameter … and best of luck to you.

        * Switch to a theme that’s GDPR compliant and will show this checkbox option on the Comments Form. (The “bundled” WP themes like Twenty Seventeen and such have all been updated to show it.)

        I predict that in the future you’re going to get a lot of questions about this very issue – you may even want to write a dedicated article about it!

        And while I’m waiting to hear back from a couple of theme developers, I plan to roll up my sleeves and try adding this parameter myself. (Said the fearless code-hacker – who uses child-themes and backs everything up first!)

        I hope this helps explain why this feature is probably not showing up for lots of others … and keep up the great work, folks!

      • The comment consent box isn’t showing up for me, either. I’m logged out and using an incognito browser. I have seen others say the same thing in another forum.

    • Hi! It seems I have the same problem here! I’m running WordPress 4.9.6 and there is no consent checkbox for Comments. It goes without saying that I wasn’t logged in when I checked. Any ideas?

  31. And what do we do about WordPress.com blogs? I wrote a privacy policy and I enabled the cookies notice, even though it does not go away when you click accept and close.

    You also forgot Article 21. If your website is accessible and collects data from EU citizens, but you are not located in the EU, you are required to have a representative that IS located in the EU in case a local supervising authority needs to get hold of you. This is mandatory.

    • Hi Laura,

      Data protection officer is not mandatory. You can review the infographic that we linked to in additional resources section of this article which is by the European Union themselves.

      This is what it says in regards to a Data Protection Officer:

      “This is not always obligatory. It depends on the type and amount of data you collect, whether processing is your main business and if you do it on a large scale.”

      I’m certain more services will come out and offer representative services at scale for affordable prices.

      Admin

  32. This is good news .. unless I’m missing something loll
    Guess this means that WP will stop sharing our IP’s addresses every time we comment – was not crazy about that .. Wish I knew that before to ensure my VPN’s always active loll But I was a newbie n guess I missed it ;)
    All good. I love WP, I love blogging there; been meeting some really great people. Thanks ;)

  33. “around the world (not just in the European Union).”

    Please, I’d like to know the source of this information. EU laws do not, and can not apply to US citizens. As I understand, GDPR will only apply to multi national corporations, i.e. ones that have some business unit(s) registered in the EU. Please cite the US statute that states GDPR regulations apply to US citizens operating a business out of the USA. I’ve not been able to find one, and no one has been able to point me to one as of yet. I think all this fear mongering is just plain wrong. EU regulations apply in the EU and US regulations apply in the US. The US has its own privacy related laws. Please advise?

    • Hi Mike,

      By doing business online and making your website available to the entire world, you expose yourself to the jurisdiction of each state and country. It is a quite common argument that EU laws like GDPR does not apply here in US. That’s actually not true. We just haven’t seen them strictly enforced on companies outside of EU (or large multi-national corporation). This does not mean that it can’t happen.

      A foreign government or entity can bring a legal case against you (for any reason), win in their respective jurisdiction and file for a motion in your local jurisdiction for a judgement claim. As you can imagine, the cost of doing this is very high, and this is why it doesn’t happen often.

      However saying it can’t happen would be a mistake.

      Again I’m no lawyer, and as I stated in the article above, people won’t get fined right away. You’ll get a warning first, then reprimand, and then fine. A lot of fear mongering is being done around fines right now, and I wanted to clarify that here in this article.

      -Syed

      Admin

      • Since you’re not a lawyer, maybe it’s best not to give this kind of advice. There is a lot of misinformation in your comment and is the kind of info that causes widespread unnecessary panic.

      • As the “EU” launched two massive lawsuits against Alphabet (Google and Android) and Facebook as soon as the law went into effect, it’s pretty clear this law was and is a thinly veiled ruse to “get” those two companies.

        As a one to sometimes three-person shop, with a company that rarely grosses over $1k (although I’m hoping to crank it up to $10k over time), the EU can have a fun go at me for the couple bucks in fines they might get.

        More likely I’ll just block all non-US IP addresses [Israel can stay too, the EU will never let them in], and refuse to communicate or do any business with anyone in the EU. Since most of the research I do is US based anyway, and academic research at that, most likely no one will care.

        I’ve always had a double-opt-in, don’t share any info with anyone policy, and my data is double anonymized with a proprietary algorithm. I don’t mind adding all the cookie and privacy warnings and such, so I’m probably in compliance anyway. But I don’t like the EU telling the rest of the world what it can and can’t do by fiat.

        I hope Google and Facebook pull out of the EU along with me. Watching that and the fallout afterward will really be a hoot.

  34. What are the rules for a non-hosted WordPress.com website? Only used for personal posts, not marketing anything. But I do have worldwide followers. Noticed you addressed WordPress.org only. Thank you!

    • Hi Christine, everything we do on WPBeginner is focused for helping self-hosted WordPress.org users.

      I’d recommend reaching out to WordPress.com team to see what they’re doing about GDPR for their hosted sites.

      -Syed

      Admin

  35. Thanks for the simple plain English post. I’ve shared it forward in a Facebook Group where one of the Group members had concerns about GDPR. Thank you for validating my understanding about GDPR and what we need to do for compliance without overwhelm.

  36. Hello,

    I’ve been using the free version for a while and could not be happier.

    However, with regards to the GDRP integration, is that available only with a payment plan?

    Thank you for a great plug-in! (Already a subscriber and happy to remain one)

    Christos

    • Hi Christos, which plugin are you talking about?

      For MonsterInsights, the EU compliance addon is available on paid plans only. For WPForms, it has enhancements for both Lite and Pro users (depending on individual needs).

      Admin

  37. Our website is for our organization and informational in nature. We don’t sell anything or have a blog. Do I still need to be GDPR compliant?

  38. That’s a concise guide. Jetpack offers the cookie banner with a cookie policy. Today there was a pop up on the dashboard announcing help with the WP Privacy Policy–helping to populate the Privacy Policy subheadings.

    My question is: why would one need a GDPR plug in when WP’s tools are available?

    Also, how does the export/erase data work? From where do website visitors request that info?

    Thanks Syed

    • Not everyone will need third-party GDPR plugins. It will depend on the type of site you have and your needs. If you’re using Google Analytics, then you would need the MonsterInsights EU compliance addon that either anonymizes IP address or integrates with a cookie notices plugin.

      Adding an email in your privacy policy that a visitor can use to email you to request data export / erasure would work sufficiently. Alternatively, you can use a form plugin like WPForms to create a form on your site for that.

      Admin

  39. Hi!

    Sorry but WordPress isn’t GDPR compliant because it lacks of the first layer of information that must be agreed by the user. Las version of WordPress only doesn’t save the cookie but doesn’t have a place where to inform to the user that his name, IP, email, etc are going to be saved to the database, and doesn’t have the (not checked) checkbox to agree to this personal data storing.

    Curiously, WooCommerce’s next version will include this type of feature in the new Privacy & Accounts tab.

    Hugs!

    • Let’s see if WordPress adds that. I am not a lawyer, but in my opinion this can be addressed in the privacy policy. When the user submits the comment, they understand this information is being stored. However if you want to use their information for something other than just displaying comment (i.e sending a comment notification, email newsletters, etc) then you have to get additional consent.

      I also expect a lot more plugins to come out to solve GDPR related issues :)

      Admin

  40. Thank you for producing an easy to understand and follow article on GDPR – the first time I’ve come across something that’s relevant and cuts through all the jargon!

  41. I do not do financial transaction, nor store any information on my websites. I do charge any money for my sites. will i still need to go thru these costly hoops ?
    Pat

  42. Thank you so much for posting this article. I was waiting from many days to listen your thoughts on GDPR. It is helpful and specially simple english. Thank you so much for helping on this matter.

  43. I’d like to know what to do about Amazon affiliate links. How do we become compliant with them? I’ve tried to ask Amazon but they will not provide any advice.

    • Depending on who you ask, you will get differing opinions. Some will say because the referral cookies don’t get added on your site, you don’t have to do anything regarding affiliate links (it’s the merchant’s responsibility).

      Others will recommend to use a cookie notice on your site and add Affiliate Links section in your privacy policy.

      Admin

      • I’ve been trying to find someone’s privacy policy where they mention affiliate links from Amazon and others like Skimlinks but haven’t been successful yet. Do you know of one that I can “borrow”?

      • That actually makes sense – cookie disclaimer and affiliate notice. I use an affiliate notice in the base footer of my site and a cookie consent.

        As long as we are transparent with all that we do there can be no comebacks – theoretically!!!

        Christos

  44. Nicely done. I’ll be sending my clients to read this instead of re-inventing the wheel and writing my own version.

  45. Thanks for the article, great points! I honestly feel ready, but still feel like after a few days I’ll find out some stuff that will be totaly new for me.
    https://www.omnisend.com/blog/gdpr-hub/the-3-foundations-of-the-gdpr/ for example here they say that you even need consent to see and save their IP information and such, and so much more. So I mean they disagree with cookie policy? Too bad then, can’t follow ’em anymore. Tough luck really.

    • Yes you do need their consent to store IP information. That’s why in our guide we recommend that you anonymize IP for Google Analytics and use Cookie Notice or similar solution to get permission.

      Admin

Leave a Reply to Andrei Cancel reply

Thanks for choosing to leave a comment. Please keep in mind that all comments are moderated according to our comment policy, and your email address will NOT be published. Please Do NOT use keywords in the name field. Let's have a personal and meaningful conversation.