Trusted WordPress tutorials, when you need them most.
Beginner’s Guide to WordPress
25 Million+
Websites using our plugins
Years of WordPress experience
WordPress tutorials
by experts

The Ultimate Guide to WordPress and GDPR Compliance

Editorial Note: We earn a commission from partner links on WPBeginner. Commissions do not affect our editors' opinions or evaluations. Learn more about Editorial Process.

The GDPR, short for General Data Protection Regulation, is a European Union law that protects users’ privacy when using websites. We’ve received dozens of emails from users asking us to explain the GDPR in plain English and share tips on how to make your WordPress site GDPR-compliant.

In this article, we will explain everything you need to know about the GDPR and WordPress (without the complex legal stuff).

The Ultimate Guide to WordPress and GDPR Compliance


We are not lawyers, and nothing on this website should be considered legal advice.

To help you easily navigate through our ultimate guide to WordPress and GDPR compliance, we have created a table of contents below:

What Is the GDPR?

The General Data Protection Regulation (GDPR) is a European Union (EU) law that took effect on May 25, 2018. The goal of the GDPR is to give EU citizens control over their personal data and change the data privacy approach of organizations across the world.

What is GDPR?

Over the years, you’ve likely gotten dozens of emails from companies like Google about the GDPR, their new privacy policies, and a bunch of other legal stuff. That’s because the EU has made big penalties for people who don’t comply with the regulations.

Businesses that are not in compliance with the GDPR’s requirements can face large fines of up to 4% of a company’s annual global revenue or €20 million (whichever is greater). This is enough reason to cause widespread panic among businesses around the world.

What Is the CCPA?

The state of California introduced similar privacy legislation on January 1, 2020, though the potential fines are much lower.

The California Consumer Privacy Act (CCPA) is designed to protect the personal information of Californian residents. It gives them the right to know what personal information is being collected about them, request its deletion, and opt out of the sale of their data.

In this article, we will focus on the GDPR, but many of the steps we list in this article will also help you become CCPA compliant.

This brings us to the big question that you might be thinking about:

Does the GDPR Apply to My WordPress Website?

The answer is YES. It applies to every business, large and small, around the world (not just in the European Union).

If your WordPress website has visitors from European Union countries, then this law applies to you.

But don’t panic. It’s not the end of the world.

While the GDPR can escalate to those high levels of fines, it will start with a warning, then a reprimand, and then a suspension of data processing.

And only if you continue to violate the law will the large fines hit.

GDPR Fines and Penalties

The EU isn’t some evil government out to get you. Its goal is to protect innocent consumers from reckless data handling that could result in a breach of their privacy.

In our opinion, the maximum fine is largely intended to get the attention of large companies like Facebook and Google so that this regulation is NOT ignored. Furthermore, this encourages companies to actually put more emphasis on protecting people’s rights.

Once you understand what is required by the GDPR and the spirit of the law, then you will realize that none of this is too crazy.

We will also share tools and tips to make your WordPress site GDPR-compliant.

What Is Required of Website Owners Under the GDPR?

The goal of GDPR is to protect users’ personally identifying information (PII) and hold businesses to a higher standard when it comes to how they collect, store, and use this data.

This personal data includes your users’ names, email addresses, physical addresses, IP addresses, health information, income, and more.

GDPR Personal Data

While the GDPR regulation is 200 pages long, here are the most important pillars that you need to know:

You Must Gain Explicit Consent to Collect Personal Information

If you are collecting personal data from an EU resident, you must obtain explicit, specific, and unambiguous consent or permission.

In other words, you can’t just send unsolicited emails to someone who gave you their business card or filled out your website contact form. This is spam. Instead, you must allow them to opt-in to your marketing newsletter.

For it to be considered explicit consent, you must require a positive opt-in. The checkbox must not be ticked by default, must contain clear wording (no legalese), and must be separate from other terms and conditions.

Your Users Have a Right to Their Personal Data

You must inform individuals where, why, and how their data is processed and stored.

An individual has the right to download their personal data and the right to be forgotten.

This means they have a right to demand that you delete their personal data. When a user clicks an unsubscribe link or asks you to delete their profile, you actually need to do that.

You Must Provide Prompt Data Breach Notifications

Organizations must report certain types of data breaches to relevant authorities within 72 hours unless the breach is considered harmless and poses no risk to individual data.

However, if a breach is high-risk, then the company must also inform individuals who are impacted right away.

This will hopefully prevent cover-ups like Yahoo that were not revealed until the acquisition.

You May Need to Appoint a Data Protection Officer

If you are a public company or process large amounts of personal information, then you must appoint a data protection officer.

This is not required for small businesses. Consult an attorney if you are in doubt.

GDPR Data Protection Officer

Plain English Summary of What’s Required

To put it in plain English, the GDPR ensures that businesses can’t spam people by sending them emails they didn’t ask for. Businesses also can’t sell people’s data without their explicit consent.

Businesses have to delete users’ accounts and unsubscribe them from email lists when asked. Businesses also have to report data breaches and overall be better about data protection.

Sounds pretty good, at least in theory.

But you are probably wondering what you need to do to make sure that your WordPress site is GDPR-compliant.

Well, that really depends on your specific website (more on this later).

Let us start by answering the biggest question that we’ve gotten from users:

Is WordPress GDPR Compliant?

Yes, the WordPress core software has been GDPR-compliant since WordPress 4.9.6, which was released on May 17, 2018. Several GDPR enhancements were added to achieve this.

It’s important to note that when we talk about WordPress, we are talking about self-hosted This is different from, and you can learn the difference in our guide on vs.

Having said that, due to the dynamic nature of websites, no single platform, plugin, or solution can offer 100% GDPR compliance. The GDPR compliance process will vary based on the type of website you have, what data you store, and how you process data on your site.

Ok, so you might be thinking, what does this mean in plain English?

Well, by default, WordPress comes with the following GDPR enhancement tools:

Comments Consent Checkbox

Before May 2018, WordPress would store the commenter’s name, email, and website as a cookie on the user’s browser by default. This made it easier for users to leave comments on their favorite blogs because those fields were pre-filled.

Due to the GDPR’s consent requirement, WordPress has added a consent checkbox to the comment form.

WordPress Comments Opt-in for GDPR

The user can leave a comment without checking this box. However, they will have to manually enter their name, email, and website every time they do so.

Tip: Make sure that you are logged out when testing to see if the checkbox is there.

If the checkbox is still not showing, then your theme is likely overriding the default WordPress comment form. Here’s a step-by-step guide on how to add a GDPR comment privacy checkbox in your WordPress theme.

Personal Data Export and Erase Features

WordPress offers site owners the tools they need to comply with the GDPR’s data handling requirements and honor users’ requests for exporting personal data as well as removal of users’ personal data.

WordPress Data Handling - GDPR

The data handling features can be found under the Tools menu inside WordPress admin. From here, you can go to Export Personal Data or Erase Personal Data.

Privacy Policy Generator

WordPress comes with a built-in privacy policy generator. It has a pre-made privacy policy template and offers you guidance on what else to add. This helps you be more transparent with users in terms of what data you store and how you handle their data.

WordPress Privacy Policy Generator for GDPR

You can learn more in our guide on how to create a privacy policy in WordPress.

These three features are enough to make a default WordPress blog GDPR-compliant. However, your website will likely have additional areas that will also need to be in compliance.

Additional Areas on Your Website to Check for GDPR Compliance

As a website owner, you might be using various WordPress plugins that store or process data, and these can affect your GDPR compliance. Common examples include:

Depending on which WordPress plugins you are using on your website, you will need to act accordingly to make sure that your website is GDPR compliant.

A lot of the best WordPress plugins have added GDPR enhancement features. Let’s take a look at some of the common areas that you will need to address.

Google Analytics

Like most website owners, you are likely using Google Analytics to get website stats. This means that you might be collecting or tracking personal data like IP addresses, user IDs, cookies, and other data for behavior profiling.

To be GDPR compliant, you need to do one of the following:

  1. Anonymize the data before storage and processing begins.
  2. Add an overlay that gives notice of cookies and asks users for consent prior to tracking.

Both of these are fairly difficult to do if you are just pasting Google Analytics code manually on your site. However, if you are using MonsterInsights, the most popular Google Analytics plugin for WordPress, then you are in luck.

They have released an EU compliance addon that helps automate the above process.

MonsterInsights EU Compliance Addon

MonsterInsights also has a very good blog post talking about about the GDPR and Google Analytics. This is a must-read if you are using Google Analytics on your site.

Contact Forms

If you are using a contact form in WordPress, then you may need to add extra transparency measures. This is especially true if you are storing the form entries or using the data for marketing purposes.

Here are some things to consider when making your WordPress forms GDPR-compliant:

  • Get explicit consent from users to store their information.
  • Get explicit consent from users if you are planning to use their data for marketing purposes, such as adding them to your email list.
  • Disable cookies, user-agent, and IP tracking for forms.
  • Comply with data deletion requests.
  • If you are using a SaaS form solution, make sure you have a data processing agreement with your form providers.

The good news is that you don’t need to organize a data processing agreement if you are using a WordPress plugin like WPForms, Gravity Forms, or Ninja Forms.

These plugins store your form entries in your WordPress database, so to stay GDPR compliant, you just need to add a consent checkbox with a clear explanation.

WPForms, the contact form plugin we use on WPBeginner, has several GDPR enhancements to make it easy for you to add a GDPR consent field, disable user cookies, disable user IP collection, and disable entries with a single click.

GDPR Form Fields in WPForms

You can see our step-by-step guide on how to create GDPR-compliant forms in WordPress.

Email Marketing Opt-in Forms

Similar to contact forms, if you have any email marketing opt-in forms like popups, floating bars, inline forms, and others, then you need to make sure that you get explicit consent from users before adding them to your list.

This can be done by either:

  1. Add a checkbox that the user has to click before opt-in.
  2. Simply require double-optin to your email list.

Top lead-generation solutions like OptinMonster have added GDPR consent checkboxes and other necessary features to help you make your email opt-in forms compliant.

You can read more about GDPR strategies for marketers on the OptinMonster blog.

eCommerce and WooCommerce Stores

If you are using WooCommerce, the most popular eCommerce plugin for WordPress, then you need to make sure your website is in compliance with the GDPR.

Luckily, the MonsterInsights team has prepared an in-depth guide on how to make a WooCommerce store GDPR compliant.

Retargeting Ads

If your website is running retargeting pixels or retargeting ads, then you will need to get the user’s consent.

You can do this by using a plugin like Cookie Notice. You can find detailed instructions in our guide on how to add a cookies popup in WordPress for GDPR/CCPA.

Google Fonts

Google Fonts are a great way to customize the typography on your WordPress website.

However, Google Fonts has been found to violate GDPR regulations. That’s because Google logs your visitor’s IP address each time a font is loaded.

Luckily, there are a few ways to handle this so your website is GDPR-compliant. For example, you can load your fonts locally, replace Google Fonts with another option, or disable them.

You can learn how in our guide on how to make Google Fonts privacy-friendly.

Best WordPress Plugins for GDPR Compliance

There are several WordPress plugins that can help you automate some parts of GDPR compliance.

However, no plugin can offer 100% compliance due to the dynamic nature of websites.

Beware of any WordPress plugin that claims to offer 100% GDPR compliance. They likely don’t know what they are talking about, and it’s best for you to avoid them completely.

Below is our list of recommended plugins for GDPR compliance:

  • If you use Google Analytics, then we recommend you use MonsterInsights and enable their EU compliance addon.
  • WPForms is the most user-friendly WordPress contact form plugin and offers GDPR fields and other features.
  • Cookie Notice is a popular free plugin for adding an EU cookie notice, and it integrates well with top plugins like MonsterInsights and others.
  • GDPR Cookie Consent lets you create an alert bar on your site so the user can decide whether to accept or reject cookies and covers CCPA as well as GDPR.
  • WP Frontend Delete Account is a free plugin that allows users to automatically delete their profile on your site.
  • OptinMonster is advanced lead generation software that offers clever targeting features to boost conversions while being GDPR compliant.
  • PushEngage lets you send targeted push messages to visitors after they leave your site and is fully GDPR compliant.
  • Smash Balloon gives you a GDPR-compliant way to embed live feeds and show posts from Facebook, Twitter, Instagram, YouTube, TripAdvisor, and more.
  • Instead of loading the default share buttons with tracking cookies, the Shared Counts plugin loads static share buttons while displaying share counts.

You will find more options in our expert pick of the best WordPress GDPR plugins to improve compliance.

We will continue to monitor the plugin ecosystem to see if any other WordPress plugin stands out and offers substantial GDPR compliance features.

Final Thoughts

The GDPR has been in effect since May 2018.

Perhaps you have had your WordPress website for a while and have been working towards GDPR compliance. Or you may be just starting out with a new website.

Either way, there is no need for panic. Just continue to work towards compliance and get it done ASAP.

You may be concerned about the large fines. Remember that the risk of being fined is minimal. The European Union’s website states that first, you’ll get a warning, then a reprimand, and fines are the last step if you fail to comply and knowingly ignore the law.

Remember that the EU is not out to get you. They are doing this to protect user data and restore people’s trust in online businesses.

As the world goes digital, we need these standards. With the recent data breaches of large companies, it’s important that these standards are adapted globally.

It will be good for all involved. These new rules will help boost consumer confidence and, in turn, help grow your business.

We hope this tutorial helped you learn how to become GDPR-compliant on your WordPress blog. You might also like to see our expert guides on how to make your website GDPR-compliant.

Expert Guides on Making Your WordPress Site GDPR-Compliant

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

Legal Disclaimer

We are not lawyers, and nothing on this website should be considered legal advice. Due to the dynamic nature of websites, no single plugin or platform can offer 100% legal compliance.

When in doubt, it’s best to consult a specialist internet law attorney to determine if you are in compliance with all applicable laws for your jurisdictions and your use cases.

Additional Resources

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

Disclosure: Our content is reader-supported. This means if you click on some of our links, then we may earn a commission. See how WPBeginner is funded, why it matters, and how you can support us. Here's our editorial process.

Editorial Staff

Editorial Staff at WPBeginner is a team of WordPress experts led by Syed Balkhi with over 16 years of experience in WordPress, Web Hosting, eCommerce, SEO, and Marketing. Started in 2009, WPBeginner is now the largest free WordPress resource site in the industry and is often referred to as the Wikipedia for WordPress.

The Ultimate WordPress Toolkit

Get FREE access to our toolkit - a collection of WordPress related products and resources that every professional should have!

Reader Interactions

199 CommentsLeave a Reply

  1. Syed Balkhi says

    Hey WPBeginner readers,
    Did you know you can win exciting prizes by commenting on WPBeginner?
    Every month, our top blog commenters will win HUGE rewards, including premium WordPress plugin licenses and cash prizes.
    You can get more details about the contest from here.
    Start sharing your thoughts below to stand a chance to win!

  2. Teresa Cuervo says

    I use Jetpack plugin for my contact form and stats (among others) How to make their contact form compliant?

  3. Dan says

    One thing that people don’t seem to be discussing is the comment section. Right here, in this very form, you just asked me for my email address, as does every standard WP comment form. But nowhere are you telling me what this email address will be used for. You aren’t using it for follow up because I’m not going to subscribe to that option.

    The default WP comment behaviour is just to ask for people’s email address but with no particular purpose, which also goes against GDPR, right? You have to have a purpose to ask for someone’s data now.

    This seems so obvious that I wonder what I’m missing. They clearly thought about comments and added that new cookie comment check-box, so why is nothing mentioned about the email address collection in the first place?

  4. Faizan says

    Thelanguage you use o explain this GDPR issue,is tremendously unique. ALL in one solution for small projects like mine. From this I get to know completely about GDPR and Now I can analyze where i have to improve.

  5. Rahadian says

    Wonderful guide, I thought this compliance is not affecting me, although I wonder what is this “GDPR compliance” people talking about, and this article provide me with clear explanation. Now I know I should update my website and must follow this compliance. Thank you for sharing this information.

  6. Q says

    Thank you for a very detailed explanation AND most of all for curbing panic. I can look at decent solutions and implement GDPR compliance on my website with ease now that I know what it entails.

  7. Himadri Saha says

    Hi, Thanks for your nice, clear and explanatory article. I am using Sumome to generate my subscriber base. Do you have any idea whether this is GDPR compliant?

  8. Aliyy Oke says

    What a succinct and we’ll informative article. This article has quite enlightenment effect on understanding what GDPR is. Until now I never knew that this law is just going to be taking its effect from 25th of May and there has been a lot buzzes and news of it here and there for a long time now. Thank you for the wonderful post.

  9. Waqas says

    I run a cybersecurity news website and I have never collected anything from any visitor other than email for sending readers notifications about new news articles.

    Do I have to go through all this headache as well? Also, do we have to show GDPR compliance popup to visitors like we do with cookie consent popup?

    Thanks for the great article.

  10. Gary Sonnenberg says

    I think you’re going to get a lot of hits on this article. :)

    I agree with others that it’s the best one out there so far. Thanks!

  11. Jeff Coombs says

    How would I know – or – what can I do on my WordPress site to make sure there are no cookies being used so I don’t have to have the cookie warning or any other policy (GDPR etc) to worry about?
    (I just have a few “how-to” guides on there, nothing else – no comments etc or any contact boxes etc).
    * Thank you for taking the time to create this GDPR post – greatly appreciated!

  12. Cheryl Harrison says

    Other sources say that GDPR applies only to people/company in the EU, NOT to EU citizens who happen to be in the US.

    We have enabled country blocking so our site is simply not available anywhere but the US and Canada.

    Is it your (non-legal) opinion that we therefore do not need to comply?

  13. glenda taylor says

    I have used WP Simple Membership Plug in on my website. What do I need to do to update the forms there?

  14. rodrigo says

    Congratulations for a very informative and well explained article. A very good starting point for further reading.

  15. Tamara says

    Thank you for this :)

    About the plugins you recommend, so you recommend downloading ALL OF THEM right? :)

    Thank you :)


  16. Carolyn Astfalk says

    This is a very helpful article. I’d previously addressed all of these issues in the fashion you recommend, but there is one thing I cannot find an answer to despite searching and posting in multiple places:

    What about WP blog subscriptions? Nothing in the WP or JetPack updates that I can find provides that check box of consent for blog subscribers. Don’t those email and WP subscriptions require consent too?

  17. Dan says

    This is a good resources as well,
    Quoting below –
    What effect could the GDPR have on small businesses?
    For the purposes of the GDPR, a small business is classified as one with fewer than 250 employees. Any business with more than 250 employees is required to comply with the GDPR and is required to nominate a Data Protection Officer (DPO).

    Businesses with fewer than 250 employees are required to comply with the GDPR if their data processing could affect the rights and freedoms of individuals, if they process personal data on a regular basis, or if they process data which is covered by Article 9 of the GDPR, which includes sensitive data such as that relating to religious beliefs. If any of these apply to a small business, it needs to ensure that it complies with all aspects of the GDPR.

  18. Dan says

    You are omitting the part of GDPR that gives exemptions to companies with less than 200 employees. At least I didn’t see any mention of it.

    • Editorial Staff says

      I believe that part is specific to requiring a Data Protection Officer. However I do agree that risk of penalty is lower for smaller businesses, but it doesn’t mean that they shouldn’t do their best to comply.



  19. Brian77 says

    WordPress 4.9.6 is not GDPR-compliant, not at all, sorry. Core-content in backend available to all user roles including subscriber is hosted on third party servers without information and/or consent. User IPs are stored in database without notice, just look for session_token. User IPs are stored for comments. User email is used in filename for GDPR data export. Exported meta fields from user profile are hardcoded, export will be incomplete in most cases. And there are a lot of of bugs like privacy policy page can not be edited by editors, your clients need full admin access to edit that page now, good luck with that.

  20. Wayne Rose says

    What a great article, the first bit of sense i have read about the mysterious GDPR, I found that this was informative to start off with and also helpful with advising on plug-ins to add to my website to help make it compliant.
    Thank you very much, i can now breathe a sigh of relief!

  21. Dawson Johnson says

    Amazing article, thanks so much.

    A few questions:

    — With regard to MonsterInsights, is the “anonymize IP” feature in the free version sufficient for GDPR compliance with regard to Google Analytics? Or is there critical functionality associated with the paid version (and EU Compliance Addon)?

    — I’m a bit concerned about third-party ads (via networks like Taboola, RevContent, etc). What exactly is and isn’t required of publishers given that we in no way control or process the data that they collect / cookies they store?

    — With regard to Cookie Plugins, are there any that A) actually block third-party cookies on your site based on a lack of consent or opt-out and B) can be geotargeted to EU users?

    I’m a US based publisher, so I don’t want to show opt-out messages (and risk losing track / ad dollars) to visitors who are outside Europe.

    • WPBeginner Support says

      Hi Dawson,

      Please see MonsterInsights’ blog post for more details.

      You will need to reach out to each network, and most likely they will already have documentation on how to prepare for GDPR compliance.

      As for cookie plugins, surely there will be more plugins coming out to address different requirements.


  22. stefan says


    Not identifying people that post on your blog can be dangerous for many sites. If someone threatens to sue you and you have insurance, I think you need to inform about it and be able to identify the person so that you can protect yourself against legal claims. As a result, you can’t ask for consent because if you do, the person have to right to be forgotten. So, I am using legitimate interest. By the way, I think the privacy policy offers by WordPress is missing some GDRP requirements such as the identification of the legal basis for each processing.

  23. Stephanie Markou says

    By far one of the best articles on GDPR compliance when it comes to plugins and websites. Do you have any examples of privacy policies that show data categories and GDPR compliant terms that would cover plugins in general (in lieu of listing every single plugin used on a website). Thank you!

  24. Elvis Nyamekye says

    Hi, I just wanted to say thanks for writing this article. Didn’t really understand this GPDR Update until today. Thanks so much.

  25. Eleni says

    Hello, thanks for all these information but I do have one last question. My blog is personal, which means I do not give analytics or data to no-one, or I don’t have advertises.

    Do I still have the obligation to obey to the new regulations?

    Thanks in advance

    • Editorial Staff says

      Hi Eleni,

      According to the regulation, yes if you have a website (personal or business or anything else) you would still have to comply. You can wait and see how they enforce it on small personal blogs since there is no precedent of that yet, but if all you have to do is anonymize IP addresses on your analytics, then it’s not that big of a deal :)


      • Trish says

        Thanks for the great article. I’m using your Insert Headers and Footers plug-in, how do I anonymize IP addresses on that?

        • Editorial Staff says

          That plugin only offers you the ability to add scripts. It does not have functionality like anonymizing IPs because that’s specific to individual scripts that you might be loading.

  26. Andrei says

    Hi guys,

    First of all thank you for this great article.

    I have a question regarding the export personal data tool.
    If my understanding is correct, a user can access his personal data by contacting the admin and waiting for an email response. I may be wrong, but it’s not a very user-friendly approach. And it also puts a big load on the admin if working with a big user database.

    Is there a way to make this process automatically? Maybe a plugin that automatically exports & downloads the user, instead of having the admin do it manually?


  27. Peter Derek says

    Thank you for your informative article which I will read more thoroughly. However, I am obliged at this point to mention an issue which has caught my eye. You make mention of ‘EU citizens’ and ‘EU resident’ which are incorrect terms. No one can be legally resident in the EU as such, but only in their respective countries. The EU is not a country, but a bureaucracy which is basically an economic entity that enables free trade among its separate member states and has its own regulations to which member states are subject. The countries of Europe are situated in a landmass geographically, but each have their own identity and culture. Therefore it would be more accurate to refer to the GDPR in terms of relevance to member countries.

    • Editorial Staff says

      Hi Peter,

      I am glad you found the article helpful. My goal with this article is to break down things to it’s simplest level. While the distinction exists on local levels, from the sake of this article any long-term resident of an EU member nation is considered an EU resident.

      The law is being passed by EU as a whole with signatures from each member nation.


  28. Agnes says

    Thanks for the detailed info? Beyond the legal stuff, practical help and tools to make it possible are very needed here.

  29. Che says

    Hi, Can we write our own privacy policy or do we need a lawyer?

    Also, can we copy the privacy policy of another site (certain sentences)?

    • Editorial Staff says

      Hi Che,

      You can most definitely use the default WordPress privacy policy through the generator in 4.9.6. Just make sure you add everything that you’re collecting because there’s no such thing as one-size fits all.


  30. Sieglinde says

    I am still confused. My website has a Add To Cart button but the shopping cart is at PayPal, not on my computer, they advise me when I have an order by email so I can ship to the name and address given the item ordered. I have not heard boo from PayPal about these regulations. I don’t store anything other than the name of the buyer and the ship-to address given to me.
    If people sign up for my blog to “follow”, all I have is their email address and actually am personally never in touch with them. So what do I need to do?

    • Editorial Staff says

      Hey there,

      You would need to update your privacy policy and add what information you store. Add a cookies notice on your blog if you’re adding cookies on the user’s browser and that’s about it.


  31. Mark Corder says

    According to this (very helpful!) article, WP 4.9.6 now has Comments Consent by default. I’m always running the latest version (and I do have the new Privacy setting) but I don’t see this showing on my Comment forms, nor do I see a way to turn it on. I am running a “subscribe” plugin (Subscribe to Comments Reloaded) and this is all I see. Could this be blocking it? Otherwise, how do I activate this feature?

      • Mark Corder says

        Yes – I’ve logged-out, cleared both the WP cache and the browser’s, forced refreshes, tried different browsers … everything I can think of. I installed a clean version of WP 4.9.6 on a test server with NO plugins, and I can see it there – but not on any of the live sites I manage.

        I’m still trying things … If I discover the problem, I’ll let you know. In the meantime, anyone have any ideas?

      • Mark Corder says

        OK, after a lot of reading and digging through the WP files, this seems to be a problem with some themes. As of WP 4.9.6, a “$cookies_consent” parameter was added, and while virtually all themes will have their own Comments Forms, many of them will not make use of this parameter – hence the fact that it doesn’t show up. For more information on what’s happening here (and needs to happen), see this article at : .

        While this explains the problem and offers a way to fix it, I’m afraid this level of hacking to include a new parameter in the array may be beyond the average person that WPBeginner is focused on… So what to do?

        * Contact your theme’s author and ask if they plan to update their theme to include this parameter … and best of luck to you.

        * Switch to a theme that’s GDPR compliant and will show this checkbox option on the Comments Form. (The “bundled” WP themes like Twenty Seventeen and such have all been updated to show it.)

        I predict that in the future you’re going to get a lot of questions about this very issue – you may even want to write a dedicated article about it!

        And while I’m waiting to hear back from a couple of theme developers, I plan to roll up my sleeves and try adding this parameter myself. (Said the fearless code-hacker – who uses child-themes and backs everything up first!)

        I hope this helps explain why this feature is probably not showing up for lots of others … and keep up the great work, folks!

      • Marge says

        The comment consent box isn’t showing up for me, either. I’m logged out and using an incognito browser. I have seen others say the same thing in another forum.

    • Maria Spyrou says

      Hi! It seems I have the same problem here! I’m running WordPress 4.9.6 and there is no consent checkbox for Comments. It goes without saying that I wasn’t logged in when I checked. Any ideas?

  32. Laura Weed says

    And what do we do about blogs? I wrote a privacy policy and I enabled the cookies notice, even though it does not go away when you click accept and close.

    You also forgot Article 21. If your website is accessible and collects data from EU citizens, but you are not located in the EU, you are required to have a representative that IS located in the EU in case a local supervising authority needs to get hold of you. This is mandatory.

    • Editorial Staff says

      Hi Laura,

      Data protection officer is not mandatory. You can review the infographic that we linked to in additional resources section of this article which is by the European Union themselves.

      This is what it says in regards to a Data Protection Officer:

      “This is not always obligatory. It depends on the type and amount of data you collect, whether processing is your main business and if you do it on a large scale.”

      I’m certain more services will come out and offer representative services at scale for affordable prices.


  33. Karin says

    This is good news .. unless I’m missing something loll
    Guess this means that WP will stop sharing our IP’s addresses every time we comment – was not crazy about that .. Wish I knew that before to ensure my VPN’s always active loll But I was a newbie n guess I missed it ;)
    All good. I love WP, I love blogging there; been meeting some really great people. Thanks ;)

  34. Mike C says

    “around the world (not just in the European Union).”

    Please, I’d like to know the source of this information. EU laws do not, and can not apply to US citizens. As I understand, GDPR will only apply to multi national corporations, i.e. ones that have some business unit(s) registered in the EU. Please cite the US statute that states GDPR regulations apply to US citizens operating a business out of the USA. I’ve not been able to find one, and no one has been able to point me to one as of yet. I think all this fear mongering is just plain wrong. EU regulations apply in the EU and US regulations apply in the US. The US has its own privacy related laws. Please advise?

    • Editorial Staff says

      Hi Mike,

      By doing business online and making your website available to the entire world, you expose yourself to the jurisdiction of each state and country. It is a quite common argument that EU laws like GDPR does not apply here in US. That’s actually not true. We just haven’t seen them strictly enforced on companies outside of EU (or large multi-national corporation). This does not mean that it can’t happen.

      A foreign government or entity can bring a legal case against you (for any reason), win in their respective jurisdiction and file for a motion in your local jurisdiction for a judgement claim. As you can imagine, the cost of doing this is very high, and this is why it doesn’t happen often.

      However saying it can’t happen would be a mistake.

      Again I’m no lawyer, and as I stated in the article above, people won’t get fined right away. You’ll get a warning first, then reprimand, and then fine. A lot of fear mongering is being done around fines right now, and I wanted to clarify that here in this article.



      • Neghie Thervil says

        Since you’re not a lawyer, maybe it’s best not to give this kind of advice. There is a lot of misinformation in your comment and is the kind of info that causes widespread unnecessary panic.

      • Barbara Holtzman says

        As the “EU” launched two massive lawsuits against Alphabet (Google and Android) and Facebook as soon as the law went into effect, it’s pretty clear this law was and is a thinly veiled ruse to “get” those two companies.

        As a one to sometimes three-person shop, with a company that rarely grosses over $1k (although I’m hoping to crank it up to $10k over time), the EU can have a fun go at me for the couple bucks in fines they might get.

        More likely I’ll just block all non-US IP addresses [Israel can stay too, the EU will never let them in], and refuse to communicate or do any business with anyone in the EU. Since most of the research I do is US based anyway, and academic research at that, most likely no one will care.

        I’ve always had a double-opt-in, don’t share any info with anyone policy, and my data is double anonymized with a proprietary algorithm. I don’t mind adding all the cookie and privacy warnings and such, so I’m probably in compliance anyway. But I don’t like the EU telling the rest of the world what it can and can’t do by fiat.

        I hope Google and Facebook pull out of the EU along with me. Watching that and the fallout afterward will really be a hoot.

  35. Christine Robinson says

    What are the rules for a non-hosted website? Only used for personal posts, not marketing anything. But I do have worldwide followers. Noticed you addressed only. Thank you!

    • Editorial Staff says

      Hi Christine, everything we do on WPBeginner is focused for helping self-hosted users.

      I’d recommend reaching out to team to see what they’re doing about GDPR for their hosted sites.



  36. Vatsala Shukla says

    Thanks for the simple plain English post. I’ve shared it forward in a Facebook Group where one of the Group members had concerns about GDPR. Thank you for validating my understanding about GDPR and what we need to do for compliance without overwhelm.

  37. Christos says


    I’ve been using the free version for a while and could not be happier.

    However, with regards to the GDRP integration, is that available only with a payment plan?

    Thank you for a great plug-in! (Already a subscriber and happy to remain one)


    • Editorial Staff says

      Hi Christos, which plugin are you talking about?

      For MonsterInsights, the EU compliance addon is available on paid plans only. For WPForms, it has enhancements for both Lite and Pro users (depending on individual needs).


  38. Carole says

    Our website is for our organization and informational in nature. We don’t sell anything or have a blog. Do I still need to be GDPR compliant?

  39. Vidya SUry says

    That’s a concise guide. Jetpack offers the cookie banner with a cookie policy. Today there was a pop up on the dashboard announcing help with the WP Privacy Policy–helping to populate the Privacy Policy subheadings.

    My question is: why would one need a GDPR plug in when WP’s tools are available?

    Also, how does the export/erase data work? From where do website visitors request that info?

    Thanks Syed

    • Editorial Staff says

      Not everyone will need third-party GDPR plugins. It will depend on the type of site you have and your needs. If you’re using Google Analytics, then you would need the MonsterInsights EU compliance addon that either anonymizes IP address or integrates with a cookie notices plugin.

      Adding an email in your privacy policy that a visitor can use to email you to request data export / erasure would work sufficiently. Alternatively, you can use a form plugin like WPForms to create a form on your site for that.


  40. Fernando Tellado says


    Sorry but WordPress isn’t GDPR compliant because it lacks of the first layer of information that must be agreed by the user. Las version of WordPress only doesn’t save the cookie but doesn’t have a place where to inform to the user that his name, IP, email, etc are going to be saved to the database, and doesn’t have the (not checked) checkbox to agree to this personal data storing.

    Curiously, WooCommerce’s next version will include this type of feature in the new Privacy & Accounts tab.


    • Editorial Staff says

      Let’s see if WordPress adds that. I am not a lawyer, but in my opinion this can be addressed in the privacy policy. When the user submits the comment, they understand this information is being stored. However if you want to use their information for something other than just displaying comment (i.e sending a comment notification, email newsletters, etc) then you have to get additional consent.

      I also expect a lot more plugins to come out to solve GDPR related issues :)


  41. Alison Rayner says

    Thank you for producing an easy to understand and follow article on GDPR – the first time I’ve come across something that’s relevant and cuts through all the jargon!

  42. Pat Sonnenstuhl says

    I do not do financial transaction, nor store any information on my websites. I do charge any money for my sites. will i still need to go thru these costly hoops ?

  43. Farukh says

    Thank you so much for posting this article. I was waiting from many days to listen your thoughts on GDPR. It is helpful and specially simple english. Thank you so much for helping on this matter.

  44. Julie Strietelmeier says

    I’d like to know what to do about Amazon affiliate links. How do we become compliant with them? I’ve tried to ask Amazon but they will not provide any advice.

    • Editorial Staff says

      Depending on who you ask, you will get differing opinions. Some will say because the referral cookies don’t get added on your site, you don’t have to do anything regarding affiliate links (it’s the merchant’s responsibility).

      Others will recommend to use a cookie notice on your site and add Affiliate Links section in your privacy policy.


      • Julie Strietelmeier says

        I’ve been trying to find someone’s privacy policy where they mention affiliate links from Amazon and others like Skimlinks but haven’t been successful yet. Do you know of one that I can “borrow”?

      • Christos says

        That actually makes sense – cookie disclaimer and affiliate notice. I use an affiliate notice in the base footer of my site and a cookie consent.

        As long as we are transparent with all that we do there can be no comebacks – theoretically!!!


  45. Dave Soucy says

    Nicely done. I’ll be sending my clients to read this instead of re-inventing the wheel and writing my own version.

  46. Kichtrickster says

    Thanks for the article, great points! I honestly feel ready, but still feel like after a few days I’ll find out some stuff that will be totaly new for me. for example here they say that you even need consent to see and save their IP information and such, and so much more. So I mean they disagree with cookie policy? Too bad then, can’t follow ’em anymore. Tough luck really.

    • Editorial Staff says

      Yes you do need their consent to store IP information. That’s why in our guide we recommend that you anonymize IP for Google Analytics and use Cookie Notice or similar solution to get permission.


Leave a Reply to Editorial Staff Cancel reply

Thanks for choosing to leave a comment. Please keep in mind that all comments are moderated according to our comment policy, and your email address will NOT be published. Please Do NOT use keywords in the name field. Let's have a personal and meaningful conversation.