How to Make Your WordPress Website GDPR Compliant

What is the GDPR? - A blog post by Acacia CarrYou may have received emails from all different kinds of companies over the last few months with “GDPR” being the main theme. If you are a WordPress site owner, you may be wondering if and how the GDPR applies to you and your site visitors.

GDPR, or General Data Protection Regulation, is a new set of regulations set by the European Union (EU) which took effect May 25th, 2018. Though the GDPR was actually introduced in 2016, it only became enforceable as of May this year. The GDPR regulates how websites interact with website visitors, and how we as site owners handle user data.


While this new set of regulations was implemented by the EU, as an Internet citizen I recognize that I am a global citizen and I have chosen to align my Privacy Policy with the GDPR, the new International standard in website data protection. All major websites in the US and abroad are following suit as well.

Any website which processes the personal data of an EU resident is subject to these new privacy requirements, no matter where in the world the website is based.

Sites found in violation of GDPR are technically at risk of a fine equal to 4% (in Euros) of the website owner’s annual income though how these fines might be rolled out is still in the early stages.

GDPR states that website owners must have policies and methods in place that facilitate the provision of the website user a copy of their own data when required. The new regulations also state that site visitors must be notified of a breach in site security that affects the client’s data within 72 hours of the event.

If you are a WordPress website owner, it is best to make your website GDPR compliant because all websites are global by definition. This way, you align yourself with the best standards in global security and data protection.

Essentially, the GDPR provides:
– Information about how a website uses cookies and other tracking technologies
– A clear outline of how the site owner works with third party vendors
– A description of the type of information stored on the website server
– The site visitor’s rights in regard to their data
– A site’s security protocol in the event of a data breach

For some, the rollout of GDPR may seem intimidating. Just how does one make a WordPress website GDPR compliant?

Follow these guidelines to ensure your website meets the requirements for world class security and data protection.

Develop your Privacy Page

If you don’t already have a Privacy Policy page on your site, this is the first place to start. Even if you do have a Privacy Policy, you will need to review it to make sure it meets the specific requirements of GDPR. The focus of the GDPR is both to help educate and protect consumers and website owners alike regarding their data rights and obligations.

Your final Privacy Policy page should contain the following:

Personal data is any data regarding you that could help someone to identify you. It is individual information pertaining to you, and it is not anonymous.

Anonymous data is any data where the identity has been removed from the statistical data, and could not help to identify an individual.

Your website may collect personal data in the form of PayPal payments, Newsletter signups via email or via Blog comment and site membership. Even if you have no members logging into the back end of your site, if you engage with the public at all on your website, a certain level of data is being collected.

Helping your site visitors understand the difference between personal and anonymous data is key. Include your data collection and storage policy as well.

This would include contact forms, comments, ecommerce transactions, event bookings and similar user generated content (data) submissions.

This would be from Google Analytics, Jetpack, ad tracking programs, or similar site tracking software.

This is where you break down what information you keep and how you store it.

I don’t use ads on my site but I do webmaster for some websites that serve ads. If you run ads, you must disclose this fact and also how the data gathered and stored by the ad software will be used.

There are several reasons that you may legitimately use the data gathered on your website in the normal course of business, with the consent of the site visitor which is considered to be the acceptance of the site’s Privacy Policy.

– To complete an order and maintain a record of sales for tax and accounting purposes
– For fraud investigation in compliance with the law
– To comply with a law or regulation such as the GDPR
– To enhance your the site visitor experience
– To complete contractual obligations (like delivering a Newsletter or providing a product)

Cookies are little pieces of code stored in your browser to help speed up site visits. Consider using a Cookies consent form on your website to subtly notify your site visitors of your Privacy Policy. Don’t turn on a full screen cookie message, just a small element in the footer will be sufficient as per most default cookie acceptance plugin settings.

As a website owner or webmaster, your site may share personal data with the following types of third parties:
– Technology service providers (i.e. webhost)
– As part of a business transfer of ownership
– As required by law

I select third parties to work with who adhere to the laws and best practices of the Internet. Any information shared on site by the site visitor may not be used for any purpose other than the stated upon website related purpose.

If you use PayPal, Stripe, Square, Merchant Services or any other payment vendor to process payments made for products and services via the website, you need to disclose the vendor’s name in the Privacy Policy. How you work this section will depend on whether the site visitor’s checkout experience is completed on your server or their server or both. Very likely, you will store a copy of basic checkout information in your WordPress ecommerce Plugin.

If you have not thought about or developed a website security protocol, now is the time. It should include what your response would be in the face of a security event and what steps you take to prevent security events from taking place.

If you do link to 3rd parties, make sure you state that you are not responsible for any content or software served by the third party linked to.

You can use the information legally collected on your website to fulfill any legal, accounting, or reporting requirements.

Any transactions resulting in a purchase mean that the website owner as a US tax payer must store this information for 7 years for tax and legal record keeping purposes.

There are a few examples of when a user may request removal of their data from your site. For example, when you unsubscribe from my Newsletter, you may then contact me and ask me to delete your subscriber information including email and name. Your anonymous aggregate data will remain, as it is not legally protected data.

In the case of desired data deletion, the site visitor must specifically contact the website owner and be able to demonstrate reasonable need for deletion that does not conflict with any current law or regulation pertaining to the website and as set forth in this Privacy Policy.

Anonymous data may be used in perpetuity for the purposes of continuing to improve your website for the enjoyment of your site visitors.

As part of the GDPR, site users now have the right to request a copy of their data from the site owner under the following circumstances:

Provide your email or a link to your site’s Contact page so that your site visitors can get in touch with you if they have questions about your Privacy Policy or if they need to exercise their GDPR rights.

You will need to update your Privacy Policy as the web and it’s laws and regulations continue to evolve. If you make changes to your Privacy Policy, it is best practice to notify your site’s subscribers via email and to make a note of the revision and it’s date in the Privacy Policy page itself.

Make sure your Privacy Policy includes any Plugins that gather data and an explanation of how that data might be stored or used.

Set Your Privacy Page in WordPress

Once you have created your Privacy Policy as a WordPress page and Published it, navigate to Tools > Privacy in your WordPress Dashboard to activate your new Privacy Policy page. This tells WordPress which page is your preferred Privacy Policy.

The WordPress Privacy area is where you can download a copy of the User’s data for emailing upon appropriate user data pull request.

Install an SSL Certificate

Though not a requirement of GDPR per se, installing a Secure Sockets Layer adds a layer of encrypted protection to your website which improves your site security. An active SSL is now required by Google for any website with a backend such as WordPress. Without an active and properly configured SSL, your website could receive SEO penalties and will appear with a warning in the address bar of Google Chrome.

Many webhosts will have easy options for SSL installation. If you have any trouble finding the SSL area in your webhost’s control panel, simply contact your webhost or you can contact me.

As part of the SSL installation process, you will also need to make sure that your site contains only references to https whenever a link is called or named. All of the links within your own site and the links serving your code (if you use external JavaScript or other libraries) must be https. Outbound site links that are not serving parts of your site (reference links) can be http because site visitors may experience issues with the link if the site owner you link to has not yet enabled SSL. That’s why I recommend the Force HTTPS (SSL) plugin or similar to deal with pages that have mixed security level (http and https) content.

To see the http references in your site, open any page of your site in your browser of choice. I recommend using Firefox or Chrome for development purposes. Once you have the site in the frame, single right click anywhere on the page to open up the pop up menu. Select View Page Source or similar option. Once this editor opens, run a search for http by hitting CTRL/CMND + F for http. Review all instances of http and then go into your site and correct them all to https. Refresh and reload your site, being sure to clear your cache when you do. If there are instances you cannot correct because they are coming from a plugin or offsite source, consider how you can replace that Plugin or code call with an https compliant plugin.

Keep correcting all instances possible until the lock turns green and in the locked position on the address bar next to your website’s URL address. This means your page is now SSL compliant.

This process will need to be repeated until all pages are complete. You will find that there are certain elements in your site you will fix once and they will remove issues from other pages whereas some pages may have their own specific needs.

Your Newsletter List

By law, all subscribers on your enews list must have either directly subscribed or directly have given consent for you to sign them up. If you have concerns that there are subscribers on your list that did not consent, you can send an enews subscription confirmation checkin. If you use Mailchimp or a similar provider, they already have an email template ready for you to turn into a campaign and send to your enews list. People can unsubscribe by clicking a button or do nothing and stay subscribed.

Evaluate your Plugins for Compliance

You will need to look at each and every plugin in your site and review it’s GDPR compliance policy. Make sure you are using only Plugins that are 4 stars or above in the WordPress ratings. These Plugins are more likely to be frequently updated and well supported, meaning that their developers are tuned into GDPR and other critical developments in the WordPress space.

Visit for more information and to stay updated on the GDPR.

Here’s a good article on GDPR from another resource:

If you are a WordPress website owner and have questions about the GDPR and how it affects you, feel free to reach out in the comments or contact me.

Every effort to provide full and complete information on this subject has been made. This information is offered in the spirit of education and should not be considered legal advice.

Submit a Comment

Your email address will not be published. Required fields are marked *

Pin It on Pinterest