*****Updated 23 May 2018*****

WordPress has now released version 4.9.6, which includes several things to tackle the issues surrounding GDPR.


Logged-out commenters will be given a choice on whether their name, email address and website are saved in a cookie on their browser.

Handling of Data

Once you have updated, you will see options in the dashboard under Tools – Export Personal Data / Erase Personal Data. These let you see all the data your site holds on a person and erase it if a request comes through.

Privacy Policy

The update also adds information on adding a privacy policy and guidelines for writing one.  I would still recommend using the privacy policy template linked further down this post.

You can see details of the WordPress update here.

For information about your mailing lists, please see my post here.

*****Written April 2018*****

There is A LOT of information out there on GDPR compliance, and what you need to do on your WordPress website.

Every website needs changes, and you also need to look at things beyond the site itself, such as where data is stored.

To be clear, I am not a lawyer and this is my understanding from reading all about it.  You should also fully read and understand what you need to do to make your site compliant.

The main change is that it is no longer enough to assume users are OK with you taking their data; they need to actively opt in. For example, a comments form needs a box that the user ticks (it cannot be pre-ticked) to say they are happy for you to collect their data, and this should link to a fuller privacy policy stating how you will use and store their data, and how they can get a copy of it or have it deleted if they wish.

Some ways your site might collect data are:

  • user registrations
  • comments
  • contact form entries
  • analytics and traffic log solutions
  • any other logging tools and plugins
  • security tools and plugins

Privacy Policy

Your privacy policy needs to detail a lot of information. I have used the free website privacy policy template from Net Lawman, which is GDPR compliant. You need to go through it all, make changes, add your information and delete the parts that are not relevant (e.g. payments taken).

You need to then link this clearly on your website.

Cookie Consent

Previously it was acceptable to use a passive cookie consent button or info bar on your site.  Now, if you are collecting sensitive data (this could be emails, names, addresses etc.), you need people to actively consent: they need to read the notice and click it away before using your site and before any information is collected.  In practice this means a pop-up that has to be clicked before anyone can view and use your site.

There is a full article here about cookie consent and GDPR.

So where does that leave the average WordPress user? Confused yet?

There are 2 choices:

  1. You use the ‘old-fashioned’ cookie consent notice, assuming ‘implied consent’ from users, which they can click away if they want, stating that by using the site they accept.
  2. You go full on, and use a service that blocks cookies and use of the website until a user accepts.  I am yet to see any of these implemented on any big or small sites; maybe this will change nearer the time?

But what you do need, regardless, is a cookie consent notice. You can generate one here.
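To make the difference between the two choices concrete, here is an added example of the second (opt-in) approach as a small WordPress plugin or theme `functions.php` snippet. It is not code from the post or from WordPress itself: the analytics script is only enqueued after the visitor has actively accepted, a plain form records the choice, and a "decline" is remembered too so the visitor is not asked on every page. The hooks and helper functions are real WordPress APIs; the cookie name, the `example_cookie_consent` action name and the analytics URL are placeholders.

```php
<?php
/**
 * Added example, not code from the post or from WordPress core: an opt-in cookie gate.
 * Analytics loads only after explicit acceptance; until then only the site's own
 * essential cookies exist. Cookie name, action name and script URL are assumptions.
 */

const EXAMPLE_CONSENT_COOKIE = 'example_cookie_consent'; // assumed cookie name

// Returns 'accepted', 'declined' or '' (no decision recorded yet).
function example_consent_state() {
    if ( ! isset( $_COOKIE[ EXAMPLE_CONSENT_COOKIE ] ) ) {
        return '';
    }
    $value = $_COOKIE[ EXAMPLE_CONSENT_COOKIE ];
    // Anything other than the two known values counts as "no decision", so a
    // tampered or stale cookie can never unlock the analytics script.
    return in_array( $value, array( 'accepted', 'declined' ), true ) ? $value : '';
}

// The gate itself: with "implied consent" (choice 1) this enqueue would be unconditional.
add_action( 'wp_enqueue_scripts', function () {
    if ( 'accepted' === example_consent_state() ) {
        wp_enqueue_script( 'example-analytics', 'https://analytics.example/script.js', array(), null, true );
    }
} );

// Banner shown until a decision exists. It is an ordinary form, so it works without JavaScript.
add_action( 'wp_footer', function () {
    if ( '' !== example_consent_state() ) {
        return;
    }
    ?>
    <form class="cookie-consent" method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'example_cookie_consent' ); ?>
        <input type="hidden" name="action" value="example_cookie_consent" />
        <p><?php esc_html_e( 'We would like to use analytics cookies. Nothing is set until you choose.', 'example-textdomain' ); ?>
           <a href="<?php echo esc_url( get_privacy_policy_url() ); ?>"><?php esc_html_e( 'Privacy policy', 'example-textdomain' ); ?></a></p>
        <button type="submit" name="choice" value="accept"><?php esc_html_e( 'Accept', 'example-textdomain' ); ?></button>
        <button type="submit" name="choice" value="decline"><?php esc_html_e( 'Decline', 'example-textdomain' ); ?></button>
    </form>
    <?php
} );

// Records the decision. "Declined" is stored as well, so the visitor's "no" is as durable as a "yes".
function example_handle_consent() {
    check_admin_referer( 'example_cookie_consent' );
    $choice = ( isset( $_POST['choice'] ) && 'accept' === $_POST['choice'] ) ? 'accepted' : 'declined';
    setcookie( EXAMPLE_CONSENT_COOKIE, $choice, array( // array options form needs PHP 7.3+
        'expires'  => time() + YEAR_IN_SECONDS,
        'path'     => COOKIEPATH ? COOKIEPATH : '/',
        'domain'   => COOKIE_DOMAIN ? COOKIE_DOMAIN : '',
        'secure'   => is_ssl(),
        'httponly' => true, // only PHP reads it, so keep it out of reach of page scripts
        'samesite' => 'Lax',
    ) );
    $back = wp_get_referer();
    wp_safe_redirect( $back ? $back : home_url( '/' ) );
    exit;
}
add_action( 'admin_post_nopriv_example_cookie_consent', 'example_handle_consent' );
add_action( 'admin_post_example_cookie_consent', 'example_handle_consent' );
```

The consent cookie itself is one of the "strictly necessary" cookies that a notice does not need permission for; everything else waits on `example_consent_state()` returning `'accepted'`. Any other script or plugin that sets tracking cookies would need the same check wrapped around it to keep the site honest about what it promises in the notice.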

Comments & Contact Forms

WordPress are currently working on changing the core files; you can see the progress here. The hope is that this will cover things like a tick box within the comments and contact forms for users to agree to their data being given and stored.

But this will only cover those of you who use the built-in WordPress comments and contact forms.  If you use an external plugin for these, you will need to see what that plugin author is doing for GDPR.
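The tick box described above in the section on opting in, and again here for the built-in comment form, can be added today without waiting on core. The following is an added example, not code from the post or from WordPress core, written as a plugin or theme `functions.php` snippet: it adds an unticked consent box to the comment form for logged-out commenters and, importantly, checks it on the server, because the browser-side `required` attribute is only a convenience that a direct POST to `wp-comments-post.php` can skip. The hooks are real WordPress hooks; the field name `gdpr_consent`, the meta key and the wording are assumptions.

```php
<?php
/**
 * Added example, not code from the post or from WordPress core: an unticked consent
 * box on the comment form, enforced on the server. Hooks are real WordPress hooks;
 * the field name 'gdpr_consent', the meta key and the text are assumptions.
 */

// 1. Add the box to the fields shown to logged-out commenters. It is never pre-ticked:
//    consent has to be an action the commenter takes.
add_filter( 'comment_form_default_fields', function ( $fields ) {
    $fields['gdpr_consent'] = sprintf(
        '<p class="comment-form-gdpr-consent">'
        . '<input id="gdpr_consent" name="gdpr_consent" type="checkbox" value="yes" required /> '
        . '<label for="gdpr_consent">%s <a href="%s">%s</a></label></p>',
        esc_html__( 'I agree that my name, email address and comment are stored on this site, as explained in the', 'example-textdomain' ),
        esc_url( get_privacy_policy_url() ),
        esc_html__( 'privacy policy', 'example-textdomain' )
    );
    return $fields;
} );

// 2. Check it on the server. The HTML "required" attribute only helps honest browsers;
//    a request sent straight to wp-comments-post.php can leave the field out entirely.
add_filter( 'preprocess_comment', function ( $commentdata ) {
    $type = isset( $commentdata['comment_type'] ) ? $commentdata['comment_type'] : '';
    // Logged-in users do not see the box, and pingbacks/trackbacks have no form at all.
    if ( is_user_logged_in() || ! in_array( $type, array( '', 'comment' ), true ) ) {
        return $commentdata;
    }
    if ( ! isset( $_POST['gdpr_consent'] ) || 'yes' !== $_POST['gdpr_consent'] ) {
        wp_die(
            esc_html__( 'Please tick the box to agree to your details being stored before commenting.', 'example-textdomain' ),
            esc_html__( 'Consent required', 'example-textdomain' ),
            array( 'response' => 400, 'back_link' => true )
        );
    }
    return $commentdata;
} );

// 3. Keep a record of when consent was given, stored next to the comment, so you can
//    show it if the commenter later asks what you hold on them and on what basis.
add_action( 'comment_post', function ( $comment_id ) {
    if ( isset( $_POST['gdpr_consent'] ) && 'yes' === $_POST['gdpr_consent'] ) {
        add_comment_meta( $comment_id, 'gdpr_consent_given_utc', current_time( 'mysql', true ), true );
    }
} );
```

The same split applies to any contact form plugin: a consent box in the markup is only half of it, and the form handler has to refuse submissions where the box was not ticked.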

External Data

You need to check that any data you take is handled in compliance with GDPR.  So where does data go from your site?  Your hosting company stores it, Google stores it from Google Analytics, and your email host stores it.

Anything your website uses that takes data, e.g.:

  • user registrations
  • comments
  • contact form entries
  • analytics and traffic log solutions
  • any other logging tools and plugins
  • security tools and plugins
  • subscribers

You need to see where it is stored and whether it complies, so you can state in your privacy policy that it does.

Google, for example, has details here.

Contact your host and see what they are doing.

But the onus is on you, the site owner, to make sure you know where all data is stored and whether it can be accessed, shared with its owner and deleted if needed.


Emails from people contacting you through your blog or website: how will you store these, and for how long?  Are they in the cloud or just on your local machine?

From the information available, it is fine to keep data as long as it is needed for your business, so keeping old clients’ or customers’ details in case they have a problem is fine.  But you need to be aware of how you store them: is it secure, and can you access, share (with that customer if they request it) and delete the data if you need to?

In summary

Small businesses and website owners are having to tackle all the issues around GDPR in the dark, unless they want to pay for someone to audit them.  And even then a lot is still unknown about how WordPress sites will function.

I (and again I am not a lawyer or expert) am putting in place the above, the privacy policy, auditing how I store my data, making sure the plugins I use have tackled how they store any data.

But I need to have a website and business that functions.  I am very interested in how bigger businesses will tackle the cookie consent issue, and I do doubt they will be locking down their sites until you click a pop-up, as it is terrible practice.

I will update here with anything WordPress related and GDPR.
