WordPress GDPR: What It Is And What You Need To Know

If you pay attention to the news, you’ve probably seen this strange four-letter acronym increasingly popping up among webmasters (perhaps with a sense of panic attached):


What does it mean? And do you need to care about it as a regular webmaster?

In this post, I’ll give you a general overview of what the GDPR is and how it might affect your WordPress site.

I’m definitely not a lawyer (though I did take a Gen-ed class in college!), so don’t take anything that I say as legal advice. But if you just want a good general understanding of what GDPR is, as well as how you should address it on your WordPress site, give this one a read.

What Is The GDPR?

The GDPR, short for General Data Protection Regulation, is an EU law that focuses on data protection and user privacy. It’s an update to the 1995 Data Protection Directive. While the law was originally passed in 2016, it included a 2-year grace period to allow for compliance. That grace period is almost up and the GDPR will go into effect for real on May 25th, 2018.

So what is it?

Well, it’s sort of like those cookie notifications that you’ve seen pop up everywhere…but on steroids.

While the cookie law affected something limited – notifying users that you use cookies on your site – GDPR goes much deeper and affects:

  • Storage of personal data
  • Processing of personal data

Personal data is defined pretty broadly. It’s “any information relating to an identified or identifiable natural person”. That’s…like everything. Name, email, IP address…that, and lots more, could all be defined as personal data.

Processing of personal data, on the other hand, is “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means”. So even if you manually process that personal data, it still falls under the GDPR.

You can view the full text for these portions here.

So…that wording is pretty broad, right?

In general, the GDPR requires you to:

  • Get consent for many actions, like storing someone’s email when they leave a comment on your site
  • Give users access to the data that you have on them, as well as an option to remove that data (the “right to be forgotten”)
  • Notify users of any data breaches (this one is especially hard because many small webmasters might not even realize when a breach has occurred on their site)

Does GDPR Matter For You As A Regular WordPress User?

Yes. At least according to the law. GDPR applies to all websites that handle data from EU citizens (which is pretty much every single website in the modern world).

Of course, it’s not really possible to monitor every single website on the Internet, and I’m sure millions of unaware webmasters will continue on without making any changes (ignorance is bliss).

But by the letter of the law, GDPR almost certainly applies to you.

What Happens If You Ignore GDPR?

While I’m not a lawyer, I think it’s unlikely that the EU knocks down your door because of your hobby recipe blog that lets users comment without requiring consent (more on this in a second!)…

But the GDPR definitely does have teeth…

The potential fines are up to €20 million. Or, alternatively, 4% of your global revenue (though I think that the first number is scarier for most of us).

How Does GDPR Affect WordPress Sites?

The GDPR has implications for the core WordPress software. And most WordPress sites are probably going to use some plugins or functions that fall under the GDPR.

If you don’t allow public registrations, you might not think that you collect data from your visitors, but I bet that you do…

Examples include:

  • Comments on your site (WordPress logs the email address, IP, and name – remember?)
  • User registrations (obviously)
  • Contact form entries (especially if you’re storing this information in your database)
  • Any analytics tools that you’re using

Basically, it affects you if you collect any type of data, even unintentionally (like with comments – when’s the last time you actually looked at the data?).

Is WordPress Doing Anything About The GDPR?

As you can see from the list above, some of the things that might put you in violation of the GDPR are actually core WordPress functions.

That is – short of disabling comments, it’s hard not to run afoul of the GDPR just by running WordPress.

To address this, the WordPress core team has a #gdpr-compliance tag going on and is working on how to build GDPR compliance into the core WordPress software.

Discussions involve adding tools to the core to help webmasters comply with GDPR, as well as documentation on what WordPress webmasters need to do to comply with GDPR.

You can see a rough roadmap of these ideas on this GitHub page.

Additionally, it’s not just the core team who needs to pay attention to GDPR. Plugin developers also need to shoulder some responsibility for making their plugins compliant.

Responsive plugin developers are already doing this. For example, many contact form plugins have pages on GDPR compliance. You can see two examples below for:

WordPress Plugins To Help With GDPR Compliance

Beyond changes to the WordPress core software and existing plugins, some developers have also created plugins to help webmasters with GDPR compliance.

So far, the most popular option seems to be the WP GDPR Compliance plugin from Van Ons.

In addition to giving you a handy checklist for changes that you should manually make, it also offers integrations for:

With these integrations, you can enable compliance with the click of a toggle:

A second option is the WP GDPR plugin from AppSaloon.

It gives users a page where they can ask for their user data. Users can then view all of their data and ask to remove it if desired. It also includes add-ons for:

What Does The Average WordPress User Need To Do About GDPR?

Again, I am not a lawyer. This is not legal advice.

For an average WordPress user, the situation isn’t quite as dire as it is for a global digital business that’s going to attract attention for any compliance issues.

If you’re in the EU, or if you get a lot of traffic from the EU, you should:

  • Keep an eye on what the core team does so that you know when/if to enable certain features on your site.
  • See if any of your plugins that collect user information have provided documentation for how to comply with GDPR. As I showed you above, many of the popular plugins have already done this.
  • Consider using a plugin like WP GDPR Compliance if you’re worried.

Have any other tips or thoughts on complying with GDPR? Leave a comment and let’s get the think tank going…

Colin Newcomer

Colin Newcomer is a freelance writer and long-time Internet marketer. He specializes in digital marketing, WordPress and B2B writing. He lives a life of danger, riding a scooter through the chaos of Hanoi. You can also follow his travel blog.

6 thoughts on “WordPress GDPR: What It Is And What You Need To Know”

  1. Thanks for this article; it gives me a bit more information on this pointless, waste-of-time law. Just like the Cookie Law, anyone doing anything dodgy won’t pay any attention anyway, but for genuine law-abiding businesses it just creates more work!

    I’ve read the official website for this and I still haven’t got a clue what I need to do. I am a limited company that consists of just me. I don’t send any eshots, I do have comments enabled on my own website, and I do hold my clients’ details, but just for invoicing and getting in touch with them about work. Any ideas what I need to do?

  2. This is a really interesting article. I’ve heard of GDPR, but never bothered to take a closer look at it. Now, it seems I could be in violation without even knowing it.

    The worst thing about this is that you can never be 100% confident that you have all the bases covered :-). If you install one plugin that collects some harmless data, you could be held liable. Creepy :-)

  3. I’ve heard the term GDPR and understood the gist of it but this is the first full-on article I’ve read. [Very informative and to the point, by the way].

    My question is, if you are a business that services only US-based companies, why not just block EU country IPs and be done with it? I imagine we will eventually update our policies in the United States, but if EU countries cannot access your site – unless they use a proxy workaround – shouldn’t that fix the problem across the pond?

    Your thoughts.

  4. I can’t imagine not being able to check email addresses and IP info on an ecommerce site.
    Or if you have an active community and require an email address for registration.
    I don’t get their email address unless they fill out a form, or post a comment, or make a purchase.
    They give that data voluntarily.
    I would think the only thing that I would need to add is a way for them to remove it later, not just by unsubscribing from comment notifications.
    GDPR goes a little farther than necessary, but I think it’s about harvesting and tracking and selling of data more than anything else. I don’t mind companies that I’ve bought from using my data to send targeted, relevant ads. I’m worried about their ability to continue to do that, even though it might cut down my obsession with camera gear (thanks to BH Photo).

  5. Why do the EU regulations have any authority in nations that are not part of the EU? There is the scare tactic of heavy penalties, but what legal basis does the EU have for enforcing this?

  6. Thank you for the update and the information about the GDPR. Is there anything else to be done other than enabling it from Contact 7? Also, for a blog website like mine, https://cryptobitcoin.gold, where there is only a comment section for any views or opinions, what else should I do to ensure compliance? Do I need to hire an expert, or will a newbie be able to adhere to the regulations by using some plugin?
    Deepak Singh Rawat
