Disclaimer: We are not lawyers. Nothing on this website should be considered legal advice.
In many countries (including the United States), websites are required by law to disclose the information they collect about their visitors and how this information is used.
Additionally, the European Union’s General Data Protection Regulation (GDPR) takes effect on May 25, 2018. This regulation requires website owners like you to be transparent about how you collect, use, and share personal data of EU residents no matter where your business is located. If your business isn’t in compliance with GDPR requirements, then you may face large fines of up to 4% of the company’s annual global revenue OR €20 million (whichever is greater).
Some ways a typical WordPress website collects user information are:
WordPress comments: If commenting is enabled on your site, you’re also collecting personal data like name and email address of your users. After commenting on a website, personal data is also saved in browser cookies, so commenters don’t have to resubmit them next time. This makes commenting more convenient on WordPress websites.
Google Analytics: If you use Google Analytics on your WordPress site to track user interactions, chances are you’re collecting personal data like IP addresses, user IDs, and cookies for behavior profiling.
Contact forms: If you store contact form entries in WordPress or use the data for marketing purposes, you might want to get explicit consent from users to do so.
Advertisement: If you serve advertisements through third party websites, like Google AdSense, then you’re likely sharing user behavioral information with your advertising partners.
What Is GDPR Regulation?
The General Data Protection Regulation (GDPR) is a European Union (EU) law, which takes effect on May 25, 2018. It requires companies and site owners to reveal how they collect, use, and share personal data of their users. The goal is to give EU citizens more access and choice when it comes to how their own personal data is collected, used, and shared.
Keep in mind that while GDPR is a European regulation, it’s applicable to all websites and online businesses around the world that collect, store, and process personal data about EU residents no matter where the business is located.
Of course, this law applies to you as well if your site attracts visitors from European Union countries.
For more details, check out the ultimate guide to WordPress and GDPR compliance.
- The details about the data you collect on your site.
- Explain how you collect the data. For example, it could be through site logs, cookies, web beacons, signup/registration forms, comment forms, etc.
- If you use third-party ad networks like Google AdSense, you may also be serving cookies and web beacons on your website to serve targeted ads.
- Explain why you collect this information. This could be for improving your website, improving user experience, etc.
- Explain if your users could opt-out of these cookies. If so, then you might add the links to opt-out pages on your site and third-party advertiser websites.
How to Create a GDPR Compliant Privacy Notice (Step by Step)
Step 1: Update Your WordPress
If you’re using an older version of WordPress on your site, make sure to update your WordPress core files before you begin.
Below are a few new features of WordPress that you’ll find useful to make your website compliant with international laws including GDPR.
By default, personal details like name and email address will no longer be saved in browser cookies. Users are given a choice whether they want to save the data in a browser cookie for convenient commenting.
Site owners can now export a zip file containing users’ personal data, including the data collected by WordPress and participating plugins. You can also erase personal data of individual users.
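The export and erase tools only see plugin data that a plugin registers with them. Below is an added example (not from the original article) of how a plugin hooks its own stored data into those tools; it assumes a hypothetical table `{$wpdb->prefix}newsletter_signups` with columns `id`, `email` and `signed_up_at`.

```php
<?php
// Added example (not from the original article): hook a plugin's own stored
// data into the WordPress export and erase tools described above. Assumption:
// the plugin keeps signups in a hypothetical table {$wpdb->prefix}newsletter_signups
// with columns id, email, signed_up_at.

function wpb_newsletter_exporter( $email_address, $page = 1 ) {
    global $wpdb;
    $limit  = 100;
    $offset = ( max( 1, (int) $page ) - 1 ) * $limit;
    // The address comes from the request: always go through prepare().
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, email, signed_up_at FROM {$wpdb->prefix}newsletter_signups WHERE email = %s LIMIT %d OFFSET %d",
        $email_address, $limit, $offset
    ) );
    $items = array();
    foreach ( $rows as $row ) {
        $items[] = array(
            'group_id'    => 'newsletter_signups',
            'group_label' => __( 'Newsletter Signups', 'wpb' ),
            'item_id'     => 'signup-' . $row->id,
            'data'        => array(
                array( 'name' => __( 'Email', 'wpb' ),     'value' => $row->email ),
                array( 'name' => __( 'Signed up', 'wpb' ), 'value' => $row->signed_up_at ),
            ),
        );
    }
    // done=false tells core to call again with the next page.
    return array( 'data' => $items, 'done' => count( $rows ) < $limit );
}

function wpb_newsletter_eraser( $email_address, $page = 1 ) {
    global $wpdb;
    $deleted = $wpdb->delete( $wpdb->prefix . 'newsletter_signups', array( 'email' => $email_address ), array( '%s' ) );
    // Report honestly: if a row must be kept (e.g. a legal hold) set items_retained and add a message.
    return array( 'items_removed' => (bool) $deleted, 'items_retained' => false, 'messages' => array(), 'done' => true );
}

add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['wpb-newsletter'] = array( 'exporter_friendly_name' => 'Newsletter Signups', 'callback' => 'wpb_newsletter_exporter' );
    return $exporters;
} );
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['wpb-newsletter'] = array( 'eraser_friendly_name' => 'Newsletter Signups', 'callback' => 'wpb_newsletter_eraser' );
    return $erasers;
} );
```

Once registered, the plugin's rows appear under "Newsletter Signups" in the Tools » Export Personal Data and Erase Personal Data screens alongside the data WordPress core collects.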
- Who we are: In this section, your website URL is specified automatically. You’ll have to add any additional information you want to display on your own.
- What personal data we collect and why we collect it: In this section, you can find several subsections such as comments, media, contact forms, cookies, embedded content from other websites, and analytics.
- Where we send your data
- And a lot more.
Step 3: Understand What Data You Collect on Your WordPress Website
Similarly, you’ll have to write what other information your website collects through your WordPress theme, plugins, and third-party services you use on your website.
The data you collect on each website may vary based on the WordPress plugins and tools you use. However, below are a few essential data usage policies you’ll need to explain on your WordPress website no matter what plugins you use.
- Analytics data usage policy
- Contact forms data usage policy
- Ads data usage policy
Now you have an idea of what data your website collects through your WordPress plugins and third-party tools. In order to stay GDPR-compliant, it’s recommended to use WordPress plugins and tools that are compliant with GDPR.
If you’re like most website owners, then you’re likely using Google Analytics to track and collect user interactions on your website. For behavior profiling, Google Analytics extensively collects personal data including IP addresses, user IDs, and cookies.
To be GDPR compliant, you need to do one of the following:
- Anonymize the data before storage and processing begins
- Add an overlay to the site that gives notice of cookies and asks users for consent prior to tracking
Both of these are difficult to implement if you’re not an Analytics expert or a WordPress developer. This is why we always recommend installing Google Analytics through a plugin rather than manually.
If you’re using MonsterInsights, the best Google Analytics plugin for WordPress, it’s easy to stay GDPR-compliant. All you have to do is install the EU compliance addon, which helps automate the above process. Once you have installed the addon, you’ll be given a choice to anonymize IP addresses, disable UserID tracking, disable author tracking, etc.
For more details, refer to this GDPR and MonsterInsights article.
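For readers who do want to see what the two options above look like in code, here is an added example (not from the original article or from MonsterInsights) that loads Google Analytics only after an explicit opt-in and with IP anonymisation turned on. The consent cookie name `wpb_analytics_consent` and the property id `UA-XXXXXXXX-X` are placeholders; the cookie is assumed to be set by whatever consent banner you use.

```php
<?php
// Added example (not from the original article or any plugin it names): load
// Google Analytics only after the visitor has opted in, with IP anonymisation on.
// Assumptions: the cookie name "wpb_analytics_consent" (set by your consent
// banner) and the property id "UA-XXXXXXXX-X" are placeholders to replace.

define( 'WPB_GA_PROPERTY_ID', 'UA-XXXXXXXX-X' );
define( 'WPB_GA_CONSENT_COOKIE', 'wpb_analytics_consent' );

// True only on an explicit opt-in; a missing or unexpected cookie value means "no".
function wpb_has_analytics_consent() {
    if ( ! isset( $_COOKIE[ WPB_GA_CONSENT_COOKIE ] ) ) {
        return false;
    }
    return '1' === sanitize_text_field( wp_unslash( $_COOKIE[ WPB_GA_CONSENT_COOKIE ] ) );
}

// Without consent nothing is enqueued, so Google sets no cookies at all.
// With consent, anonymize_ip makes Google truncate the IP before storage.
function wpb_enqueue_analytics() {
    if ( ! wpb_has_analytics_consent() ) {
        return;
    }
    $src = 'https://www.googletagmanager.com/gtag/js?id=' . rawurlencode( WPB_GA_PROPERTY_ID );
    wp_enqueue_script( 'wpb-gtag', $src, array(), null, true );

    $config = "window.dataLayer = window.dataLayer || [];\n"
        . "function gtag(){dataLayer.push(arguments);}\n"
        . "gtag('js', new Date());\n"
        . 'gtag(\'config\', ' . wp_json_encode( WPB_GA_PROPERTY_ID ) . ", { 'anonymize_ip': true });";
    wp_add_inline_script( 'wpb-gtag', $config, 'after' );
}
add_action( 'wp_enqueue_scripts', 'wpb_enqueue_analytics' );
```

A quick check that it works: with the cookie absent, the page source should contain no `googletagmanager.com` script at all, and with it set to `1` the inline config should include `'anonymize_ip': true`.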
If you are using a contact form on your WordPress site, and store the form entries or use the data for marketing purposes, then you may want to add extra transparency measures on your site.
A few ways to remain compliant with international laws, including GDPR, when it comes to using your WordPress forms are:
- Get explicit consent from users to store their information and use it for marketing purposes.
- Disable cookies, user-agent, and IP tracking for forms.
- If you are using a SaaS form solution, then make sure you have a data-processing agreement with your form providers.
To make your WordPress forms GDPR-compliant, simply adding a required consent checkbox with a clear explanation should be good enough.
With WPForms, the easiest contact form WordPress plugin, you can easily add a GDPR consent field on your forms. You can also disable user cookies, disable user IP collection, and disable entries with a single click.
You can do this by using a plugin like Cookie Notice.
Then, head over to Appearance » Widgets and drag and drop the Custom Menu widget to your footer sidebar. Select the menu you just created and save your widget.
You may also check out our guide on the best Google Analytics plugins for WordPress.