Is Your WordPress Site GDPR Compliant?


New privacy policy laws that give consumers more control over their personal data come into effect on 25 May 2018. Businesses that fail to comply with EU regulations could face severe consequences.

Known as the General Data Protection Regulation (GDPR), the new law changes the rules for companies that collect, store or process data

Although the directives have been signed into European legislation, every business that could potentially receive user data from Europe is required to observe the privacy standards. So in effect, any business in the world that owns a website.

If you run a business that collects customer data from sales, contact forms, newsletter signups, email and SMS opt-ins, or even use software running in the background that identifies visitors to your website – including third-party plugins – you are subject to GDPR.

For small businesses, GDPR is a potential minefield. Failure to comply with EU regulations will result in harsh penalties – up to 4% of your annual global turnover, or £17.39m (€20m), whichever is greater. Needless to say, these penalties could put people out of business.

Key policies you need to know about GDPR

The issues surrounding the private data of consumers has been a longstanding issue for the digital community. The GDPR law is designed to make companies take responsibility and be accountable for ensuring the highest levels of privacy protection are implemented.

The key policies are:

    • If you collect personal data by any means, you have to ask customers for their permission first. It is forbidden to use vague or confusing language, nor can you ask for consent to confirm the right to a bundle of privileges. Each touchpoint requires a separate tick box or notification
    • It must be easy for consumers to withdraw their consent
    • When customers do withdraw their consent, they also have the right the “be forgotten” whereby you are obligated to delete their personal details from your records
    • Minors must have parental permission to opt-in for services that require data collection
    • If you experience a data breach you must inform customers and have 72 hours to notify the data protection authority
      • Consumers must be given access to the personal data you hold about them, and they also have the right to know what purpose the data is being used for
    • Current privacy policies alone are no longer relevant. Privacy policies have to be built into page content where they are visible and accessible to end-users

How does GDPR affect your WordPress website?

There are six potential ways that GDPR impacts the design, page content and system tools of your WordPress website:

    • Data collection forms (contact forms, payments, downloads, newsletter signups etc)
    • How and where analytical data is collected (i.e. Google Analytics)
    • How you intend to use data
      • Where you store customer data
      • Building privacy policy into the design
    • Codes from third-party tools such as plugins, themes, payment gateways, virtual assistants etc..

Businesses that are located outside the EU but use a WordPress website could still be impacted. Here are a few examples of where GDPR will apply:

    • WordPress community sites that collect personal data for user profiles
    • Websites where users sign up to buy WordPress themes or plugins
    • WordPress sites that requires registration for visitors to leave comments or sign up to a newsletter
      • eCommerce stores that sell produce online and use WordPress as a blog
    • WordPress websites that use analytics software

What changes do I need to do to make WordPress / WooCommerce website GDPR Compliant?

  1. WooCommerce Terms & Conditions (Checkout page)

You must amend the Terms & Conditions page of your website in regard to the new GDPR terminology and the gathering of customer data from the WooCommerce checkout. If you don’t have T&Cs on your WordPress website you must add some and a checkbox at the checkout that users must tick.

  1. WooCommerce Privacy Policy (Checkout page)

Under the terms of GDPR, every website has to feature a privacy policy on every page. The privacy policy content must inform the user about how you intend to collect, use and store data.

  1. WooCommerce User registration (My Account page)

The ‘My Account’ page on WooCommerce requires a username and password. You therefore need to add a Privacy Policy checkbox where it is clearly visible to customers. Just to reiterate, the best practice is to keep this simple and only request data you need.

  1. WooCommerce Cart Abandonment (Checkout page)

At present the WooCommerce Cart Abandonment plugin collects email addresses without consent. Although we expect the plugin to be upgraded, the best practice is to specify this above the email collection field detailing that it may be used for re-targeting purposes.

  1. WooCommerce product reviews (Single Product page)

Before customers can leave comments or a review on a WordPress website, they are prompted to register an account. This requires collecting personal data they can use for secure login. This information will also include their IP address and cookies, which under GDPR requires businesses to inform customers you are collecting their data.

  1. WordPress comments (Blog pages)

Allowing and encouraging customers to leave comments also requires you to collect personal data. You guessed it, you need consent on every page with a comments box too.

  1. WordPress & WooCommerce opt-in forms (Newsletter, Lead magnets, etc.)

If customers have the choice to opt-in to receive information from you (newsletters, emails, SMS), you will need to collect their name, email and possibly their mobile number. Opt-in forms are usually tethered to third-party software such as MailChimp. It is therefore important you:

    • Request consent
    • Inform customers why you need their personal data
    • Give them the option to opt-out
      • Explain to customers how they can access the data you hold on them
    • Tell customers about their rights to withdraw consent or request you delete their data
  1. WordPress contact forms (Contact Us page, widgets, etc.)

Contact forms such as Contact Form 7, Ninja Forms, Gravity Forms, etc, request email addresses so you can get back in touch with customers. Wherever there is a contact form, there has to be a Privacy Policy consent form too.

  1. WooCommerce analytics (Google Analytics, Metorik, etc.)

If you’re using analytics software that captures personal data and uses cookies without consent, you need to take action that complies with GDPR. The type of action you take will differ in relation to the analytics tool you are using. If the software is collecting user data without identifying individuals, you don’t have to worry about doing anything. GDPR only applies in situations when EU citizens are identified.

  1. WordPress and WooCommerce Plugins & APIs (Payments, Email marketing, etc.)

Many plugins and APIs collect consumer data without consent. Although some companies are updating their plugins, don’t leave anything to chance, all plugins and APIs will need to be reviewed to ensure you are GDPR compliant.

  1. Breach notification

The new European Directives are very strict about data security. Under the new regulations, if your system defences are breached by hackers, non-GDPR compliant bodies, unauthorised personnel or other third party that does not have permission, you are obligated to inform the data protection agency and customers within 72 hours. In addition, you are obligated to compile a data response plan.

Plugins out of date are the most common cause of hacks on WordPress websites so these must be updated to avoid any potential breaches.

WordPress Integrations  

Even if you don’t collect personal data directly from end users, there’s a good chance the third-party software installed on your WordPress website does. This may include MailChimp, Salesforce, Paypal or their equivalents etc. Many of the popular plugins are already GDPR compliant, but it’s worth running checks on all of them anyway.

This directive sounds scarier than it actually is. The quick fix here is to only use third-party software that is GDPR compliant. The best way to resolve this is to review all plugins that are used on your WordPress website and replace those which are not complaint.

GDPR also extends to analytical data such as Google Analytics. However, this data is only relevant if you are collecting sensitive information that can be traced to an individual. In truth, it is rare for analytics software to collect such a high-level of data but if you do, you must request consent.


There is no getting around GDPR, and with the May 25th deadline looming time is running out to meet compliance targets. When deciding how to manage data collection on your website, keep these two rules in mind;

  1. keep it simple and only collect the minimum amount of personal data you need for the critical operational running of your website; and
  2. be transparent and inform end-users why you are collecting their personal data and how you intend to use it. This gives them the opportunity to give you their consent.

If you need help getting ready for GDPR please get in touch with Code23. Our knowledgeable team will perform all the checks you need to ensure your website is fully compliant with GDPR. We perform security audits, plugin analysis, build appropriate notifications into the design, set up 24/7 security alerts and have teamed up with partners that specialise in EU privacy laws.