How To Make Your WordPress Site GDPR Compliant

0. Introduction

1. How WordPress Is Handling the Implementation of the GDPR

2. What do I need to do next?

3. WordPress GDPR Compliance Plugins

3.1. Install WP GDPR Compliance

3.2. Install Cookie Notice

4. Privacy Policy and Cookies pages

4.1. Privacy Policy and Cookies pages templates & generators in English

4.2. Privacy Policy and Cookies pages templates in Romanian

5. Conclusion

#0. Introduction

In the past, we have talked about the most popular open source CMS in the world right now: WordPress. We have actually published this article about WordPress Theme Customizer and our PHP team has hands-on experience with WordPress development. So, obviously, when the General Data Protection Regulation (GDPR on short) was to go into effect, some business owners had an increased interest on making their websites GDPR compliant and this generated an avalanche of questions and requests for technical implementations and updates.

While GDPR is quite a lot about internal processes for businesses and organisations (so it falls under the expertise of a legal adviser or an attorney), it also contains a technical component. Here at Infobest, we are keen to respect European and International regulations when developing software of any kind and consult our parteners in the process, so that they always get the best outcome.

Still, if your website or online shop is based on WordPress (+Woocommerce) and you would like to take up the challenge of making it GDPR compliant, we gathered a list of resources below.

#1. How WordPress Is Handling the Implementation of the GDPR

In mid April, on the WordPress blog, Andrew Ozz wrote about GDPR Compliance Tools in WordPress. In 17th of May 2018, WordPress 4.9.6 was released to the public and introduced a Privacy admin menu item (Settings > Privacy). That setting offers the possibility of choosing a Privacy Policy page and provides some tips and recommendations on what content to include. Also, under Tools > Export Personal Data and Tools > Erase Personal Data you will find resources to comply with Art. 15 GDPR (3) “Right of access by the data subject” and Art. 17 GDPR “Right to erasure (‘right to be forgotten’)”.

#2. What do I need to do next?

The fun thing about WordPress is the fact that – with the help of plugins and themes – it can help you, as a developer, use it for a wide variety of projects. You can build an online shop using Woocommerce, you can build a classifieds ads platform using premium themes like Classiera, AdForest, ClassifiedEngine or plugins like AWPCP Classifieds Plugin and Classifieds WP or you can build a real estate platform using custom types and taxonomies plus some custom fields. But all those projects, well, they mean processing and / or collecting data from the users. And in many cases, that data can be sensible (email addresses, phone numbers, names etc).

Even for a small presentation website, if you’d like to allow the users to send you an email via a contact form (like Contact form 7), you’d need to take additional actions to comply with GDPR. There are two options here:

  1. You start adding checkboxes for all your forms and link them to the Privacy Policy page, create a nice Cookies notification bar / popup that will allow the user to accept or reject Cookies and generate an easy way for the user to access his data or request deletion of his data.
  2. You use one or more plugins to generate all the functionality above for you. This sounds like the easy option, right? (Though you should consider the fact that plugins need to be maintained and may slow down the site a bit more than if you were to code those features yourself)

#3. WordPress GDPR Compliance Plugins

Here is a quick and easy path to having everything in place:

#3.1. Install WP GDPR Compliance – developed by 

If you go to the “Settings” tab of this plugin you will have the option of selecting the “Privacy Policy” page and link. You will also be able to generate a “Request User Data” page which will display a form where users can, obviously, request their data. It’s quite easy to set-up and configure and it saves a lot of time in development, while in the same time helps you with a checklist.

As alternative to this plugin, you can have a look over: WP GDPR (by AppSaloon, with 5,000+ active installations).

#3.2. Install Cookie Notice by dFactory (with 700.000+ active installations) – this plugin will help you add a customizable the cookie message, while in the same time allow you to link to Privacy Policy / Cookies page. Cookie Notice by dFactory also provides other nice features like the option to refuse functional cookies, option to revoke the user consent and option to manually block scripts. Some small design / positioning settings are also available.

As alternatives to this plugin, you can have a look over: GDPR Cookie Compliance (20.000+ active installations), GDPR Cookie Consent (by webtoffee, 300.000+ active installations), Cookie Consent (by Catapult_Themes with 200.000+ active installations), Cookiebot | GDPR Compliant Cookie Consent and Notice (by Cybot A/S with 10,000+ active installations).

#4. Privacy Policy & Cookies pages

Protecting user data is very important. But just as important is to notify them about your Privacy Policy and about Cookies and to give them control over their personal data. If you’d like to write your own Privacy Policy page, but don’t really know where to start (presuming that you read the EU data protection rules), you can have a look over the following templates:

#4.1. Privacy Policy and Cookies pages templates & generators in English

  1. Free Privacy policy Template by SEQ Legal
  2. Free Cookies policy, from the same website above
  3. Privacy Policy template from Termsfeed
  4. Free Cookies policy template from Termsfeed
  5. Free privacy policy generator from Shopify
  6. Free Custom privacy policy

And because we are a software development company based in Romania, below you can find two templates for the local market

#4.2. Privacy Policy and Cookies pages templates in Romanian

  1. Privacy Policy page template
  2. Cookies Polity page template, both from local blogger Razvan Baciu

#5. Conclusion

Keeping up to date with all things related to the GDPR is vital. But as I stated earlier in this article, the regulation is not just about technical implementations, is mostly about processes. And whenever you hear “process”, you should probably think “audit”. Don’t collect more data than you need. Don’t store data longer than required. Remember to update both Privacy Policy and Cookies Policy pages each time you’re making changes on your site (activate a new plugin that “does something” in relation to users or implement a 3rd party cookie). Update WordPress and all the plugins as often as necessary and avoid the risk of getting hacked (and have your data stolen). Review and update your custom code modifications as often as necessary. Use something like Security Audit Log to make sure your application is performing as intended to. On short: care about your user’s privacy and GDPR will no longer look like the monster under the bed.

Disclaimer: this is by no means legal advice and is based entirely on our findings of this subject so far. Please seek proper legal advice on the subject if required and remember to check for the latest WordPress updates.

Leave a Reply

Your email address will not be published. Required fields are marked *