GDPR Compliance

How to make your WordPress website GDPR compliant (in 5 easy steps)

The General Data Protection Regulation (GDPR) can be daunting and confusing for many WordPress website owners. However, the consequences of violating GDPR mean that you cannot afford to ignore this regulation.

Fortunately, plugins, tools, and best practices can make your WordPress website GDPR compliant. By following a few straightforward steps, you can bring your site into line with this European Union (EU) law and avoid fines and possible jail time.

In this post, we’ll demystify this complex and sometimes intimidating legislation. We’ll then show how to update your WordPress website for these new rules. Let’s get started! 

An introduction to GDPR (and why it’s important)

The General Data Protection Regulation (GDPR) is a European Union (EU) directive that came into effect in May 2018. It was created to give EU citizens more control over their personal data: 

[Image: GDPR EU website]

Personal data is any information that could directly or indirectly identify a living person. For example, it can include names, email addresses, bank details, or Internet Protocol (IP) addresses.

The GDPR lays out strict rules for keeping this data secure and reporting any security breaches. It also specifies how to document your information collection. Finally, it outlines security procedures to demonstrate compliance with the regulation. 

Crucially, this legislation doesn’t just apply to organizations based in Europe. If you offer goods or services to any citizen, resident, or visitor to the EU, you’re legally obligated to adhere to the GDPR. 

Simply having a website accessible to EU data subjects doesn’t make you subject to the GDPR. However, if you provide services to EU citizens or track behavioral data related to them, the GDPR applies to you. 

For example, something as simple as running targeted advertising campaigns or monitoring your visitors with Google Analytics makes you subject to the regulation. 

The regulation applies to all data controllers, meaning anyone who collects information from EU subjects. It also applies to data processors: organizations or individuals who process the information on behalf of data controllers. 

If you fail to comply with the GDPR, the results could be disastrous – and expensive. The EU sets a maximum fine of €20 million or 4 percent of your organization’s annual global turnover. In severe cases, violating the GDPR may even result in a prison sentence. 

5 steps to make your WordPress site GDPR compliant

GDPR fines aren’t just an empty threat. In 2021, the Amazon e-commerce store received a record-breaking €746 million fine for violating the regulation. 

With more and more websites receiving penalties, let’s make sure you’re playing by the rules. Here’s how to make your WordPress website GDPR-compliant in five easy steps.

1. Ensure your plugins comply with GDPR

Many WordPress plugins collect personal data. If you’re using any add-ons, it’s your responsibility to verify how this software utilizes and stores personally identifiable information. You’ll need to add all these details to your privacy policy, which we’ll cover in the next step. 

If you’re using multiple plugins, this may seem daunting. To make things easier, some developers are starting to tag their plugins as GDPR-compliant. 

You should never assume that a plugin is GDPR-compliant just because of a tag. However, it can be a useful starting point to see how a particular add-on manages its data:

[Image: GDPR compliant tag]

The GDPR also gives people the right to access, correct, and delete their personally identifiable information. If any of your plugins collect data, you must export all of this information and provide it to visitors if they ask for it. You must also be able to edit this data or delete it entirely if requested. 

If you’re using multiple plugins, this can represent a significant amount of work. It can also become a massive headache for add-ons that make heavy use of personally identifiable information.

The good news is that many developers have already taken steps to ensure their software is GDPR-compliant. If you’re unsure, it’s worth checking the plugin’s listing or the developer’s website for more information. 

Since GDPR compliance is such a serious issue, we always recommend reaching out to the plugin’s developer with any questions you may have. You can often find this contact information on the add-on’s website or within its listing in the official WordPress repository.

2. Update your privacy policy 

Under the GDPR, you must inform data subjects about how you use their personal information. The best way to communicate these details is via a privacy policy: 

[Image: WordPress Privacy Policy]

Your policy should detail the type of data you collect, how you plan to use it, and your steps to protect it. If you share the user’s information with third parties, you’ll also need to disclose this. 

You should also detail your cookie usage and provide information about any data that’s collected via plugins. Even if you already have a privacy policy, you may need to update it to align with these GDPR specifications.

This may sound like a lot of work, but some GDPR plugins can help you generate compliant documents. 

For example, Privacy Policy provides over 25 legal pages for your WordPress website, including a privacy policy:

[Image: Privacy policy GDPR]

This free plugin generates a standard policy compliant with advertising networks, analytics, and marketing tools. While the generic policy isn’t GDPR-compliant, you can use it as a template for writing your own document:

[Image: Privacy Policy update]

Alternatively, you can upgrade to WPLegalPages Pro. This premium plugin generates a privacy policy specifically designed to comply with the GDPR’s requirements:

[Image: WP Legal Pages Pro]

You can simply input your business details, and WPLegalPages Pro will generate a privacy policy for your WordPress website. 

3. Obtain explicit consent to use cookies

Cookies are text files containing small pieces of information, such as visitor usernames and passwords. Websites use cookies to identify individuals and improve browsing experiences. For example, sites utilize them to deliver personalized content. 

Cookies can identify individuals, which places them firmly in the realm of personal data. Under GDPR, you must obtain explicit consent from your visitors before placing cookies in their browsers. 

Many websites request permission via popups that appear when people first visit your site. Chances are you’ve encountered these popups hundreds of times when browsing the web:

[Image: Cookie popup example]

It’s important to note that the GDPR requires explicit consent. This means that your popups cannot have a default answer, such as Accept.

Cookie Notice is a simple plugin that you can use to obtain visitor permission. Whenever someone new lands on your website, this add-on will display a customizable banner:

[Image: Cookie notice banner]

To help ensure your banner adheres to all regulations, Cookie Notice provides ready-made and customizable templates. For example, you might include links where the visitor can learn more about your data usage. Here, you can point users in the direction of your privacy policy:

[Image: Cookie notice settings]

You also need to ensure your site continues to display and function correctly for visitors who choose not to allow cookies. If you fall short, you’re immediately limiting your audience and may lose out on a significant amount of traffic.

4. Limit the data you collect via forms 

Forms are designed to collect personal data. As such, they play a significant role in your GDPR compliance. 

Firstly, it’s essential to gather only the information that you actually require. Less data means fewer opportunities to violate GDPR accidentally.

GDPR also creates a significant overhead associated with acquiring and storing data. For example, you’ll need to record consent for every piece of personal information that you collect. 

GDPR also grants EU subjects the right to access, rectify, and delete their data. These requests can represent a significant amount of work. By limiting how much information you collect, you may reduce the number of petitions you receive. 

When creating your forms, it’s essential to obtain and record explicit consent for collecting and using every piece of personal data. Pre-checked boxes that assume permission by default aren’t classed as valid under the GDPR. 

Instead, the visitor will need to explicitly confirm their approval, such as selecting an unchecked opt-in box:

[Image: Newsletter opt-in]

Many websites use plugins to build their forms. If you’ve installed a form creation add-on, be aware that some software submits the visitor inputs to a database. It’s always worth checking whether this is the case with your form plugin. If it is, you may need to include this information in your privacy policy.

Even if the form stores data by default, it may include an option that prevents saving visitor inputs. For this reason, it may be worth exploring the plugin’s settings to see whether you can bring it into line with the GDPR. 

5. Review your email marketing strategies

Email marketing can be a powerful way to keep your customers engaged over the long term. It can also be a great tool for pushing visitors down the sales funnel. 

Despite its popularity, if you operate a mailing list, you may be violating the GDPR. 

To bring your email marketing into line with EU laws, we recommend running double opt-ins. The visitor provides their email address as part of the signup process. Then, you send them a message containing a confirmation link. This person must click on the URL to finalize their subscription:

[Image: Newsletter sign up]

Technically, the GDPR doesn’t require double opt-in. However, you must provide proof that you comply with all of the EU policies. Double opt-in is an effective way to prove that you obtained explicit permission from your users.
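The double opt-in flow described above, written out as an added example in plain PHP (it is not code from this post or from any plugin it mentions). The function names, the in-memory `$store` array standing in for a database table, and the 48-hour link lifetime are assumptions.

```php
<?php
// Added example: double opt-in with a stored consent record (plain PHP, no WordPress APIs).
// $store stands in for a database table; all names here are hypothetical.

const TOKEN_TTL = 172800; // confirmation link valid for 48 hours (assumed policy)

function request_subscription(array &$store, string $email, string $consentText, int $now): string
{
    $token = bin2hex(random_bytes(32));          // unguessable value for the emailed link
    $store[hash('sha256', $token)] = [           // keep only the token's hash at rest
        'email'        => strtolower(trim($email)),
        'consent_text' => $consentText,          // exact wording the visitor agreed to
        'requested_at' => $now,
        'confirmed_at' => null,                  // not subscribed until the link is clicked
    ];
    return $token;                               // goes into the confirmation URL
}

function confirm_subscription(array &$store, string $token, int $now): ?array
{
    $key = hash('sha256', $token);
    if (!isset($store[$key])) {
        return null;                             // unknown or altered token
    }
    $rec = &$store[$key];
    if ($rec['confirmed_at'] !== null) {
        return $rec;                             // repeat click: keep the first timestamp
    }
    if ($now - $rec['requested_at'] > TOKEN_TTL) {
        unset($store[$key]);                     // expired: drop the unconfirmed address
        return null;
    }
    $rec['confirmed_at'] = $now;                 // evidence of the explicit second step
    return $rec;
}

// Constructed sample run
$store = [];
$t0    = 1700000000;
$token = request_subscription($store, 'Visitor@example.com', 'Send me the monthly newsletter', $t0);
var_dump(confirm_subscription($store, 'not-a-real-token', $t0 + 60));   // unknown token is rejected
$proof = confirm_subscription($store, $token, $t0 + 3600);              // visitor clicks the link
echo json_encode($proof), PHP_EOL;               // the consent record to retain as proof
```

The confirmed record (address, consent wording, request time, confirmation time) is what you would produce if asked to demonstrate that a subscriber opted in; addresses that are never confirmed are deleted rather than kept.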

Most of the time, visitors will subscribe to your mailing list via a form. When creating this signup form, remember that the person must give consent. Therefore, you should avoid pre-checked boxes that assume the user wants to receive marketing emails.

Your users must also give this consent freely, so you must always give them the option not to subscribe to your mailing list. Forcing visitors to subscribe to your newsletter to download an e-book is a common marketing tactic. However, it isn’t considered free consent. 


When you know that a task will be complicated and time-consuming, there’s always the temptation to avoid it altogether. However, when the consequences include fines and even jail time, WordPress website owners cannot afford to ignore the GDPR. 

Let’s quickly recap how to make your WordPress website GDPR compliant:

  1. Ensure your plugins comply with GDPR.
  2. Update your privacy policy using GDPR plugins such as WPLegalPages Pro or Privacy Policy.
  3. Obtain explicit consent to use cookies with the help of a plugin such as Cookie Notice.
  4. Limit the data you collect via forms.
  5. Review your email marketing strategies. 

GDPR compliance can be a daunting topic. At FreshySites, we strive to provide a bespoke, tailored service that meets your exact requirements – including GDPR compliance. Whether you’re updating an existing website or launching an entirely new one, our team can help your WordPress site achieve compliance with this new EU standard.
