How To Make Your WordPress Blog GDPR Compliant

Read about the new regulations involving personal data in the EU and find out how to prepare your blog.

*Disclaimer: This is a very brief overview and by no means legal advice. Read the official GDPR rules to find out more

You may have noticed a lot of websites sending you emails about their new privacy policy, implementing pop-ups you never noticed before, and asking you to re-confirm your subscription to a newsletter. The reason for all this is GDPR, the new EU legislation on personal data privacy.

The General Data Privacy Regulation (GDPR) comes into effect tomorrow, May 25th, and requires all websites that gather personal information from customers and visitors based in the EU to follow a new set of rules.

What is personal data?

Personal data can be anything from the information we actively give to a site, such as our email address, billing address, and credit card details to data collected when we browse, like our IP address and the history of the sites we’ve visited.

The purpose of the GDPR is to give individuals in the EU more control over what personal data of theirs is collected and how it’s used. The main reason so many companies are updating their privacy policy is that they now need to explain what information they collect, why they need it, and how they intend to use it.

This also comes with new rights around access to data. The GDPR outlines eight rights that individuals can exercise including the right to view and download the data, delete their data, and withdraw their consent to have that data be used by the site owner.

-> Read the full list of rights here.

Who has to be GDPR compliant?

If you have website visitors based in the EU, the GDPR applies to you. Even if you don’t sell anything, you’re still collecting personal data on your WordPress blog through:

  • user registrations
  • comments
  • contact form entries
  • analytics and traffic logs (either native to your blog host or through Google Analytics)
  • any other logging tools and plugins
  • security tools and plugins

To be GDPR compliant, you have to be transparent about the information you gather and how you plan to use it, even if it’s just to track which blog post got the most hits.

How do I make my blog GDPR compliant?

Evaluate how you ask for personal data

Are you aware of all the data collection points on your blog? Take a look at all the places where you gather people’s information both actively and automatically and take inventory of the questions you ask. These could be a contact form, comments, contests, submission forms, and more.

Are you asking people for information that has no relevance to your operations (for example, asking to identify their gender)? Under the GDPR, the recommendation is to limit the information you ask to what’s necessary for you to run your blog successfully.

Also, how are you asking for this information and where is it being stored? The best way for you to move forward with compliance is having a really good understanding of how your blog works and how people interact with it.

Create a privacy policy

If you don’t already have one, you should definitely write a privacy policy and link to it in a widget area on your blog. Luckily, the new WordPress update (4.9.6) has a privacy policy template built right in that you can use and edit. Look for Settings -> Privacy on your dashboard. Doing the proper evaluation as explained above will help you get a better idea of what data you collect and why — which is information that needs to go in your privacy policy.

Image by

Cookies are another element of compliance that should be outlined in your policy. Cookies are tracking codes that allow yourself or third-party advertisers to display messages based on an individual’s browsing history. Anyone can edit their cookie settings in their own browser, but websites under the GDPR should have a cookie disclaimer visible on their site. If you’re using, you can enable the Cookie widget on your site. Self-hosted sites can seek out a plugin to do the same job.

-> See a list of plugins for GDPR here.

Update your newsletter settings

If you collect email addresses and send newsletters, promotional messaging, or announcements, you’ll need to verify your email service provider (ESP)  is GDPR compliant. Luckily, the most popular ones like Mailchimp, MailPoet, and Constant Contact have done most of the work for you.

The changes under GDPR include having the proper consent mechanisms so you can prove someone actually signed up to receive your emails. Under anti-spam legislation in the US and Canada, your emails should already have a clear and timely unsubscribe option. Your ESP should also have a way for you to export personal data about your individual subscribers so this information can be sent to them if they request it.

Image by MailPoet


Update your forms

Your forms should also have explicit consent mechanisms built into them. This goes for subscription forms, contests, and even for submitting comments on your site. It should be obvious what someone is signing up for, not implicit. For example, you can’t sign someone up to the newsletter automatically because they submitted a question through the contact form unless they’ve given their express consent.

In the new WordPress update, consent mechanisms have been added to comments. Logged-out commenters will be given a choice on whether their name, email address, and website are saved in a cookie on their browser.

Image by

Provide a way for your readers to exercise their rights

Under the GDPR, individuals have the right to view the information you’ve collected about them. They are also allowed to edit, download, remove their consent for it to be used, and delete it, as long as this doesn’t interfere with your legal or tax obligations as a site owner. That’s why it’s important to make it possible for your readers and subscribers to contact you to request a copy of their data.

According to the site, with the new release, site owners can export a ZIP file containing a user’s personal data, using data gathered by WordPress and participating plugins. They can also erase that user’s personal data. If a user requests access to that data, you have to send it to them.

Image by


Check that your partners are GDPR compliant

It’s up to you to check that the third-party tools you use are GDPR compliant. This includes your web host, analytics tool, newsletter tool, plugins, and any partner you might be associated with and sharing personal data with (for example, a contest management tool or partner).

At the end of the day, while these changes may seem annoying and take an hour out of your day to implement, the GDPR is a good thing for all of us. It protects the right to personal privacy and gives more power to individuals to control their own data.

Jetpack Crowdsignal


Share your thoughts