
Your WordPress.com Site and the GDPR

We care a lot about your privacy and that of your site’s visitors. WordPress.com is committed to operating in accordance with the GDPR, as well as giving you tools and resources to help you better understand and comply with the law, for your own site. This guide is designed to aid you in your efforts to be transparent to your site’s visitors about the data your site collects on them and how that data is used.

In general, if you handle the information you collect from your visitors responsibly and are not sharing or selling it to other companies without permission, then the GDPR is unlikely to cause a radical change in how you do things. WordPress.com is not a tool which gives you a lot of personally or legally sensitive details on your visitors by default.

GDPR requirements might be intimidating, but they’re not insurmountable if we all work together. If you have questions about any of the choices we’ve made, tools or features we’ve created, or feedback on how we can make this all a little bit easier, we’d love to hear from you at https://wordpress.com/help/contact/.


Our GDPR Recommendations for Site Owners

The purpose of the GDPR is to encourage site owners to be thoughtful about the personal data they collect and how they use that data. Some of the steps you can take as a site owner are to:

Publish a Privacy Policy

Your Privacy Policy should let your users know what data your site is collecting about them, how they are being tracked and their options for opting out, and provide information on the best way to contact you. If you don’t know what data your site is collecting, or how your visitors are being tracked, we’ve put together the following resources to help you:

If you aren’t sure how to get started with your Privacy Policy you are welcome to use ours as a template. We release our Privacy Policy under a Creative Commons Sharealike license, which means you’re more than welcome to copy it, adapt it, and repurpose it for your own use. Just make sure to revise the language so that your policy reflects your actual practices. You may also find this guide from the UK’s Information Commissioner useful in figuring out what to include when writing a Privacy Policy.

Provide a way for Your Site’s Visitors to Access/Delete their Data

One of the GDPR requirements for site owners is that you tell people what personal data you have collected about them when they ask, and that you delete that data upon request.

For WordPress.com sites, the easiest way to implement this requirement is to provide some way for your site’s users to contact you with these requests, either via a contact form, an email address you include in your Privacy Policy, or even just through comments left on your site. Much of the data can be gathered/deleted by you directly through your site’s dashboard. For example, you can search for and delete comments from a specific individual via your site’s comments admin area. If you receive a request for either access or deletion, and you aren’t sure how to honor it, you can reach out to us for help at https://wordpress.com/help/contact.

Enable the Cookies & Consent Widget

Our Cookies widget has been updated with new functionality. When you enable it on your site, it allows you to share links to your site’s Privacy Policy and notifies your site’s visitors about the tracking cookies your site is using. This widget and banner notice is automatically enabled on all sites using our free plan level; on our Personal, Premium, and Business plans you have the option to enable or disable it on your site. For more information about how this widget works, please see our doc at https://en.support.wordpress.com/cookie-widget/.

Only Install Third Party Plugins That are GDPR Ready

Sites on our WordPress.com Business plan have the option to install plugins built by third-party services. As a site owner, you are responsible for making sure that the plugins you install on your site handle data in a way that is in line with the GDPR. If you aren’t sure, you can reach out to the plugin developers directly to ask about their GDPR compliance.

Get Permission before Sharing the Personal Data of your Site’s Visitors

In general, the data that WordPress.com collects about your site’s visitors is collected in order to power your site. For example, if someone posts a comment on your site, you collect some data about them, like their name and email address. This data is for you to be able to run your site and typically should not be shared with third parties, such as advertising or email-campaign services that would send marketing emails from advertisers to your site’s users, unless you explicitly get the permission of your site’s visitors first.


I Heard that to be GDPR Compliant I Need to...

There is a lot of misinformation floating around the Internet about what it means for your site to be GDPR compliant. Below you’ll find more information about some of the recurring claims we’ve heard from WordPress.com users about things they’ve been told they have to do.

I Need to…Ask All My Site Followers to Re-subscribe

There are many services on the Internet that forcibly signed people up for their newsletter/mailing-list without getting consent. Under EU laws that have been in place for a long time, communications, including email, may not be sent without prior consent, unless there is an existing customer relationship. The GDPR likewise doesn’t allow sending email without these pieces in place, so many of those services are now having to send consent requests to their mailing lists asking people to opt-in to being subscribed.

WordPress.com followers are different, because these are people who voluntarily chose to subscribe to your site. They asked to be emailed with your site’s updates, so they have already consented to your emails. However, if you are concerned about this you can easily contact all your subscribers by adding a new post to your site that lets them know they can stop following your site, if they choose, by using the unsubscribe links we include in every single subscription email we send.

I Need to…Add a Consent Checkbox to the Comment/Contact Form

You likely don’t need to add a checkbox like this to your comment or contact forms.

There are a few valid ways to be transparent and compliant about cookies that a site uses to enable its features, like the comment form. The way we chose is to include information about the cookies we use (including this one) in our cookie policy which you can read here. If you want to alert users to the use of these kinds of cookies on your site, you can do that using the cookie and consent widget, which we describe in more detail here:

https://en.support.wordpress.com/cookie-widget/

I Need to…Stop Collecting IP Addresses

A common misconception is that it’s not permissible to collect personal data like IP addresses if you want to comply with the GDPR. In fact, this is allowed as long as safeguards are in place to honor key rights established by the GDPR. Chief among these are transparency about the data your site collects or transfers, which is what your site’s Privacy Policy is for, and choice and control over the data’s use, which you offer to your users by honoring their deletion and access requests.

I Need to…Get the Privacy Features Added to WordPress Core in Version 4.9.6

The privacy features added to core WordPress help site owners publish a privacy policy, honor access/deletion requests from their site visitors, and gain consent for the data their site is collecting. On most WordPress.com sites we have disabled these features because they weren’t designed for a shared hosting environment like WordPress.com, and we would never offer you a tool that didn’t do the things it claimed to do. However, even though these tools are disabled you are absolutely still able to build a fully GDPR compliant site on WordPress.com. Please see our suggestions above for how to duplicate these privacy features, like adding a Privacy Policy, on a WordPress.com site.

Note that any WordPress.com Business site with active plugins does have access to the core WordPress privacy features. Because it’s possible that an installed plugin will use the core privacy tools to manage compliance, we wanted to make sure these features were available to those sites.


NOTE: This guide is not intended as a replacement for legal counsel; if you have concerns about whether or not your site is GDPR compliant we encourage you to seek the advice of a qualified attorney.
