GDPR Compliance

Disclaimer: This section is not legal advice. While we have made sure it’s correct in a general manner, each blog and business is unique. Please seek your own legal advice to be sure.

What is GDPR?

GDPR is a new Data Protection Regulation law that applies to EU citizens, going into effect on 25th May, 2018. It gives EU citizens rights over their data and it sets rules for how and when you can collect personal information from your EU visitors and users.

Data such as IP addresses, email addresses and names all fall under the category of personal data. To collect this data you need either consent (an action by the user, like a click on a checkbox or button) or a lawful basis (e.g. network security). GDPR applies to you if you have EU visitors or an EU presence.

You can learn more about GDPR here.

What GDPR asks of you:

  1. Tell the users who you are, why you collect the data, for how long and who receives it. (Right of Information)
  2. Let users access their data, and take it with them. (Right to Access)
  3. Let users delete their data. (Right to be Forgotten)
  4. Breach Notification: Let users know if data breaches occur.
  5. Get clear consent before collecting any data.

What you need to do:

All of this is available in WordPress v4.9.6 (update now!), which has tools to create a privacy page (#1), export personal data (#2) and erase personal data (#3). For #4, you just have to notify your users via any communication channel you have in case of a site hack or data breach.

You will have to review your third-party plugins to see if they’re collecting any personal data that may require consent or a privacy page mention. You will also have to review third-party widgets you may have embedded.

1. Create a Privacy Policy Page

WordPress v4.9.6 includes the tools to create your privacy page.

  • Go to Settings > Privacy. Click the check out our guide link to see samples and info for your privacy page. Copy the sections you may want to use.
  • Click Create New Page and that’s all.

You may want to link this privacy page in one of your site navigation menus. Also make sure you have mentioned an email address or a contact form through which users can request access to their data or exercise their Right to be Forgotten.

If you include YouTube videos, Instagram Embeds, SoundCloud or Tweets in your posts, you will also have to mention that third-party social media sites are used which may set cookies.

While we recommend the manual route, as it makes everything specific to your site, you may alternatively use a service like iubenda (it has a free plan), which makes it very easy to create a privacy policy with pre-made defaults. It also includes a pre-written Google Analytics policy you can use.

2. Newsletter & MailChimp

For newsletters, the first thing you have to do is identify whether you have what’s called an unbundled or single-intent form.

a) You will use email address just to send newsletter:

You don’t have to do anything here. Since the subscribe box says Newsletter, the form is unbundled and has the single intention of subscribing the user to a newsletter. Clicking the Subscribe button here is consent to receive the newsletter.

One thing to keep in mind: you still have to mention in your privacy policy page that you use MailChimp for your newsletter, with a link to their privacy policy.

It’s still good practice to include a small message about what you will use this email for. And always use double opt-in.

b) You will use the email address for marketing or sending promotional emails:

Now this becomes a bundled form. The user didn’t consent to anything other than a newsletter.

You may still be able to embed special offers if they’re part of your newsletter emails (do mention this in advance), but you won’t be able to send separate promotional emails.

You may configure the consent text on the Powerkit Opt-In Forms settings page in the WordPress dashboard, under Settings → Opt-In Forms.

3. Contact Forms

When using a Contact Form, collect only the needed info and make the user aware of how it will be used. Normally, on a Contact Form, Name and Email may be covered under lawful basis, as long as you delete this info after it’s no longer needed and mention it in your privacy policy.

What if it’s not single intent? If you’re asking for more information than necessary, if you’re going to keep this data around for longer than needed, or if you wish to use it for other purposes like Marketing or subscribing users to a Newsletter, you need a consent checkbox.

Contact Form 7 supports acceptance checkboxes. Remember to create a separate, unticked checkbox for each type of activity. For example, if it’s for Newsletter and Marketing, you will need two checkboxes.

4. Google Fonts

Our themes make use of Google Fonts. While it’s generally not an issue to use Google Fonts, some lawyers from the Netherlands and Germany are concerned about the compliance of Google Fonts’ servers. While most EU lawyers consider it a non-issue, there’s still some disagreement. Regardless, you have to mention this in your Privacy Policy.

Do note that there are several advantages to using them, such as:

  • Speed via Cache: Billions of sites use Google Fonts so most of the fonts are already cached in your visitor’s browser.
  • Speed via CDN: Google has one of the best networks in the world, so they serve the fonts from the nearest datacenter. CloudFlare is an alternative CDN for self-hosted fonts.

However, if your legal counsel has determined that Google Fonts shouldn’t be used, we have a solution to self-host them automatically so they’re served locally from your server:

Self-Hosted Google Fonts

  • Go to Appearance → Customise → Typography.
  • Enable the “Download font-family to server instead of using the Google CDN” option next to each typography field.

Screenshot: The “Download font-family to server instead of using the Google CDN” option

5. Google Analytics

If you use Google Analytics, you will need to take some steps to be compliant.

  • IP Anonymization: You can use a plugin that has an IP Anonymization feature, like this plugin.
  • Add a cookie notice plugin to inform users about cookie usage. We recommend the Cookie Notice plugin.
  • Remember to have a section on Google Analytics in your Privacy Policy with a link to their official Privacy Policy and the fact that cookies will be used.
  • Review your data retention settings at Google.

Notice: If you use Google Analytics for personalized advertising (most bloggers don’t), you will likely need consent before Google Analytics is even loaded (info here).

A cookie notice has been necessary in the EU for years, since the ePrivacy Directive. With GDPR, it’s no longer optional. You are required to mention in your Privacy Policy whether any cookies are going to be set by you or by a 3rd party.

Consider cookies from these categories:

  1. Functional cookies required for an important function of the website or app, such as login, security, etc. These require no notice; you can just mention them in your Privacy Policy.
  2. Preference & Statistics cookies related to user settings and 3rd party web analytics. These require a cookie notice.
  3. Tracking cookies or cookies with personal data, set to track users for marketing or to show personalized ads and so on. This category requires a cookie notice and consent.

For a blogger using no 3rd party analytics service and no third-party embeds, no action is needed.

If you have determined that you need a cookie notice, for example because you use Google Analytics, here are the plugins we recommend:

It’s unusual for bloggers, but some of you may install web beacons or pixels from services like Facebook Ads to show personalized ads to users. As explained in #3, these may require notice and consent.

What this means is that the user must accept (click a button or a checkbox) before you can load these pixels/beacons or set any tracking cookies for marketing.

Fortunately, the Cookie Notice plugin has a solution to block scripts until the user accepts.
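As an added example (not code from the original page, the theme, or the Cookie Notice plugin), here is the consent gate described above in plain JavaScript: nothing in the statistics or marketing category is injected until a stored consent cookie names that category, and the analytics.js bootstrap queued after consent sets anonymizeIp, the IP anonymization setting mentioned under Google Analytics. The cookie name, category labels, script registry entries and tracking ID are this example’s own assumptions.

```javascript
// Added example: a minimal consent gate for third-party scripts. Not code from the
// original page, the theme, or the Cookie Notice plugin; the cookie name, category
// names, registry entries and tracking ID below are this example's own assumptions.

const CONSENT_COOKIE = 'cookie_consent_v1';          // assumed cookie name
const CONSENT_MAX_AGE_SECONDS = 365 * 24 * 60 * 60;  // remember the choice for a year

// Cookie categories, matching the three groups described on the page.
const CATEGORY = Object.freeze({
  FUNCTIONAL: 'functional',   // needed for the site itself: no notice, no consent
  STATISTICS: 'statistics',   // web analytics: notice required
  MARKETING: 'marketing',     // ad pixels and tracking: notice and consent required
});

// Third-party scripts the page would load, each tagged with its category. A src is
// never injected until its category has been accepted. Entries are constructed;
// the ad pixel URL is a placeholder.
const GATED_SCRIPTS = [
  { category: CATEGORY.STATISTICS, src: 'https://www.google-analytics.com/analytics.js' },
  { category: CATEGORY.MARKETING,  src: 'https://ads.example.invalid/pixel.js' },
];

// Parse a document.cookie-style "a=1; b=2" string into a plain object.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of String(cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    if (name) cookies[name] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return cookies;
}

// Return the set of accepted categories. Functional is always allowed; statistics
// and marketing are allowed only if the stored consent cookie names them, so a
// missing or malformed cookie means "not accepted", never "accepted".
function readConsent(cookieString) {
  const accepted = new Set([CATEGORY.FUNCTIONAL]);
  const stored = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!stored) return accepted;
  for (const cat of stored.split(',')) {
    if (cat === CATEGORY.STATISTICS || cat === CATEGORY.MARKETING) accepted.add(cat);
  }
  return accepted;
}

// Build the cookie value written when the visitor accepts some categories.
function consentCookieValue(acceptedCategories) {
  const cats = acceptedCategories.filter((c) => c !== CATEGORY.FUNCTIONAL);
  return `${CONSENT_COOKIE}=${encodeURIComponent(cats.join(','))}` +
    `; Max-Age=${CONSENT_MAX_AGE_SECONDS}; Path=/; SameSite=Lax`;
}

// Which script URLs may be injected given the accepted categories.
function scriptsToLoad(accepted, registry = GATED_SCRIPTS) {
  return registry.filter((s) => accepted.has(s.category)).map((s) => s.src);
}

// Commands queued for analytics.js once it is allowed to load. 'anonymizeIp' is
// the real analytics.js setting that truncates the visitor's IP address before
// it is stored; the tracking ID passed in is a placeholder.
function analyticsCommands(trackingId) {
  return [
    ['create', trackingId, 'auto'],
    ['set', 'anonymizeIp', true],
    ['send', 'pageview'],
  ];
}

// Browser glue: read the consent cookie and inject only the permitted scripts.
function applyConsentToPage(doc) {
  const accepted = readConsent(doc.cookie);
  for (const src of scriptsToLoad(accepted)) {
    const el = doc.createElement('script');
    el.src = src;
    el.async = true;
    doc.head.appendChild(el);
  }
  if (accepted.has(CATEGORY.STATISTICS)) {
    // Standard analytics.js command-queue stub: commands pushed here run once
    // the script has loaded, so anonymizeIp is set before the first hit.
    const w = doc.defaultView || globalThis;
    w.ga = w.ga || function () { (w.ga.q = w.ga.q || []).push(arguments); };
    for (const cmd of analyticsCommands('UA-XXXXXXXX-X')) w.ga.apply(null, cmd);
  }
  return accepted;
}

// Called from the notice's "accept" button: persist the choice, then load what is allowed.
function acceptConsent(doc, categories) {
  doc.cookie = consentCookieValue(categories);
  return applyConsentToPage(doc);
}

if (typeof document !== 'undefined') applyConsentToPage(document);
```

Wire acceptConsent(document, ['statistics']) (or with 'marketing' added) to the notice’s accept button; on every later page load applyConsentToPage(document) reads the cookie and injects only what was accepted. The default for a missing or unrecognised cookie is deny, so a visitor who never clicks sees no analytics or marketing scripts at all.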

Learn More at ICO’s Guide (UK official), or iubenda’s guide.