If you've been reading blogs and tech websites recently, GDPR is all the rage. The acronym stands for the General Data Protection Regulation, a new European Union law governing the use and storage of the personal information of all EU citizens (it came into effect on May 25th).

How is that GDPR thing related to WordPress websites or WooCommerce stores even? Well, here's how...

Let's drill down into the details of this new law and, more importantly, how that all comes to you and your WordPress/WooCommerce business.

For more detailed information about GDPR, we published these additional blog posts you might want to check:

What follows is not legal advice and it's intended to give WordPress and WooCommerce website managers a better understanding of GDPR.

What is the General Data Protection Regulation (also known as GDPR)?

The GDPR is a new law that had been in the works for quite some time and was passed in 2016. After a two-year transition period, it entered into force on May 25th, 2018.

It replaces its predecessor from 1995 with updated guidelines that govern and protect the privacy of individuals in the European Union. WordPress developer and Codeable expert Robin Scott highlights:

GDPR is a regulation, not a directive. And without going into details, that means it's not just advice, it's the law. This is very important to the Union and you've really got to pay attention to it.

Here's a nice and informative infographic from the European Commission about GDPR.

What is the purpose of GDPR?

The purpose of this new set of regulations is fairly elaborate but mainly focuses on giving EU citizens more control over the personal data they share with websites. This will, of course, result in a different approach from companies and organizations worldwide towards privacy, data management, data collection, security, and profiling of their users. As Robin sums it up:

GDPR really sets down the idea that persons - as opposed to companies - have the right to have their personal data protected. By calling it a 'right', it should be clear how important and strong the EU wants businesses to interpret this law.

What are the rights GDPR stands for?

The following individual rights are those provided by GDPR:

Besides these, GDPR also has provisions for automated individual decision-making and profiling.

Now that you're getting the gist of it, let's see how GDPR and WordPress or WooCommerce relate to each other.

Does my WordPress website / WooCommerce store need to be GDPR-compliant?

Likely, yes.

If your WordPress website or WooCommerce store collects any personal data from EU users, you need to get it GDPR-compliant. In other words, all websites that collect personal information from individuals and citizens within the EU will fall under the jurisdiction of the GDPR.

I see the look on your face now: personal data, right? Is an email address considered personal data, for example? GDPR has a clear definition of what constitutes personal data.

What is considered as Personal data?

As the regulation defines it (Chapter 1, Art. 4(1)):

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

For a website or store manager, those words can be more easily grouped into something like this:

GDPR - What are Personal Data?

The important thing to understand here is this: your WordPress website is accessible from everywhere in the world, so if it is somehow collecting data from individuals within the European Union, it falls under the jurisdiction of the GDPR.

I don't sell anything via my WordPress website! Should I comply with GDPR?

The focus of GDPR isn't the type of WordPress website or WooCommerce store you're managing. The regulation doesn't care about that. The main thing GDPR revolves around is data, and data collection can happen through a simple contact form on one of your pages. As Robin elaborates:

If you have a WordPress website and you have a comment form, and people put their name and email address into your comment form, you are collecting personal data. And if your website is available to people in the European Union, you are collecting personal data from people in the European Union. So it's kind of you might think 'Oh, that does not apply to me' but it might do. Every WordPress website is likely to be potentially impacted by this.

How to make WordPress website or WooCommerce store GDPR-ready?

The short answer is to have a strategy in place: one where data is collected, stored, and protected as the regulation requires, but also one that accounts for the procedures any website/store manager will need to have for data breaches, data portability, and data erasure.

That's a good starting point because the main thing GDPR is aiming at is strengthening the security of personal data. That requires an overhaul of your current strategy, not only of how you handle and store user data; it starts with how you collect it.

Specifically, you should revise all your copy and untick every pre-ticked option on your forms that subscribes people without them actively doing anything; instead, clearly ask for the customer's consent.

WooCommerce 4.3 includes the following useful features, which will allow you to have more control over customer data:

  • Personal data eraser
  • Data retention settings
  • Checkout page display options
  • Privacy policy snippets

Obtaining consent can be hard on WordPress websites but even trickier on WooCommerce sites

The most basic requirement that GDPR introduces is that, although consent was already being asked for, it now has to be asked for very clearly and explicitly. Robin elaborates:

The consent has to be clear, really clear. The word they use in the regulation is unambiguous. So it can't be 'Maybe I'm agreeing to be put on a newsletter list.' No, it has to say, 'I'm agreeing.' And so on with other points of contact with the website or store. In addition, the consent needs to be for each purpose for which you're collecting data, and you also need to get consent on each occasion. And you also need to describe what you're using it for.

Obtaining permissions on WooCommerce forms is harder, because of the tweaks required to make the consent effective. Robin points out:

In the WooCommerce context, there's a couple of eCommerce issues that might be more difficult to deal with to get consent on: abandoned carts, abandoned checkouts for example. Another one is segmentation of customers based on orders. So if you're using a service like MailChimp, for example, and you have it connected to eCommerce data that is segmenting customers based on previous purchases. For that, you're going to need to obtain consent for doing that, and that's actually hard in checkout because you're going to have to add an extra field.

There are some things to think about in there for retailers that will be strictly related to business decisions about 'Okay, what's more important to us?' In which case, we need to obtain specific consent. Or: 'Are we going to have to stop segmenting users in this way?' That's the type of decision for the store owner.
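As an added example (not code from this post, from WooCommerce or from Silicon Dales), the hooks below show one way to add the "extra field" Robin mentions: a separate, unticked checkbox at checkout for a single purpose (segmented email marketing), whose answer and exact wording are recorded on the order so a store can later show what was consented to. The hook names are WooCommerce's own; every `example_` function, field and meta name is made up here.

```php
<?php
// Added example: per-purpose consent checkbox on the WooCommerce checkout.
// All example_* names are invented for this illustration.

// The wording is defined once and reused, so the stored record always
// matches what the customer actually saw on the form.
function example_marketing_consent_label() {
    return 'Yes, you may use my order history to email me offers for similar products. I can withdraw this at any time.';
}

// One checkbox, one purpose, never pre-ticked, never required to place the order.
add_filter( 'woocommerce_checkout_fields', 'example_add_marketing_consent_field' );
function example_add_marketing_consent_field( $fields ) {
    $fields['order']['example_marketing_consent'] = array(
        'type'     => 'checkbox',
        'label'    => example_marketing_consent_label(),
        'required' => false, // consent must not be a condition of checkout
        'default'  => 0,     // unticked by default: silence is not consent
        'priority' => 120,
    );
    return $fields;
}

// Record the decision (yes or no), when it was made, and the wording shown.
add_action( 'woocommerce_checkout_update_order_meta', 'example_save_marketing_consent', 10, 2 );
function example_save_marketing_consent( $order_id, $data ) {
    $order = wc_get_order( $order_id );
    if ( ! $order ) {
        return;
    }
    // WooCommerce posts a ticked checkbox as 1 and an unticked one as ''.
    $given = ! empty( $data['example_marketing_consent'] );

    $order->update_meta_data( '_example_marketing_consent', $given ? 'yes' : 'no' );
    $order->update_meta_data( '_example_marketing_consent_at', current_time( 'mysql', true ) );
    $order->update_meta_data( '_example_marketing_consent_text', example_marketing_consent_label() );
    $order->save();
}

// Gate any segmentation or mailing-list sync on the recorded answer, not on
// the mere existence of an order: no 'yes' on the order means no marketing.
function example_customer_consented_to_marketing( $order_id ) {
    $order = wc_get_order( $order_id );
    return $order && 'yes' === $order->get_meta( '_example_marketing_consent' );
}
```

Add a second, separately worded checkbox for each further purpose (for example abandoned-cart reminders) rather than bundling purposes into one tick.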

Handling personal data is like borrowing someone else's car

This regulation requires everything to be made clearer than ever. Robin explains this key point with a great analogy, where the car plays the role of personal data:

It’s like borrowing someone’s car. You have to state clearly when you need it and for what reason. An important thing to remember here is that you’re only borrowing the car, it’s not your property. So as a result, you can’t use it without authorization, you can’t sell it and, if it gets damaged somehow, you inform the owner and the relevant authorities about it.

What are the very first things that need to be implemented to become GDPR-compliant?

There are a number of features that need to be implemented in accordance with this new law, and as a website or store manager, you should start with these 3 main areas.

3 aspects to focus on immediately for website/store managers:

To help you with that, there are free WordPress plugins already available on the repository:

WordPress plugins for GDPR: WP GDPR Compliance

WP GDPR Compliance plugin

Through a set of options you can toggle on and off, this plugin helps website and store managers comply with GDPR. As stated on the plugin page, it currently supports Contact Form 7 (>= 4.6), Gravity Forms (>= 1.9), WooCommerce (>= 2.5.0) and WordPress Comments. Additional plugin support will follow soon.

WordPress plugins for GDPR: WP GDPR

This plugin helps you deal with users asking to see which personal data is collected on your website/store, and lets them either download it or request its removal.

GDPR plugin standard initiative: GDPR for WordPress

gdprwp standards initiative

This one is still in the making and, at least for website and store managers, there's nothing currently available. But the initiative is brilliant, as the developers involved aim to develop standards so that anyone within the WordPress ecosystem benefits from a shared solution.

Besides website and store managers, this initiative is working on solutions that give plugin developers a simpler way to validate their plugins and make them GDPR-compliant. Here's the documentation on GitHub.

GDPR seems like kind of a big deal, doesn't it? Well, here's what businesses that don't comply are risking.

What are the consequences of not complying with GDPR?

The consequences of ignoring GDPR are pretty severe. If you're found to be in violation of it, the penalty is a fine, and a very heavy one in fact: €20 million (~$24.6 million USD) or 4% of the company's annual global turnover, whichever is greater.

Given such numbers, would you feel confident risking it? Your call!

Wrapping up

GDPR brings a new set of strict regulations that concern and govern most websites, especially WordPress and WooCommerce-based ones that collect data from customers. Therefore, it is important to study the regulation and put the necessary strategy in place for your website or store as early as possible.

This is a pretty technical topic into which you can dig deeper with the help of some good resources such as: GDPR FAQs, the ICO's guide on GDPR, and the Silicon Dales Guide to GDPR.

If you have no idea what you should do at first, jumping on a call with a WooCommerce expert might be a cost-effective solution.

This blog post features Robin Scott, an experienced WordPress developer who's also one of the founders of Silicon Dales, an agency focused on WordPress, WooCommerce, and a variety of other services. Robin has specialized in several areas such as Custom Plugins, Gravity Forms, Hosting Transfer, Maintenance, and WooCommerce Extensions, just to name a few.

  • Sarah Hills

    Thanks for the article!

    Re. forms – my understanding is that a consent checkbox is not always required for a contact form. It’s only needed if you’re using ‘consent’ as your legal basis for processing data (see https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/). For a standard contact form, often ‘contract’ might be a more appropriate legal basis. The ICO’s guidance states that ‘contract’ can be used when a user has ‘asked you to do something before entering into a contract (eg provide a quote).’

    The ICO guidance also specifically discourages the use of consent (& therefore a checkbox) if consent would be a pre-condition of service (which it would be for e.g. a contact form).

    What IS important is to ensure the user is informed – e.g. adding a statement to the form which says something like ‘Your data will be processed and stored in line as outlined in our Privacy Information Notice [link]’.

    Would be interested to have your thoughts on this. My article on GDPR/WordPress: https://hexagonwebworks.com/gdpr-wordpress-websites/.

    • Hey Sarah,
      yeah this regulation requires businesses to have crystal clear copy and in-depth information about what they’re asking data for, how they will store it, how they will use it, and of course allow the end user to request them to either delete everything or run a db dump and move to another website.

      On consent being “discouraged” by ICO, for as long as I understood it, is not in general rather they suggest to move to another lawful basis “if consent is difficult”. But that is strictly related to “Avoid making consent to processing a precondition of a service.”

      Nevertheless, the picture I’m getting out of all these GDPR-related topics is that the EU laid out many procedures that were ok, or maybe even shady in the past, but they’ll need to come to compliance starting in May. The problem is, the EU didn’t provide a set of tools, guidelines, or actionable documentation, which left room for a lot of uncertainty.

      • Sarah Hills

        Hi Matteo,
        I think you’re right – the nitty gritty of what’s ok and what’s not is often not 100% clear when it comes to implementation. My guess is that it will only become clearer after 25th May 2018 and legal cases are fought.

        Sorry my wording around consent wasn’t particularly clear – you are right ICO doesn’t discourage consent wholesale. They discourage it if it would be a pre-condition of service, and suggest considering another lawful basis if consent is difficult.

        I just feel it’s important that we quash the idea that EVERY form on the web has got to have a little consent checkbox added to it. I for one would find that rather irritating!!

        • Hey Sarah,
          I think until the end of 2018 (if we’re lucky after Summer maybe) businesses will be walking in the dark or, at least, following some sort of incremental approach where you address more points as far as you learn and analyze.

          I just feel it’s important that we quash the idea that EVERY form on the web has got to have a little consent checkbox added to it.

          That for sure but also, I’d like to see more pages explaining to me in proper English – no legalese allowed – what you’re going to do with my data, how I can see what you’re storing about me, and an easy way to download it and request that my user be deleted.

          • Sarah Hills

            Agree 100%. If GDPR helps achieve that, it can only be a positive thing.

          • It has to be that way :)

    • Robin Scott

      I don’t think the submission of a contact form is the “service” in such cases – if you’re not going to use personal data (name, email address, whatever) then don’t collect it. If you are going to use it, just say in what ways. If you’ll be profiling and marketing based on that (i.e. things other than simply entering the form) then you will need consent for THAT. It isn’t 100% clear, but the spirit is very evident: what you can do with personal data without asking is… not a lot!

      In a WordPress context, the (in)ability to “self delete” has cropped up for a long time.

      Also, in Germany, Akismet has raised some concerns because comment data is sent “outside” the EU to servers elsewhere.

      These types of questions could use an answer.

      For an ordinary webmaster, these regulations are not aimed at small businesses; but as a general rule: try to be compliant with all laws, seems to be a sensible one :)

      • Sarah Hills

        Thanks for the reply Robin! Agree 100% re. not collecting data if you’re not going to use it – and also about being very upfront about why you’re collecting it, how it’s stored, third parties, data retention etc.

        I’m approaching this from the perspective of helping my clients become fully compliant with the law, whilst not adversely affecting user experience more than is necessary. That’s why I make the point about consent checkboxes on contact forms – I’ve seen it written in so many places ‘every form must have a checkbox’, which is just not true!

        Take a standard form allowing visitors to request prices/further info on services; the service in such a case is e.g. providing a quote. The most sensible legal basis would appear to be ‘Contract’. You can’t provide the service (providing a quote) without processing and storing the personal data – so consent would be a pre-condition of service and therefore discouraged. In this situation therefore, no consent checkbox is required; what IS required is a clear statement, at the time of data entry, along the lines of ‘Your personal information will be processed and stored in line with our Privacy Information Notice [link]’.

        As you say, if you’re then going to use the details for marketing/profiling, you definitely SHOULD have an unticked-by-default checkbox, specifically for that granular permission.

        Do you concur? I think probably we are thinking along the same lines here, but thought it would be worth clarifying.

        • Robin Scott

          Hi, yes it’s this I would take issue with:

          ‘Your personal information will be processed and stored in line with our Privacy Information Notice [link]’.

          Using a link here would appear to be not going far enough – based on the terminology used in the regulation. You should say what the usage of the personal data will be. In 1-2 sentences. And be really explicit.

          So “By submitting this form you accept we will do X with your personal data, and we may do Y and store it for Z…” Or whatever. Why not just say what you’re doing in the form – it’s hardly more difficult than having “see link” but you can be sure someone has actually seen it.

          • Sarah Hills

            Thanks, it’s an interesting one. I’ve just re-read the ICO guidance on the right to be informed (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-be-informed/), and also scanned the 35-page(!) WP29 guidelines on transparency (linked from the bottom of the ICO guidelines). The guidelines do actually seem to imply that an in-context link is sufficient:

            ‘The “easily accessible” element means that the data subject should not have to seek out the information; it should be immediately apparent to them where this information can be accessed, for example by providing it directly to them, by linking them to it, by clearly signposting it or as an answer to a natural language question (for example in an online layered privacy statement/ notice, in FAQs, by way of contextual pop-ups which activate when a data subject fills in an online form, or in an interactive digital context through a chatbot interface etc.).’

            So I think both approaches are valid, although I can certainly see the value of providing it on-page/’just in time’. I suppose the downside would be the admin burden of reviewing/keeping the information up-to-date in potentially multiple form locations (out of date info would be worse than none) – which for small businesses might make it less viable.

            What also came out of my reading of the WP29 guidelines was that they focus quite heavily on layered privacy notices – i.e. instead of presenting users with a big chunk of a document, you give them the summary points first, and then they can drill down to the detail where/if they need to. I’m now mulling over how best to implement this in WordPress! – toggles or linked content in some form or other I imagine…

          • Robin Scott

            This is kind of my point though. Using a great long terms and conditions (or privacy policy) page is specifically precluded by the wording used in GDPR. I think we’re saying the same thing, though the difficulty of maintaining the form… this is not an issue if you use Gravity Forms / Contact Form 7 or similar – the consent is built in the form at the time of creation, and therefore updated for all instances of the form on update. For example.

            Which is the most clear consent: “I agree you can use my details to subscribe me to a mailing list – see our terms and conditions for more [link]” or “I agree to your terms and conditions [LINK]” which sends user to a 40 page doc?

  • Hi,

    Can you elaborate on what if anything US based companies need to do? Also, are there any size limits exclusions – that is, exceptions for very small companies?

    • Hi Mike,
      how to get your online business/website GDPR-compliant isn’t a one-size-fits-all answer (unfortunately) because it has to do with what type of user data you collect, how you store it, how you process it, and how you use it eventually.

      But I can tell you this: all online websites or businesses collecting data from EU residents need to comply. And that could be vastly different for a small brochure-type website and a medium or big online store. The first step, as in many other areas, is to get to know what your current status is and run an in-depth audit around user data and the processes you have in place. That will highlight areas where you should start focusing to become GDPR-compliant. After that, you could engage with a specialist to take care of the technicalities involved. If you can’t count on in-house resources to run that data audit, you might want to bring in a specialist right from the beginning.

      On exceptions: there are none. Yet, the more I research and talk with professionals about this regulation, I’m thinking that GDPR is a huge and structured pile of guidelines the purpose of which is, roughly speaking: “don’t mess with data from your EU users and be respectful of their privacy rights.” That means, GDPR is likely aiming to take down current processes around data collection and user profiling huge corporations have in place, not small or even medium. Just look at the fines they disclosed.

      • Thanks Matteo, keep up the good work!

        • Thank you, Mike :)

          I’m already working on another GDPR-focused piece about the top areas and elements a website manager should have a look at.

  • Luke Cavanagh
  • Renato Frota

    The greatest article about GDPR I have read so far.

    • Wow, Renato!

      Thank you so much, it means the world to me :)

  • We recorded an incredible video teaching everyone how to get GDPR straightened out easily and practically. Free video on youtube. Do not forget to leave the like.

  • I appreciate these GDPR regulations to protect ones identity. Thanks for the post