US Privacy Laws and Your WordPress.com Site

We care about your privacy and the privacy of your site visitors. Some US states have laws that give consumers more transparency into, and control over, the personal information that for-profit companies doing business in those states collect about them. WordPress.com is committed to operating in accordance with these laws, as well as giving you tools and resources to help you better understand and comply with the law on your own site, like this guide.

If you have questions about any of the choices we’ve made, tools or features we’ve created, or feedback on how we can make this all a little bit easier, we’d love to hear from you at https://wordpress.com/help/contact/.

Who Does the Law Apply To?

Each state’s privacy laws specify different criteria for who the law does and does not apply to. If you have questions about whether or not a particular law applies to you and your site, you should consult legal advice.

Our Recommendations for Site Owners

To get ready for US Privacy Laws, some of the steps you can take as a site owner are listed here in our guide, which focuses on the requirements most likely to affect WordPress.com site owners. An attorney can also help you determine which requirements apply to you and your business.

Publish a Privacy Policy

Your Privacy Policy should let your users know what information your site is collecting about them, what you are doing with that information, who you are sharing that information with, and provide a way for people to contact you. If you don’t know what information your site is collecting, we’ve put together the following resources to help you get started:

When researching the information your site is collecting, you should also review the plugins you’ve installed, the tools you are using for marketing or running your site, and all the custom scripts you’ve added. These kinds of extra functionality are common on sites running WordPress.com Creator and Entrepreneur plans or our legacy Pro plan and, depending on their purpose, could be an additional source of information your site is collecting and/or sharing. Be sure to also look at any other tools (online or offline) that you use for your business that collect information about your site visitors and customers.

US Privacy Laws have specific requirements for what to include in your Privacy Policy and how to make it available to your site visitors — for example, making it easy to find by adding a link to it from your homepage, updating it at least once a year, describing the categories of personal information shared with third parties (like your vendors and service providers), along with the purposes for collecting and sharing information, and including the rights of consumers in the corresponding states in your policy.

If you aren’t sure how to get started with your Privacy Policy, you are welcome to use ours as a template (note that we update it frequently). We release our Privacy Policy under a Creative Commons Sharealike license, which means you’re more than welcome to copy it, adapt it, and repurpose it for your own use. Make sure to revise the language so that your policy reflects your actual practices and how you are complying with the relevant privacy laws.

Provide a Way for Your Site’s Visitors to Access/Delete Their Information

US Privacy Laws require that you tell people what personal information you collected about them and what you’ve done with that information when they ask. Your response should include, among other things, the categories of service providers and others you share data with; for example, you share data with us as your site’s host.

The laws additionally require that you delete this information upon request, though there are situations in which you would be allowed to keep the information even after receiving a deletion request. For example, you may need to keep some information for tax purposes or to comply with a legal obligation. 

Much of the personal information collected by your site can be gathered/deleted by you through your site’s dashboard. For example, you can search for and delete comments from a specific individual via your site’s comments admin area. You can do the same for information submitted through our built-in Contact Form. Our Privacy Notice has a good overview of the information your site collects, but if you receive a request for either access or deletion and you aren’t sure how to honor it, you can reach out to us for help at https://wordpress.com/help/contact.

As part of implementing your deletion process, you may want to establish a retention policy for the personal information your business collects. There isn’t a single right answer for how long your retention policy should be, but in general, it’s a good idea to only keep information for as long as you need it. You can use the Bulk Actions option in the wp-admin dashboard to edit or delete collected information in a variety of areas, including WooCommerce Orders, Contact Form Submissions, and Comments.

Provide Your Visitors/Customers an Opt-out If You Sell Their Information

If you are selling the information your site collects about your customers or site visitors, you should provide an option for them to opt out, or to opt in if they are under the age of 16 (parental approval required for minors under 13). For example, if your site collects email addresses and you sell them to an affiliate, you would need a clearly displayed “Do Not Sell or Share My Personal Information” link on your website.

WordAds

Our WordAds program allows you to choose to place ads on your qualifying sites. Participating in WordAds is a way for you to earn revenue to support and grow your sites. WordAds shares some information about your site’s visitors with our advertising partners. The advertising partners may use that information to display personalized ads to those visitors. 

The information we share includes online identifiers, internet or other network or device activity, and geolocation data, but never a name or contact information. The sharing of this information with our advertising partners may be considered a “sale” of information under the US Privacy Laws. We have provided the following opt-out tools to help you comply with the law:

For sites on the free WordPress.com plan (and on the logged-out WordPress.com homepage), we have added a “Do Not Sell or Share My Personal Information” link to the site. When a visitor clicks this link, they are directed to our Advertising on WordPress.com Sites and Sites in the WordAds Program page where they can find more information and a button that lets them opt out of ads being personalized to them based on their visits to any *.wordpress.com domain.

For sites on a paid WordPress.com plan, we have introduced a toggle in the WordAds settings page in the dashboard that allows you to enable targeted advertising in the relevant states. You can choose whether or not you want to enable this on your site. If you choose not to enable targeted advertising, then generic ads will be displayed for any of your visitors using IP addresses from the corresponding states.

Enabling targeted ads in relevant states for sites on a paid plan is a two-step process:

  1. You enable the targeted advertising toggle on the WordAds settings page. Make sure to save the settings before moving to step 2 below.
  2. You enable the Consent Widget or use the [privacy-do-not-sell-link] shortcode with a Shortcode block to add the “Do Not Sell or Share My Personal Information” link to your site. If your site has a paid plan, it is mandatory to add this link if you want to show targeted ads in the relevant states.

When you add the “Do Not Sell or Share My Personal Information” link to a site with a paid plan, any visitor who clicks on the link will get a pop-up modal that allows them to opt out of ads being personalized to them based on their visits to your site. When you enable the toggle on the WordAds settings page, you have the option of providing a link to your site’s privacy policy. If you choose to do so, the link you provide will be included as part of the pop-up modal text.

The “Do Not Sell or Share My Personal Information” links for free and paid sites only display to visitors using IP addresses from the relevant states. You will also be able to see the link when you are logged in regardless of your geolocation so that you can test and preview the position of the link.

Our Commitments to WordPress.com Users

Your privacy is important to you — and to us, too. It’s why we’ve already integrated these recommendations (and a few others) into our products. This means that as a WordPress.com user, you can…

Not in one of the states with US Privacy Laws? No Problem! These privacy options are available to everyone, regardless of location.

Beyond these proactive steps you can take on your end, you can also expect WordPress.com to protect the privacy of your personal information, to only collect your information when we need to, and to delete your personal information once it’s no longer necessary.

NOTE: This guide is not intended as a replacement for legal counsel; if you have concerns about whether US Privacy Laws apply to you, or if your site is compliant, we encourage you to seek the advice of a qualified attorney.
