
Your WordPress.com Site and the GDPR

We care a lot about your privacy and that of your site’s visitors. WordPress.com is committed to operating in accordance with the GDPR, as well as giving you tools and resources to help you better understand and comply with the law, for your own site. This guide is designed to aid you in your efforts to be transparent to your site’s visitors about the data your site collects on them and how that data is used.

In general, if you handle the information you collect from your visitors responsibly and are not sharing or selling it to other companies without permission, then the GDPR is unlikely to cause a radical change in how you do things. WordPress.com is not a tool which gives you a lot of personally or legally sensitive details on your visitors by default.

GDPR requirements might be intimidating, but they’re not insurmountable if we all work together. If you have questions about any of the choices we’ve made, tools or features we’ve created, or feedback on how we can make this all a little bit easier, we’d love to hear from you at https://wordpress.com/help/contact/.

⚠️ This guide is not intended as a replacement for legal counsel; if you have concerns about whether or not your site is GDPR compliant, we encourage you to seek the advice of a qualified attorney.

Our GDPR Recommendations for Site Owners

The purpose of the GDPR is to encourage site owners to be thoughtful about the personal data they collect and how they use that data. Some of the steps you can take as a site owner are to:

Publish a Privacy Policy

Your Privacy Policy should let your users know what data your site is collecting about them, how they are being tracked and their options for opting out, and provide information on the best way to contact you. If you don’t know what data your site is collecting, or how your visitors are being tracked, we’ve put together the following resources to help you:

If you aren’t sure how to get started with your Privacy Policy you are welcome to use ours as a template. We release our Privacy Policy under a Creative Commons Sharealike license, which means you’re more than welcome to copy it, adapt it, and repurpose it for your own use. Make sure to revise the language so that your policy reflects your actual practices. You may also find this guide from the UK’s Information Commissioner useful in figuring out what to include when writing a Privacy Policy.

Provide a way for Your Site’s Visitors to Access/Delete their Data

One of the GDPR requirements for site owners is that you tell people what personal data you have collected about them when they ask, and that you delete that data upon request.

For WordPress.com sites, the easiest way to implement this requirement is to provide some way for your site’s users to contact you with these requests, either via a contact form, an email address you include in your Privacy Policy, or even through comments left on your site. Much of the data can be gathered/deleted by you directly through your site’s dashboard. For example, you can search for and delete comments from a specific individual via your site’s comments admin area. If you receive a request for either access or deletion, and you aren’t sure how to honor it, you can reach out to us for help at https://wordpress.com/help/contact.

The Cookie Consent block displays a cookie consent banner on your website, letting the visitors know the site uses cookies. This block is available on sites with Site Editor supported themes.

Sites with themes which do not support the Site Editor can use the Cookies & Consents Banner Widget. Our Cookies widget has been updated with new functionality. When you enable it on your site, it allows you to share links to your site’s Privacy Policy and notifies your site’s visitors about the tracking cookies your site is using. This widget and banner notice is automatically enabled on all sites utilizing our free plan level, but for sites on WordPress.com paid plans, you can enable or disable it on your site. For more information about how this widget works please see our Cookie & Consents Banner Widget guide.

Only Install Third Party Plugins That are GDPR Ready

This section of the guide applies to sites with the WordPress.com Creator or Entrepreneur plan. If your site has one of our legacy plans, this feature is available on the Pro plan.

Plugin-enabled sites have the option to install plugins built by 3rd party services. As a site owner, you are responsible for making sure that the plugins you install on your site are handling data in a way that is in line with the GDPR. If you aren’t sure, you can reach out to the plugin developers directly to ask about their GDPR compliance.

Get Permission before Sharing the Personal Data of your Site’s Visitors

In general, the data that WordPress.com collects about your site’s visitors is collected in order to power your site. For example, if someone posts a comment on your site, you collect some data about them, like their name and email address. This data exists so that you can run your site, and it typically should not be shared with third parties (for example, email-marketing services that would send advertisers’ marketing emails to your site’s users) unless you explicitly get the permission of your site’s visitors first.

I Heard that to be GDPR Compliant I Need to…

There is a lot of misinformation floating around the Internet about what it means for your site to be GDPR compliant. Below you’ll find more information about some of the recurring claims we’ve heard from WordPress.com users about things they’ve been told they have to do.

I Need to…Ask All My Site Subscribers to Re-subscribe

There are many services on the Internet that forcibly signed people up for their newsletter/mailing-list without getting consent. Under EU laws that have been in place for a long time, communications, including email, may not be sent without prior consent, unless there is an existing customer relationship. The GDPR likewise doesn’t allow sending email without these pieces in place, so many of those services are now having to send consent requests to their mailing lists asking people to opt-in to being subscribed.

WordPress.com subscribers are different, because these are people who voluntarily chose to subscribe to your site. They asked to be emailed with your site’s updates, so they have already consented to your emails. However, if you are concerned about this you can easily contact all your subscribers by adding a new post to your site that lets them know they can stop following your site, if they choose, by using the unsubscribe links we include in every single subscription email we send.

You likely don’t need to add a checkbox like this to your comment or contact forms.

There are a few valid ways to be transparent and compliant about cookies that a site uses to enable its features, like the comment form. The way we chose is to include information about the cookies we use (including this one) in our cookie policy which you can read here. If you want to alert users to the use of these kinds of cookies on your site, you can do that using the cookie and consent widget, which we describe in more detail here:

https://wordpress.com/support/widgets/cookie-widget/

I Need to…Stop Collecting IP Addresses

A common misconception is that it’s not permissible to collect personal data like IP addresses if you want to comply with the GDPR. In fact, this is allowed as long as safeguards are in place to honor key rights established by the GDPR. Chief among these are transparency about the data your site collects or transfers, which is what your site’s Privacy Policy is for, and choice and control over the data’s use, which you offer to your users by honoring their deletion and access requests.

I Need to…Keep All Data in the EU

WordPress.com stores personal data on servers located both in the US and in the EU. It is not possible to restrict the data associated with your site to a single geographic location.

WordPress.com respects EU law related to the proper handling of data being transferred elsewhere. We include the Standard Contractual Clauses for such data transfers in our Data Processing Agreement. If you are interested in having a DPA with us, you can request one from the Privacy Settings page in your dashboard at https://wordpress.com/me/privacy.

I Need to…Get the Privacy Features Added to WordPress Core in Version 4.9.6

The privacy features added to core WordPress help site owners publish a privacy policy, honor access/deletion requests from their site visitors, and gain consent for the data their site is collecting. On most WordPress.com sites we have disabled these features because they weren’t designed for a shared hosting environment like WordPress.com, and we would never offer you a tool that didn’t do the things it claimed to do. However, even though these tools are disabled you are absolutely still able to build a fully GDPR compliant site on WordPress.com. Please see our suggestions above for how to duplicate these privacy features, like adding a Privacy Policy, on a WordPress.com site.

Note that all WordPress.com plugin-enabled sites have access to the core WordPress privacy features. Because it’s possible installed plugins will utilize the core privacy tools to manage compliance, we wanted to make sure these features were available to these sites.

I Need to…Not Serve Google Fonts Through Their CDN/FDN

All requests to serve Google Fonts used in WordPress.com themes are served through WordPress.com’s servers and no longer use Google’s CDN/FDN. This change was made in December 2022.

If your site uses a custom plugin or third-party theme, you will want to verify with the plugin and/or theme developers to ensure they are not serving Google Fonts through Google’s CDN/FDN.
