Best Practice

WordPress GDPR Compliance Checklist

February 8, 2026

The General Data Protection Regulation (GDPR) applies to every website that can be accessed by visitors from the European Union, regardless of where the site is hosted. For WordPress site owners, this means paying close attention to how your site collects, processes, and transfers personal data. This checklist focuses on the technical implementation aspects that you can verify and fix yourself. For legal questions around data processing agreements, legal bases, and specific regulatory requirements, consult a qualified data protection advisor.

Managing External Services and Cross-Border Data Transfers

Every resource loaded from an external server transmits at least the visitor's IP address to that server's operator. Under GDPR, an IP address is considered personal data. Without a valid legal basis or explicit consent, loading external resources constitutes a data protection violation. This is especially problematic with US-based services, since the EU-US data transfer framework remains a contested legal area.

  • Host Google Fonts locally: When Google Fonts are loaded from fonts.googleapis.com, every page view sends the visitor's IP address, browser details, and referrer URL to Google's servers. German courts have ruled this practice illegal without consent, with fines starting at 100 EUR per violation. Download the font files and serve them from your own server. Plugins like "OMGF" or "Local Google Fonts" automate this process. After switching, verify that no requests to fonts.googleapis.com or fonts.gstatic.com remain in your browser's network tab.
  • Disable Gravatar or cache avatars locally: WordPress sends MD5 hashes of commenter email addresses to Gravatar's US-based servers by default. Even the hash itself can be considered personal data (it can be reversed for known email addresses). Disable Gravatar in Settings > Discussion, or use a plugin that caches avatars locally and only fetches them once with consent.
  • Self-host analytics or use a consent-based approach: Google Analytics transfers extensive visitor data to US servers, including IP addresses, browsing behavior, and device fingerprints. Either self-host an analytics solution like Matomo (which keeps all data on your server) or implement Google Analytics behind a proper consent mechanism that blocks all tracking until the visitor actively opts in. Server-side analytics tools like Plausible or Fathom are privacy-friendly alternatives that work without cookies.
  • Block Google Maps until consent is given: Google Maps embeds load multiple tracking scripts and transfer visitor data to Google. Instead of embedding the map directly, show a static image or a placeholder with a "Load Map" button. Only load the actual Google Maps embed after the user clicks to consent. The same approach applies to Google reCAPTCHA, which also transfers data to Google.
  • Audit all external resource loading: Beyond the obvious services, check for CDN-hosted libraries (jQuery from ajax.googleapis.com, Font Awesome from cdnjs.cloudflare.com), embedded YouTube or Vimeo videos, social media widgets, chatbots, and any other third-party scripts. Each external request is a potential GDPR issue. Replace CDN-hosted libraries with locally hosted copies wherever possible.
  • Handle embedded content with facade patterns: For YouTube videos, social media embeds, and similar third-party content, use a two-click solution. Show a thumbnail or placeholder first with a privacy notice, then load the actual embed only after the visitor clicks. Plugins like "Embed Privacy" handle this automatically for common services.
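The verification step the list keeps coming back to (is anything still being fetched from fonts.googleapis.com, Gravatar, Google and the like?) as an added example that is not InspectWP's or WordPress code: `classifyRequests()` sorts a list of resource URLs into first-party and third-party hosts and labels the services this checklist names, and `auditPageResources()` feeds it everything the current page loaded via the browser's Performance API. The host table is an illustrative starting point, not a complete list.

```javascript
// Added example (not InspectWP's or WordPress code): classify every resource a
// page fetched by host and flag the third-party services named in this checklist.
// classifyRequests() is pure; auditPageResources() wraps it for a browser console.

// Hosts called out above, mapped to the service behind them. Illustrative table:
// extend it with whatever your own audit turns up.
const KNOWN_THIRD_PARTIES = {
  'fonts.googleapis.com': 'Google Fonts',
  'fonts.gstatic.com': 'Google Fonts',
  'ajax.googleapis.com': 'Google Hosted Libraries (jQuery)',
  'cdnjs.cloudflare.com': 'cdnjs (Font Awesome etc.)',
  'gravatar.com': 'Gravatar',
  'google-analytics.com': 'Google Analytics',
  'maps.googleapis.com': 'Google Maps',
  'google.com': 'Google (Maps embed / reCAPTCHA)',
  'youtube.com': 'YouTube',
  'vimeo.com': 'Vimeo',
};

// True when host is base itself or a subdomain of it (secure.gravatar.com).
function hostMatches(host, base) {
  return host === base || host.endsWith('.' + base);
}

// Split resource URLs into first-party and third-party requests; third-party
// hosts are counted and labelled with the service from the table above.
function classifyRequests(urls, firstPartyHost) {
  const firstParty = [];
  const thirdParty = {}; // host -> { count, service }
  for (const raw of urls) {
    let host;
    try { host = new URL(raw).hostname; } catch (e) { continue; } // relative URLs
    if (!host) continue; // data: and blob: URLs carry no host
    if (hostMatches(host, firstPartyHost)) { firstParty.push(raw); continue; }
    const base = Object.keys(KNOWN_THIRD_PARTIES).find((b) => hostMatches(host, b));
    const service = base ? KNOWN_THIRD_PARTIES[base] : 'unknown third party';
    thirdParty[host] = thirdParty[host] || { count: 0, service };
    thirdParty[host].count += 1;
  }
  return { firstParty, thirdParty };
}

// Browser entry point: the Performance API lists everything the page loaded,
// including requests made by plugins' scripts, not just what is in the HTML.
// Run it after declining the cookie banner; the third-party list should be empty.
function auditPageResources() {
  const urls = performance.getEntriesByType('resource').map((e) => e.name);
  return classifyRequests(urls, location.hostname);
}
```

Paste the block into the console of a fully loaded page and call `auditPageResources()`; repeat after switching a plugin or theme, since new external hosts tend to appear with updates.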

Implementing Cookie Consent Correctly

The ePrivacy Directive (often called the "Cookie Directive") complements GDPR and requires consent before setting non-essential cookies. Getting cookie consent right is one of the most scrutinized aspects of GDPR compliance.

  • Install a proper consent management plugin: Use a dedicated consent management platform (CMP) like Complianz, Real Cookie Banner, or Cookiebot. These plugins handle the legal complexity of cookie categorization, consent recording, and script blocking. Free solutions often lack important features like consent logging or automatic script detection.
  • Block non-essential cookies and scripts before consent: This is the most critical technical requirement. Your consent plugin must actually prevent tracking cookies, analytics scripts, and marketing pixels from loading until the visitor gives consent. Simply showing a banner without blocking scripts is not compliant. Test this by opening your site in an incognito window, declining all cookies, and checking whether third-party requests still appear in the network tab.
  • Offer granular cookie categories: Visitors must be able to choose between different categories: Functional (necessary for the site to work), Statistics (analytics and performance measurement), and Marketing (advertising and tracking). A simple "Accept All" without alternatives is not GDPR-compliant.
  • Make rejecting cookies equally easy: The "Reject All" or "Accept Only Essential" button must be as prominent and easy to reach as the "Accept All" button. Hiding the reject option behind a "Manage Settings" link, using a smaller font, or requiring additional clicks has been ruled non-compliant by multiple European data protection authorities.
  • Enable consent withdrawal at any time: Visitors must be able to change their cookie preferences after the initial decision. Add a persistent link in your footer (e.g., "Cookie Settings" or "Privacy Settings") that reopens the consent dialog. This is a legal requirement, not optional.
  • Log and store consent records: In case of a dispute or audit, you need to prove that consent was given. Your consent plugin should store a timestamped record of each consent decision, including which categories were accepted and the version of the privacy policy that was in effect.
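How the three technical requirements in this list fit together in code (blocking before consent, granular categories with an easy "reject all", timestamped consent records with withdrawal), as an added example that is not from the page or from any of the CMP plugins it names. Blocked scripts are assumed to be authored as `<script type="text/plain" data-category="statistics">` so the browser skips them on load; `policyVersion` is a value the site supplies, and the same `mayActivate()` decision can gate the two-click embed placeholders from the previous section.

```javascript
// Added example, not from the page or any CMP it names. Blocked scripts are authored
// as <script type="text/plain" data-category="statistics"> and run only after consent.
const CATEGORIES = ['functional', 'statistics', 'marketing'];

// One decision. 'functional' is always on, so [] is what "Reject all" / "Accept
// only essential" produces. Nothing is pre-checked: `selected` holds only what
// the visitor actively ticked. policyVersion is the site's own value (assumed).
function makeConsentRecord(selected, policyVersion, now = new Date()) {
  const accepted = { functional: true, statistics: false, marketing: false };
  for (const c of selected) {
    if (!CATEGORIES.includes(c)) throw new Error('unknown category: ' + c);
    accepted[c] = true;
  }
  return { timestamp: now.toISOString(), policyVersion, accepted };
}

// Append-only log: a later change or withdrawal never overwrites the evidence
// of what was agreed earlier and when.
function recordDecision(log, record) { return [...log, record]; }
function currentConsent(log) { return log.length ? log[log.length - 1] : null; }

// Withdrawal is a new record without the category. Scripts already running
// cannot be unloaded, so reload the page after consent is narrowed.
function withdraw(log, category, policyVersion, now = new Date()) {
  const cur = currentConsent(log);
  const keep = CATEGORIES.filter((c) => c !== 'functional' && c !== category && cur && cur.accepted[c]);
  return recordDecision(log, makeConsentRecord(keep, policyVersion, now));
}

// May a blocked script (or a two-click embed placeholder) in this category run?
// With no decision recorded yet, only functional content may load.
function mayActivate(category, consent) {
  if (!consent) return category === 'functional';
  return consent.accepted[category] === true;
}

// Browser part. A fresh <script> element is required: changing `type` on the
// existing node does not make the browser execute it.
function activateBlockedScripts(doc, consent) {
  let activated = 0;
  for (const old of doc.querySelectorAll('script[type="text/plain"][data-category]')) {
    if (!mayActivate(old.dataset.category, consent)) continue;
    const s = doc.createElement('script');
    for (const a of old.attributes) if (a.name !== 'type') s.setAttribute(a.name, a.value);
    s.textContent = old.textContent;
    old.replaceWith(s);
    activated += 1;
  }
  return activated;
}
```

Persist the log server-side (a CMP plugin does this for you); a record that only lives in the visitor's browser is of little use when you have to prove consent later.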

WordPress Data Storage and Processing Requirements

Beyond cookies, WordPress processes personal data in several other ways that require attention under GDPR.

  • Handle comment form data properly: WordPress stores the name, email address, and website URL of commenters. It also sets cookies to remember this information for return visitors. Either disable these cookies in Settings > Discussion (uncheck "Show cookies opt-in checkbox") or replace the default behavior with an explicit consent checkbox that links to your privacy policy.
  • Add a privacy consent checkbox to all forms: Every form that collects personal data (contact forms, newsletter signups, registration forms) needs a checkbox where the user explicitly consents to the processing of their data. The checkbox must not be pre-checked, and the label should link to your privacy policy. Most form plugins (Contact Form 7, WPForms, Gravity Forms) support this natively.
  • Review localStorage and sessionStorage usage: These browser storage mechanisms can be used for tracking just like cookies. Audit what data your plugins store in localStorage and sessionStorage. Any data that can identify or track a visitor falls under GDPR. You can check this in the browser developer tools under the "Application" tab.
  • Limit contact form data retention: Do not store form submissions indefinitely. Configure your form plugin to automatically delete submissions after a defined period (e.g., 90 days). If you need the data longer for a specific purpose, document that purpose in your privacy policy.
  • Implement data retention policies: Under GDPR's storage limitation principle, personal data should not be kept longer than necessary. This applies to user accounts, comments, order data (for WooCommerce), log files, and analytics data. Define retention periods for each data category and enforce them, either manually or with automation.
  • Support data subject access requests: GDPR gives individuals the right to request a copy of all personal data you hold about them, and the right to have it deleted. WordPress includes a built-in privacy tools page (under Tools > Export Personal Data and Tools > Erase Personal Data) that helps with this, but you should test the process and make sure it covers data from all your plugins.

Required Legal Pages for GDPR Compliance

Certain pages are legally required for any website accessible in the EU. Missing or incomplete legal pages can result in warnings, fines, or cease-and-desist letters.

  • Privacy Policy (required everywhere in the EU): Must describe all data processing activities in clear, understandable language. Include what data you collect, why you collect it, how long you store it, who you share it with, and what rights visitors have. WordPress provides a privacy policy template under Settings > Privacy that covers the basics, but you need to customize it for your specific plugins and services.
  • Cookie Policy (recommended): Can be a standalone page or a section within your privacy policy. List all cookies your site sets, their purpose, duration, and whether they are first-party or third-party. Your consent management plugin usually generates this list automatically.
  • Imprint / Legal Notice (required in Germany and Austria): Must include the full legal name, postal address, email address, and phone number of the site operator. For businesses, include the commercial register number, VAT ID, and responsible person. This is required under the German Telemediengesetz (TMG) and Austrian E-Commerce-Gesetz (ECG), not under GDPR, but it is equally enforced.

Verify Your WordPress GDPR Compliance with InspectWP

InspectWP's GDPR section automatically detects Gravatar usage, externally loaded Google Fonts, Google Analytics tracking, Google Maps embeds, Facebook pixel and tracking scripts, and other external resources that transfer visitor data to third parties. Use it as the starting point for your GDPR audit. Schedule regular scans to catch new external resources that might be introduced when plugins are updated or new content is published.
