WordPress and GDPR — Legal Requirements, Consent, Cookies, and Personal Data Protection

Published: March 20, 2026 · Author: Marcin Szewczyk-Wilgan

GDPR applies to every website that collects personal data from users in the European Union — regardless of where the site owner is located. In practice, this affects nearly every WordPress site: contact forms, comments, Google Analytics, Google Fonts, embedded YouTube videos — all involve personal data processing. In 2026, regulators no longer ask whether you have a cookie banner — they ask whether it actually works: whether it blocks scripts before consent, whether the reject option is as visible as accept, and whether the user can realistically withdraw consent. This article describes specific GDPR requirements for WordPress sites and practical steps to meet them.

Key GDPR Requirements for WordPress Sites

GDPR is based on several fundamental principles that translate into specific technical and organizational requirements for every WordPress site:

Consent before processing: You must obtain explicit, voluntary user consent before collecting personal data. This applies to analytics and marketing cookies, contact forms, newsletters, and comments. Consent must be active (opt-in) — pre-checked checkboxes are not GDPR compliant.
Privacy policy: A clear, understandable privacy policy describing: what data you collect, why, how you process it, who you share it with, how long you store it, and what rights the user has. WordPress offers a privacy policy template (Settings → Privacy), but it requires customization for your site.
Right to access and deletion: Users have the right to request a copy of their data (right of access) and its deletion (right to be forgotten). Since version 4.9.6, WordPress has built-in tools: Export Personal Data and Erase Personal Data (Tools → Personal Data). You must be able to fulfill such requests within 30 days.
Data security: GDPR requires appropriate technical and organizational measures protecting personal data: SSL/TLS certificate, encrypted backups, strong passwords, 2FA, restricted database access, regular updates. A personal data breach must be reported to the supervisory authority within 72 hours.
Data minimization: Collect only data necessary for the specified purpose. A contact form does not need a date of birth or phone number (unless justified). Store data only as long as necessary — then delete or anonymize.

Cookies, Tracking Scripts, and User Consent

Cookies are the most common point of contact between a WordPress site and GDPR requirements. In 2026, regulators actively penalize dark patterns in cookie banners — hiding the reject option, forcing consent by blocking content, loading scripts before consent.

Technical cookies (essential)

Session, login, WooCommerce cart, and cookie preference cookies — do not require consent as they are essential for site operation. But you must list them in your privacy policy. WordPress itself sets several session cookies (wordpress_logged_in_, wp-settings-).

Analytics cookies

Google Analytics, Matomo, Hotjar — require consent before loading the script. It is not enough to inform — you must technically block the script until consent is given. GA4 additionally requires: IP anonymization, a data processing agreement with Google, and retention configuration.

Marketing cookies

Meta Pixel, Google Ads remarketing, advertising pixels — require explicit consent. Must be blocked by default and loaded only after user acceptance. Rejection must be as easy as acceptance — one click, not three.

Embedded content

YouTube, Vimeo, Google Maps, social media posts — all set tracking cookies. GDPR requires consent before loading them or using a “no-cookie” mode (e.g. youtube-nocookie.com). WordPress embeds iframes without blocking by default.
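The “block until consent” behaviour for analytics, marketing scripts and embeds described above, as an added example that is not from the article, WordPress core or any CMP plugin: tracking tags are shipped inert and carry a data-consent category (this example's own convention, as are the cookie name and its value format), and only the categories recorded in the consent cookie are activated; with no cookie at all, nothing optional loads.

```javascript
// Added example (not from the article): consent-gated activation of third-party
// scripts and embeds shipped inert as <script type="text/plain" data-consent="analytics" src=...>
// or <iframe data-consent="embeds" data-src="https://www.youtube-nocookie.com/embed/ID">.
// Cookie name, value format and data-consent attribute are this example's conventions.

const CONSENT_COOKIE = 'wp_consent_v1';
const OPTIONAL = ['analytics', 'marketing', 'embeds']; // 'essential' never needs consent

// Parse "analytics=1&marketing=0&embeds=0". A missing or malformed value means "no
// decision yet": nothing optional may load (no implied consent). A recorded
// reject-all is a decision too, and also loads nothing.
function parseConsent(cookieValue) {
  const consent = { recorded: false, essential: true, analytics: false, marketing: false, embeds: false };
  for (const pair of (cookieValue || '').split('&')) {
    const [key, val] = pair.split('=');
    if (OPTIONAL.includes(key) && (val === '0' || val === '1')) {
      consent[key] = val === '1';
      consent.recorded = true;
    }
  }
  return consent;
}

// Serialize a choice; {} is "reject all", one call just like accept-all.
function serializeConsent(choices) {
  return OPTIONAL.map(c => `${c}=${choices[c] ? 1 : 0}`).join('&');
}

// Keep only the tag descriptors ({category, ...}) this consent permits.
function allowedTags(consent, tags) {
  return tags.filter(t => t.category === 'essential' || consent[t.category] === true);
}

// Our cookie's value from a document.cookie-style string, or null if absent.
function readConsentCookie(cookieHeader) {
  const m = (cookieHeader || '').match(new RegExp('(?:^|;\\s*)' + CONSENT_COOKIE + '=([^;]*)'));
  return m ? decodeURIComponent(m[1]) : null;
}

// Browser glue: swap permitted inert tags for live ones; rejected ones stay inert.
function activateConsentedTags(doc) {
  const consent = parseConsent(readConsentCookie(doc.cookie));
  const all = Array.from(doc.querySelectorAll('[data-consent]')).map(el => ({ category: el.dataset.consent, el }));
  for (const { el } of allowedTags(consent, all)) {
    if (el.tagName === 'IFRAME') { el.src = el.dataset.src; continue; }
    const live = doc.createElement('script');
    if (el.src) live.src = el.src; else live.textContent = el.textContent;
    el.replaceWith(live); // the inert type="text/plain" tag becomes a real script
  }
}
```

A script that has already run cannot be unloaded, so withdrawing consent means rewriting the cookie with serializeConsent({}) and reloading the page, and the vendor's own cookies still have to be cleared separately.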

Contact Forms and Data Collection

Every contact form collects personal data — and must comply with GDPR. Here are the specific requirements:

Consent checkbox: A consent checkbox for personal data processing — unchecked by default. Clear information about the data controller, processing purpose, and legal basis. Link to the privacy policy. The form must not submit without checking the consent box.
Purpose information: The user must know what happens with their data before submitting: who processes it, for what purpose, for how long, and who has access. This information should be visible next to the form — not just in the privacy policy.
Data retention: If form submissions are stored in the WordPress database — you need a retention policy. How long do you keep submissions? After the retention period — delete or anonymize. GDPR gives users the right to request deletion at any time.
Newsletter and marketing: Subscribing to a newsletter requires separate, explicit consent (not bundled with the contact form consent). Double opt-in is recommended. Every email must include an unsubscribe link. Subscriber lists must be kept current — remove inactive and bounced addresses.

Built-in GDPR Tools in WordPress

Since version 4.9.6 (May 2018), WordPress includes built-in tools supporting GDPR compliance. They are basic — not sufficient on their own, but they provide a foundation:

Privacy policy template: Settings → Privacy generates a privacy policy template with sections suggested by plugins. Requires customization for your site — the template is a starting point, not a finished document.
Export personal data: Tools → Export Personal Data — generates a ZIP file with user data (posts, comments, profile data). Supports the right of access (Art. 15 GDPR) and the right to data portability (Art. 20).
Erase personal data: Tools → Erase Personal Data — anonymizes or deletes user data on request. Supports the right to be forgotten (Art. 17 GDPR). Comments can be anonymized instead of deleted.
Comment cookie checkbox: WordPress displays a “Save my data in this browser” checkbox for comments. When unchecked — WordPress does not set cookies with commenter data. A small but important compliance element.

Summary

GDPR is not a checkbox to tick — it is an ongoing obligation. A cookie banner that does not technically block scripts is not GDPR compliant. Pre-checked consent checkboxes violate GDPR. Collecting more data than necessary increases risk. In 2026, regulators are increasingly active — penalties for non-compliance are real and growing. WordPress provides the tools — but proper configuration, a consent management platform, an accurate privacy policy, and regular audits are your responsibility.

At WebOptimo, we configure WordPress sites for GDPR compliance — cookie consent management, tracking script blocking, privacy policy, form compliance, and data processing documentation. If you need a GDPR audit of your site — contact us or check our WordPress care and website development offer.

Frequently Asked Questions About WordPress and GDPR

Yes, if you collect any personal data from EU users. Contact forms, comments, Google Analytics, Google Fonts — all constitute personal data processing.

No. The banner must technically block tracking scripts before consent. You also need: a privacy policy, ability to withdraw consent, and handling data access and deletion requests.

You need a CMP (Consent Management Platform) plugin that technically blocks analytics and marketing scripts until consent. A banner without actual blocking does not meet GDPR requirements.

GA4 can be compliant provided: consent before script loading, IP anonymization, disabled Google signals, configured data retention, and a data processing agreement with Google.

Up to 20 million EUR or 4% of annual global turnover. Since 2018, total fines have exceeded 5.88 billion EUR. Regulators increasingly penalize dark patterns in cookie banners.
