WordPress GDPR Compliance: Cookie Consent, Privacy Policies, and the Plugins That Handle It
Data protection law applies to most WordPress sites whether or not the site owner has read a single line of the regulation. If your site collects personal data – an email address from a contact form, analytics cookies, WooCommerce customer records – then GDPR, CCPA, PECR, or some combination of those regulations applies to you. This guide is a practical walkthrough: what the law actually requires, which plugins handle it well, and how to implement compliance without degrading the experience for your visitors.
What GDPR, CCPA, and PECR Actually Require
These three regulations are often mentioned together but they cover different jurisdictions and have meaningfully different requirements.
GDPR (General Data Protection Regulation)
GDPR is a European Union regulation that applies to any organization that processes the personal data of EU residents, regardless of where the organization is based. If a visitor from Germany lands on your US-hosted WordPress site and your analytics platform drops a cookie that tracks their behavior, GDPR applies to that interaction.
Core requirements relevant to WordPress site owners:
- Lawful basis for processing: You must have a valid legal reason to collect personal data. For marketing emails, this is typically explicit consent. For order fulfillment, it is contractual necessity.
- Consent must be informed, specific, and freely given: Pre-ticked checkboxes do not count. Bundling consent to marketing with consent to terms of service does not count.
- Right to access and erasure: Users can request a copy of their data or ask for it to be deleted.
- Data minimization: Collect only what you need for the stated purpose.
- Privacy policy: Must explain what data you collect, why, how it is stored, and who it is shared with.
CCPA (California Consumer Privacy Act)
CCPA applies to for-profit businesses that collect personal information from California residents and meet certain thresholds (annual gross revenue above a set amount, buying/selling/receiving data of a certain number of consumers, or deriving a set percentage of revenue from selling data). CCPA requires a “Do Not Sell My Personal Information” link for sites that sell consumer data, and gives consumers the right to know what data is collected and to request deletion.
PECR (Privacy and Electronic Communications Regulations)
PECR is a UK regulation that specifically governs cookies and electronic communications. It is the legal basis for cookie consent banners in the UK. PECR requires informed consent before placing non-essential cookies on a user’s device – analytics cookies, advertising cookies, and tracking pixels all require consent. Strictly necessary cookies (session management, security) are exempt.
A pre-checked consent box is not valid consent under any of these frameworks. The user must take an affirmative action.
Complianz vs CookieYes vs Cookiebot: Plugin Comparison
Three plugins dominate this space for WordPress sites. Each has a different architecture, pricing model, and approach to compliance.
| Feature | Complianz | CookieYes | Cookiebot |
|---|---|---|---|
| Free plan available | Yes | Yes (up to 100 pages) | Yes (up to 500 pages) |
| Cookie scanner | Yes | Yes | Yes |
| Auto-blocks cookies before consent | Yes | Yes | Yes |
| GDPR compliant | Yes | Yes | Yes |
| CCPA compliant | Yes | Yes | Yes |
| Consent log / audit trail | Yes (stored locally) | Yes (cloud) | Yes (cloud) |
| WordPress-native setup | Fully native | Mostly native | Requires external account |
| WooCommerce integration | Yes | Yes | Yes |
| Banner customization | High (template-based) | High (visual editor) | Medium (CSS/JS) |
| Data processed outside EU | No (local storage) | Partial | Yes (CDN-based) |
Complianz is the most WordPress-native option and the best choice for site owners who want all consent data stored on their own server. The free version handles single-site compliance for GDPR and PECR. The pro version adds multisite support, TCF (IAB Transparency and Consent Framework) for advertising networks, and A/B testing for banners.
CookieYes has the most polished visual banner editor and is a good choice if the appearance of the consent widget matters to you. The free plan covers sites with up to 100 pages, which covers most small sites. Consent logs are stored in the cloud, which means you depend on their service for compliance records.
Cookiebot is a Danish product widely used by enterprise and agency sites. It operates via a CDN script, which means cookie scanning and blocking is handled outside your WordPress install. The setup requires creating an account on their platform and adding a domain. The free plan covers domains up to 500 pages.
Recommendation: Use Complianz if data sovereignty matters or if you want a self-contained WordPress-native solution. Use CookieYes if you want an easier visual setup and are comfortable with cloud-based consent logs. Cookiebot is best for larger organizations already in the Cookiebot ecosystem or those who need IAB TCF for ad networks.
Setting Up a Compliant Cookie Banner Without Wrecking UX
Consent banners have a reputation for being ugly and annoying. That reputation is earned by poor implementations, not by the requirement itself. A well-built cookie banner can be unobtrusive, accessible, and legally valid. Here is what makes the difference:
What a Compliant Banner Must Do
- Present a genuine choice: accept, decline, and ideally manage individual categories
- Not place non-essential cookies before consent is given (pre-consent blocking)
- Be accessible by keyboard and screen reader
- Not use dark patterns: “Accept” and “Decline” buttons must be equally visible
- Store a record of consent that can be produced if challenged
UX Practices That Keep It Clean
- Use a bottom bar, not a full-screen overlay: Full-screen consent modals block content entirely and create frustration. A bottom bar or corner widget is less disruptive.
- Match your brand: A banner that visually fits your site feels less like an intrusion. All three plugins allow custom colors and typography.
- Minimize the initial banner copy: State what you need consent for in one or two short sentences. Full policy details belong in a separate “More information” link.
- Avoid the reject-all dark pattern: Hiding the decline option behind a small text link while showing a prominent “Accept all” button is a dark pattern that regulators have specifically targeted for enforcement action.
Setting Up Complianz Step by Step
After installing and activating Complianz, the plugin runs a setup wizard that walks through your site type, the cookies you use, and your target geographies. At the end it generates a compliant banner configuration and a privacy policy draft. Key steps:
- Run the cookie scanner to detect existing cookies from analytics, advertising, and embedded content
- Set cookie categories: Functional, Analytics, Marketing, Preferences
- Enable geo-targeted consent: EU visitors see a GDPR banner; US visitors see CCPA language
- Enable pre-consent cookie blocking so scripts only fire after the visitor consents
- Test in a private browser window to verify the banner appears and cookies are not set before consent
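The pre-consent blocking step, modelled as an added JavaScript example (not Complianz's or any other plugin's code): a consent record is built only from an affirmative banner action, and a script inventory is filtered against it. The script list is constructed sample data, and the `type="text/plain"` activation convention mentioned in the comments is the common pattern such plugins use, stated here as an assumption rather than a description of Complianz internals.

```javascript
// Added example (not code from Complianz or any plugin): models the
// pre-consent blocking rule. Only "functional" (strictly necessary) scripts
// run until the visitor takes an affirmative action in the banner.

const CATEGORIES = ["functional", "analytics", "marketing", "preferences"];

// Build the record that would go into the consent log. `action` is what the
// visitor clicked; `categories` is consulted only for "custom", and anything
// not explicitly true is treated as declined (no pre-ticked defaults).
function buildConsentRecord(action, categories = {}, now = new Date()) {
  const granted = { functional: true, analytics: false, marketing: false, preferences: false };
  switch (action) {
    case "accept_all":
      for (const c of CATEGORIES) granted[c] = true;
      break;
    case "reject_all":
      break; // everything non-essential stays false
    case "custom":
      for (const c of CATEGORIES) {
        if (c !== "functional") granted[c] = categories[c] === true;
      }
      break;
    default:
      // "dismissed", undefined, etc.: no affirmative action, so no consent
      throw new Error(`not an affirmative consent action: ${action}`);
  }
  return { action, granted, timestamp: now.toISOString() };
}

// Constructed sample inventory. On a real page the same information usually
// sits on the <script> tag itself (type="text/plain" plus a data-category
// attribute) so the browser does not execute it until consent rewrites the type.
const DECLARED_SCRIPTS = [
  { src: "/wp-includes/js/jquery/jquery.min.js", category: "functional" },
  { src: "https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE", category: "analytics" },
  { src: "https://connect.facebook.net/en_US/fbevents.js", category: "marketing" },
];

// Scripts allowed to execute under `consent` (null = no banner interaction
// yet). Unknown or missing categories are blocked, never allowed by default.
function scriptsAllowed(scripts, consent) {
  return scripts.filter((s) => {
    if (s.category === "functional") return true;
    if (!CATEGORIES.includes(s.category)) return false;
    return Boolean(consent && consent.granted[s.category] === true);
  });
}
```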
WordPress Privacy Policy Page and Built-In Privacy Tools
WordPress has included privacy tools since version 4.9.6, released in response to the GDPR deadline. Most site owners have never used them. Here is what is available:
Privacy Policy Generator
Go to Settings – Privacy. WordPress creates a draft Privacy Policy page and offers a policy template. The template includes sections for what data is collected, how it is used, and retention periods. Plugins can add their own suggested text to this template – Complianz, WooCommerce, and Jetpack all do this. Edit the draft to match your actual practices, then publish it and link it from your cookie banner and footer.
Personal Data Export and Erasure
Under Tools – Export Personal Data and Tools – Erase Personal Data, you can respond to data subject access requests (DSARs) directly from the WordPress admin. Enter the user’s email address and WordPress sends them a confirmation link, then compiles a downloadable archive of all data WordPress and its plugins hold for that user.
The erasure tool works similarly: the user requests deletion, confirms by email, and WordPress removes all stored data it can identify for that user. Note that not all plugins hook into this system. Check that your key plugins – forms, membership, WooCommerce – support the built-in export and erasure hooks. Understanding WordPress user roles and access levels helps you assign the right permissions for handling data requests without granting unnecessary access.
Comment Consent
Under Settings – Discussion, enable the checkbox that asks commenters to consent to their data being stored. This adds a checkbox to the comment form stating that the commenter accepts their name, email, and website being saved in their browser for future comments. This satisfies the consent requirement for comment data storage.
GDPR Implications for WooCommerce Customer Data
WooCommerce stores considerable personal data: billing addresses, shipping addresses, order history, payment method tokens (where applicable), and account credentials. This data carries GDPR obligations.
What WooCommerce Stores
- Customer account data (name, email, billing and shipping addresses)
- Order data (items, prices, payment method, order notes)
- Browsing data if session tracking is enabled
- Review content and reviewer identity
WooCommerce Privacy Settings
WooCommerce has its own privacy settings under WooCommerce – Settings – Advanced – Privacy. You can configure account data retention, order data retention (balance this with accounting requirements), download log retention for digital products, and your privacy policy page link so it appears at checkout and account registration.
Checkout Consent and Email Marketing
At checkout, WooCommerce automatically displays a link to your privacy policy. For marketing emails, you need an explicit opt-in checkbox – do not pre-check it. Transactional emails (order confirmation, shipping notifications) do not require marketing consent because they are necessary for contract fulfillment. If you are building an email list through WooCommerce, the guide to adding email newsletter signups to WordPress covers the consent-compliant approach for growing a subscriber list alongside orders.
Risks of Ignoring Data Protection Requirements
Regulatory action against WordPress sites is not hypothetical. Data protection authorities across the EU have issued fines to businesses of all sizes, including small e-commerce operators. The enforcement risk is real, even if the penalty scale is typically proportional to company size and revenue.
Beyond regulatory fines, the practical risks include:
- Complaint-driven investigations: A single customer complaint to a data protection authority can trigger an audit. Most small-business fines originate from complaints, not proactive regulator sweeps.
- Payment processor requirements: Stripe and PayPal require merchants to have a published privacy policy. Missing or inadequate policies can result in account suspension.
- Browser and ad platform restrictions: Google Ads and Meta require compliant consent mechanisms for EU traffic. Non-compliance leads to ads being restricted or paused.
- Reputational damage: Customers who notice non-compliant cookie behavior or cannot find a privacy policy are increasingly likely to disengage or leave negative feedback.
Implementation Checklist
Use this as a starting point. Legal requirements vary by jurisdiction and change over time – consult a data protection professional for advice specific to your situation.
- Install a cookie consent plugin (Complianz, CookieYes, or Cookiebot)
- Run the cookie scanner and categorize all cookies your site sets
- Enable pre-consent blocking so non-essential cookies fire only after consent
- Publish a privacy policy page using the WordPress privacy generator, supplemented with plugin-specific text
- Link the privacy policy from your footer, cookie banner, and checkout
- Configure WooCommerce data retention settings
- Add an unchecked marketing consent checkbox at checkout (separate from order completion)
- Enable the WordPress comment consent checkbox
- Test: open a private browser window, visit your site, and verify no analytics or marketing cookies are set before you interact with the banner
- Document your consent configuration as part of a Record of Processing Activities (ROPA)
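The test step in the checklist (and in the Complianz setup section), turned into a check you can run over a Cookie header or the contents of `document.cookie`. This is an added example, not code from the page or from any of the plugins; the prefix-to-category map holds common default cookie names and the sample cookie string is constructed, so extend the map with what your own scanner reports.

```javascript
// Added example (not code from the page or any plugin): "no analytics or
// marketing cookies before the banner is answered", as a runnable check.

// Cookie-name prefixes and their category. Common defaults only (WordPress
// core, WooCommerce, Complianz, Google Analytics, Meta Pixel); extend this
// with whatever your own cookie scanner found.
const COOKIE_CATEGORY = [
  { prefix: "wordpress_logged_in_", category: "functional" },
  { prefix: "wordpress_test_cookie", category: "functional" },
  { prefix: "wp-settings-", category: "functional" },
  { prefix: "woocommerce_cart_hash", category: "functional" },
  { prefix: "woocommerce_items_in_cart", category: "functional" },
  { prefix: "wp_woocommerce_session_", category: "functional" },
  { prefix: "cmplz_", category: "functional" }, // Complianz's own consent-state cookies
  { prefix: "comment_author_", category: "preferences" }, // set only via the comment consent box
  { prefix: "_ga", category: "analytics" }, // also matches _gat_*
  { prefix: "_gid", category: "analytics" },
  { prefix: "_fbp", category: "marketing" },
];

// "a=1; b=2" -> ["a", "b"]; tolerates empty input and stray separators.
function cookieNames(header) {
  return header.split(";")
    .map((part) => part.trim())
    .filter(Boolean)
    .map((part) => part.split("=")[0].trim());
}

function categorize(name) {
  const hit = COOKIE_CATEGORY.find((entry) => name.startsWith(entry.prefix));
  return hit ? hit.category : "unknown";
}

// Cookies that should not exist under `granted`, a map of category -> boolean
// (pass null for "visitor has not answered the banner"). Functional cookies
// never count; unclassified cookies are reported too, because a cookie your
// scanner cannot name is itself a finding to resolve.
function consentViolations(header, granted) {
  const g = granted || {};
  return cookieNames(header)
    .map((name) => ({ name, category: categorize(name) }))
    .filter(({ category }) => category !== "functional" && g[category] !== true);
}

// Constructed sample: what a private window might hold before any banner click.
const SAMPLE_PRE_CONSENT = "wordpress_test_cookie=WP%20Cookie%20check; _ga=GA1.1.111; _gid=GA1.1.222; _fbp=fb.1.333";
```

An empty result for `consentViolations(SAMPLE_PRE_CONSENT, null)` is what a correctly configured pre-consent block should produce on your own site.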
Frequently Asked Questions
Does GDPR apply to me if I am not based in the EU?
GDPR applies based on where your site visitors are located, not where you are. If your site is accessible to EU residents and you process their personal data (analytics cookies count), GDPR applies. Implementing basic compliance is lower risk than ignoring it.
Is Google Analytics illegal under GDPR?
Not automatically, but it has been the subject of multiple enforcement actions by EU data protection authorities, primarily because of data transfers to the United States. Using Google Analytics with proper consent, IP anonymization, and reviewed data processing terms is the pragmatic approach. Some site owners have switched to EU-hosted alternatives like self-hosted Matomo or Plausible to eliminate transfer risk entirely.
Do I need a cookie banner if I only use Google Fonts?
Loading Google Fonts from Google’s CDN sends the visitor’s IP address to Google’s servers, which constitutes a transfer of personal data under GDPR. Several EU courts have found this non-compliant without consent. The straightforward solution is to self-host your fonts, which eliminates the transfer and removes the consent requirement for fonts.
What is the difference between a privacy policy and a cookie policy?
A privacy policy covers all personal data your site collects. A cookie policy is a section (or separate document) specifically covering cookies: what categories you use, their names and purposes, and how to opt out. Under GDPR, you need both. Complianz and CookieYes generate both automatically based on the cookies they detect.
How long do I need to keep consent records?
There is no specific retention period mandated by GDPR for consent records, but the generally accepted practice is to retain them for as long as you are processing data under that consent. Complianz stores consent logs locally with timestamps, which gives you a defensible audit trail.
Can I block users from my site if they decline cookies?
No. Withholding access to content as a condition of accepting non-essential cookies – sometimes called a cookie wall – has been specifically addressed by the European Data Protection Board as inconsistent with freely given consent.
Summary
GDPR compliance for a WordPress site is not a one-time task – it is an ongoing responsibility as your plugin stack changes and regulations evolve. The practical starting point is a cookie consent plugin with pre-consent blocking, a published privacy policy, and WooCommerce data retention settings configured. The tools are available, several of them free, and the setup takes a few hours. The cost of ignoring it is much higher.
For a broader look at securing your site and protecting your users, the WordPress security audit checklist covers data handling, access control, and monitoring in a single structured framework.