
Custodia-Admin

Posted on • Originally published at app.custodia-privacy.com

GDPR for WordPress: Cookie Consent, Contact Forms and Plugin Compliance

Category: Industry Guides
Date: March 2026
Read time: 10 min read
Tags: GDPR, WordPress, WebDev, Compliance


WordPress powers around 43% of all websites on the internet. That means a huge proportion of the GDPR enforcement landscape sits on WordPress installations — and a huge proportion of site owners are either unaware of their obligations or relying on a single plugin to do far more than any single plugin can.

This guide covers what WordPress website owners need to do to comply with UK GDPR and EU GDPR: cookie consent, contact forms, Google Analytics, Google Fonts, third-party plugins as data processors, hosting, newsletters, and more.


Cookie Consent on WordPress

The first thing most WordPress site owners do when they hear about GDPR is install a cookie consent plugin. That instinct is correct — but the plugin alone does not make you compliant.

GDPR requires that consent for non-essential cookies is:

  • Freely given — the user must have a genuine choice
  • Specific — consent for analytics is separate from consent for marketing cookies
  • Informed — users must know what they are consenting to
  • Unambiguous — a pre-ticked box or "by continuing to browse" does not count

Popular WordPress Cookie Consent Plugins

CookieYes is one of the most widely used plugins and handles consent well for most small sites. It auto-detects cookies, categorises them, and blocks them until consent is given. The free tier covers basic needs; paid plans add deeper scanning and consent logging.

Complianz is a strong alternative with good depth on jurisdiction-specific rules. It generates your cookie policy dynamically based on what it finds and integrates with Google Consent Mode v2. It also covers PECR (the UK's Privacy and Electronic Communications Regulations) and CCPA.

GDPR Cookie Consent by WebToffee is lightweight and straightforward. Good for simple sites that don't need advanced configuration.

What all three have in common: they block cookies by default, show a banner before loading trackers, and let users change their preferences later. That last point matters: under GDPR, consent must be as easy to withdraw as it was to give, so the preference centre has to stay reachable after the banner is dismissed.

What they cannot do for you: they cannot write your privacy policy, ensure your third-party plugins respect consent signals, or make sure your hosting provider is GDPR-compliant.


Contact Forms and Personal Data

Contact forms are one of the most overlooked GDPR risks on WordPress sites. When someone submits your contact form, they are providing personal data — their name, email address, and often details about themselves or their business.

Where does form data go?

That depends entirely on which plugin you use and how it is configured.

WPForms stores form submissions in the WordPress database by default. That means the data sits on your hosting server and you are responsible for it. You need to know how long you are retaining it, who has access to it, and what your process is for deleting it on request.

Contact Form 7 does not store submissions in the database by default — it emails them to you and the data then sits in your email inbox. That might sound simpler, but it means submissions are spread across your email account rather than a central, manageable location. CF7 does have an option to store submissions with the Flamingo plugin, which adds database storage.

Both plugins can integrate with CRMs like HubSpot or Mailchimp. If you connect your contact form to a CRM, you are sending personal data to a third-party data processor. You need a Data Processing Agreement (DPA) with that provider, and you need to disclose this in your privacy policy.

What you need to do

  • Add a checkbox to your contact form stating that users consent to their data being used to respond to their enquiry (this is different from marketing consent)
  • Link to your privacy policy from the form
  • Decide how long you retain form submissions and delete them after that period
  • If submissions go to a CRM, ensure you have a DPA with that provider

WordPress Comments and Personal Data

If you have comments enabled on your WordPress site, you are collecting personal data. WordPress stores the commenter's name, email address, IP address, and website URL.

Under GDPR, you need to:

  • Tell users what data you collect when they comment (the default WordPress comment form now includes a checkbox for this, but it needs to be visible and functional)
  • Allow commenters to request deletion of their data
  • Consider whether you need comments enabled at all — many content sites disable them and direct engagement to social media or email instead

Google Analytics and GA4 Consent Mode

Google Analytics is on a majority of WordPress sites. It is also one of the most scrutinised tools under GDPR, with multiple EU data protection authorities ruling that the standard GA implementation is unlawful because it transfers data to US servers without adequate safeguards.

GA4 with Google Consent Mode v2 is the current approach Google recommends. In consent mode, GA adjusts its behaviour based on whether the user has consented. Without consent, it uses modelled data rather than individual tracking.

For WordPress, you need:

  1. A cookie consent plugin that supports Consent Mode v2 — both CookieYes and Complianz do this
  2. GA loaded via that plugin, so it does not fire before consent is given
  3. Your privacy policy to mention Google Analytics, the data it collects, and the legal basis for processing

Do not add GA via the WordPress Customiser or hardcode it in your theme's header.php. If you do this, it loads before the consent plugin has a chance to check for consent.

Tools like Custodia can scan your site and detect whether Google Analytics is firing before consent — a common misconfiguration that most site owners do not realise they have.
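The ordering problem described above is easy to check statically. The script below is an added example, not code from the article or from Custodia: it walks the `<script>` tags of a served page in document order and reports whether a Google Analytics tag executes before any Consent Mode v2 default has been set. The three HTML samples are constructed (`G-XXXXXXX` is a placeholder measurement ID), and the assumption that a consent plugin gates a tag by rewriting it to `type="text/plain"` is mine; the check is a heuristic over HTML, not a runtime test of the browser.

```javascript
// Added example: static check for the "GA fires before consent" misconfiguration.
// Constructed sample 1: Consent Mode v2 defaults are set to "denied" BEFORE gtag.js loads.
const CONSENT_FIRST = `
<head>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){ dataLayer.push(arguments); }
  gtag('consent', 'default', {
    ad_storage: 'denied',
    ad_user_data: 'denied',
    ad_personalization: 'denied',
    analytics_storage: 'denied',
    wait_for_update: 500
  });
</script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
<script>
  gtag('js', new Date());
  gtag('config', 'G-XXXXXXX');
</script>
</head>`;

// Constructed sample 2: the snippet pasted straight into header.php, no consent default.
const HARDCODED = `
<head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){ dataLayer.push(arguments); }
  gtag('js', new Date());
  gtag('config', 'G-XXXXXXX');
</script>
</head>`;

// Constructed sample 3: a consent plugin has rewritten the tags to type="text/plain",
// so the browser does not execute them until the plugin restores the type after consent
// (assumption about how gating works; check what your plugin actually emits).
const PLUGIN_GATED = `
<head>
<script type="text/plain" async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
<script type="text/plain">
  gtag('js', new Date());
  gtag('config', 'G-XXXXXXX');
</script>
</head>`;

const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const CONSENT_DEFAULT_RE = /gtag\(\s*['"]consent['"]\s*,\s*['"]default['"]\s*,\s*(\{[^}]*\})/;

// Read one attribute value from the raw attribute string of a tag.
function attr(attrs, name) {
  const m = new RegExp(`\\b${name}\\s*=\\s*["']([^"']*)["']`, 'i').exec(attrs);
  return m ? m[1] : null;
}

// A tag counts as GA if it loads gtag.js/gtm.js or calls gtag('config', ...).
function isGaTag(attrs, body) {
  const src = attr(attrs, 'src') || '';
  return /googletagmanager\.com\/(gtag\/js|gtm\.js)/.test(src)
    || /gtag\(\s*['"]config['"]/.test(body);
}

// Walk scripts in order; GA that executes before a consent default is a finding.
function auditGaConsent(html) {
  const findings = [];
  let consentDefaultSeen = false;
  let gaFound = false;
  let firedEarly = false;
  for (const [, attrs, body] of html.matchAll(SCRIPT_RE)) {
    const blocked = (attr(attrs, 'type') || '').toLowerCase() === 'text/plain';
    const cd = CONSENT_DEFAULT_RE.exec(body);
    if (cd && !blocked) {
      consentDefaultSeen = true;
      if (!/analytics_storage\s*:\s*['"]denied['"]/.test(cd[1])) {
        findings.push('consent default does not deny analytics_storage');
      }
    }
    if (isGaTag(attrs, body)) {
      gaFound = true;
      if (!blocked && !consentDefaultSeen && !firedEarly) {
        firedEarly = true;
        findings.push('Google Analytics executes before any consent default is set');
      }
    }
  }
  return { gaFound, consentDefaultSeen, findings };
}
```

Run it over the HTML your site actually serves to a first-time visitor (curl the home page without cookies), not over the theme source: page builders, caching plugins and the Customiser all change what ends up in the head. Both the consent-first and the plugin-gated layouts pass; the hard-coded one is flagged.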


Google Fonts as a GDPR Risk

Google Fonts seems harmless — it is just typography. But when WordPress loads Google Fonts from Google's CDN (the default for most themes), it sends the visitor's IP address to Google's servers in the United States. In January 2022, a German court fined a website operator €100 for this exact issue.

The fix is straightforward: host Google Fonts locally.

Plugins like OMGF (Optimize My Google Fonts) or the built-in features of performance plugins like WP Rocket can download the fonts to your server and serve them locally. Once you do this, no IP address is sent to Google.

Many page builders (Elementor, Divi) and themes load Google Fonts by default. Check yours.
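Checking "yours" by reading theme settings is unreliable when a page builder injects the font link itself, so the added example below inventories every third-party origin a served page references instead. It is not code from the article or from any theme or plugin: it scans `<link>`, `<script>`, `<iframe>` and `<img>` tags plus `@import`/`url()` inside `<style>` blocks, groups the results by origin, and annotates the ones it recognises. It goes beyond Google Fonts to the other third-party assets the checklist later mentions (analytics, video embeds, maps, social widgets); the sample HTML, the site origin and the classification list are all constructed by me.

```javascript
// Added example: inventory of third-party origins a page pulls assets from.
// Constructed sample page: Google Fonts via <link> and via @import in theme CSS,
// local assets that must be ignored, a GA loader and a YouTube embed
// (G-XXXXXXX and VIDEO_ID are placeholders).
const SAMPLE_HTML = `
<head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter&display=swap">
<link rel="stylesheet" href="/wp-content/themes/mytheme/style.css">
<style>
  @import url("https://fonts.googleapis.com/css?family=Roboto");
  body { background: url(/wp-content/uploads/bg.png); }
</style>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
</head>
<body>
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
</body>`;

const TAG_RE = /<(script|link|iframe|img)\b([^>]*)>/gi;
const STYLE_RE = /<style\b[^>]*>([\s\S]*?)<\/style>/gi;
const CSS_URL_RE = /(?:@import\s+(?:url\()?|url\()\s*["']?([^"')\s]+)/gi;

function attrValue(attrs, name) {
  const m = new RegExp(`\\b${name}\\s*=\\s*["']([^"']*)["']`, 'i').exec(attrs);
  return m ? m[1] : null;
}

// Map of origin -> [{tag, url}] for every http(s) reference not on the site itself.
function externalOrigins(html, siteOrigin) {
  const found = new Map();
  const add = (tag, raw) => {
    let u;
    try { u = new URL(raw, siteOrigin); } catch { return; } // data: URIs etc. are skipped
    if (u.origin === siteOrigin || !/^https?:$/.test(u.protocol)) return;
    if (!found.has(u.origin)) found.set(u.origin, []);
    found.get(u.origin).push({ tag, url: u.href });
  };
  for (const [, tag, attrs] of html.matchAll(TAG_RE)) {
    const name = tag.toLowerCase();
    const url = attrValue(attrs, name === 'link' ? 'href' : 'src');
    if (url) add(name, url);
  }
  for (const [, css] of html.matchAll(STYLE_RE)) {
    for (const [, url] of css.matchAll(CSS_URL_RE)) add('style', url);
  }
  return found;
}

// My own classification list; anything not listed is reported for manual review.
const KNOWN = [
  [/^fonts\.(googleapis|gstatic)\.com$/, 'Google Fonts: visitor IP sent to Google on every page view; host the fonts locally'],
  [/googletagmanager\.com$|google-analytics\.com$/, 'Google Analytics / Tag Manager: must not execute before consent'],
  [/youtube(-nocookie)?\.com$/, 'YouTube embed: loads Google scripts and cookies; gate it behind consent or a click-to-load placeholder'],
  [/maps\.googleapis\.com$|maps\.google\.com$/, 'Google Maps embed: loads before consent unless gated'],
  [/connect\.facebook\.net$|platform\.twitter\.com$/, 'Social widget: third-party tracking script'],
];

function classify(origin) {
  const host = new URL(origin).hostname;
  const hit = KNOWN.find(([re]) => re.test(host));
  return hit ? hit[1] : 'Unclassified third party: check it against your privacy policy and consent setup';
}

// One entry per third-party origin: how many references and what to do about it.
function thirdPartyReport(html, siteOrigin) {
  return [...externalOrigins(html, siteOrigin)].map(([origin, refs]) => ({
    origin, references: refs.length, note: classify(origin),
  }));
}
```

The report only sees what is in the HTML; fonts pulled in by an external stylesheet (`style.css` fetching `fonts.gstatic.com` via `@font-face`) need the same scan run over each same-origin stylesheet the page links. Once fonts are served from `/wp-content/`, the `fonts.googleapis.com` entry disappears from the report, which is the quickest way to confirm a local-hosting plugin has actually taken effect.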


Plugins as Data Processors and DPAs

Every third-party plugin that handles personal data from your site is, legally, a data processor. Under GDPR, you need a Data Processing Agreement with each of them.

Common WordPress plugins that act as data processors:

  • Mailchimp for WooCommerce / MC4WP — sends email addresses to Mailchimp
  • Jetpack — sends site data to Automattic's servers
  • Akismet — sends comment data to Automattic for spam checking
  • WooCommerce — processes customer data (more on this below)
  • MonsterInsights — Google Analytics integration
  • HubSpot for WordPress — sends contact and behaviour data to HubSpot

Most reputable plugins and their parent companies have DPAs available on their websites, often under their Terms of Service or Privacy sections. You need to find these, review them, and keep a record that you have done so.

This is part of your obligation to maintain records of processing activities under Article 30 of GDPR. If you use Custodia, it tracks third-party data flows automatically as part of your compliance dashboard.


WordPress Hosting and Server Locations

Where your WordPress site is hosted matters for GDPR. If your server is in the United States or another country outside the UK/EU, you need to ensure there are appropriate safeguards for international data transfers.

What to look for:

  • EU or UK-based hosting, or a hosting provider with Standard Contractual Clauses (SCCs) in place for international transfers
  • A Data Processing Agreement from your host (most reputable hosts provide these — SiteGround, Kinsta, WP Engine, and others have them readily available)
  • Clear information about where backups are stored, not just the primary server

If you use a managed WordPress host like Kinsta or Pressable, they typically operate from multiple data centres. Check their documentation to confirm EU regions are available and that you are using one.


WooCommerce and E-Commerce

WooCommerce introduces a much more complex data processing picture. Customer names, addresses, payment details (even if processed via Stripe or PayPal), order history, and browsing behaviour all become personal data you are responsible for.

WooCommerce has built-in privacy functionality that supports GDPR data export and erasure requests. But the configuration is not automatic: you need to enable it, test it, and make sure it covers all the data stored by your WooCommerce extensions.

This topic deserves its own guide — see our dedicated post on e-commerce privacy compliance for a full breakdown.


Membership Plugins and User Data

If you run a membership site using a plugin like MemberPress, Paid Memberships Pro, LearnDash, or LifterLMS, you are processing significant volumes of personal data: user accounts, subscription history, payment data, course progress, and potentially sensitive information depending on your niche.

Key considerations:

  • Users have the right to access all data you hold on them (Subject Access Requests)
  • Users have the right to erasure — though this may conflict with your need to retain transaction records for tax/accounting purposes
  • Password resets and account security need to meet reasonable security standards under GDPR's security requirements

Newsletter Plugins and PECR

WordPress sites often integrate newsletters via Mailchimp, ConvertKit, ActiveCampaign, or similar tools — either through dedicated plugins or WooCommerce integrations.

In the UK, newsletter marketing is governed by both UK GDPR and PECR. PECR requires specific opt-in consent for marketing emails to individuals (as opposed to business-to-business emails to corporate addresses, which have more flexibility).

What this means in practice:

  • A pre-ticked "sign up to our newsletter" box on a contact form is not valid consent
  • "I agree to the terms and conditions" is not consent to receive marketing emails
  • You need a clear, specific, unticked checkbox: "Yes, I'd like to receive marketing emails from [Company]. I can unsubscribe at any time."

If you use Mailchimp, ConvertKit, or similar tools, they require you to collect consent before adding people to lists. But the responsibility for getting that consent correctly sits with you, not the email platform.


WordPress.com vs Self-Hosted WordPress

There is an important distinction between WordPress.com (the hosted platform) and self-hosted WordPress (using WordPress.org software on your own hosting).

WordPress.com: Automattic is the data controller for the platform infrastructure. Your responsibilities are narrower, but you still need to comply with GDPR for the data you collect from your visitors. You have less control over what WordPress.com loads on your site, which can complicate compliance.

Self-hosted WordPress: You are fully responsible for the server, the plugins, and the data. More control, more responsibility. Most GDPR considerations in this guide apply primarily to self-hosted installations.


Data Breach Response

GDPR requires you to report personal data breaches to the relevant supervisory authority (the ICO in the UK, your national DPA in the EU) within 72 hours of becoming aware of the breach, where the breach is likely to result in risk to individuals' rights and freedoms.

For WordPress sites, breaches commonly occur through:

  • Plugin vulnerabilities exploited to access the database
  • Brute-force attacks on wp-admin
  • Compromised hosting credentials
  • Insecure file permissions exposing data

Have a plan before a breach happens. Know who at your organisation (even if that is just you) is responsible for breach assessment and notification. Keep records of any breaches, even minor ones, in a breach register.


Subject Access Requests on WordPress Sites

When a visitor, customer, or user submits a Subject Access Request (DSAR), they are entitled to a copy of all personal data you hold on them within one month.

For a WordPress site, this means:

  • WooCommerce order data
  • Contact form submissions
  • Comments and their metadata
  • User accounts and profile data
  • Any newsletter or CRM records linked to their email address
  • Analytics data (if you hold it in a way that can be linked to an individual)

WordPress has a built-in Data Export tool (under Tools > Export Personal Data) that covers core WordPress data. But it does not cover all your plugins. Check whether your major plugins export their data through this tool or require separate processes.
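Pulling a subject's data out of several stores, and then erasing it while honouring the accounting-retention conflict mentioned in the membership section, is the part plugins most often leave to you. The example below is added here and is neither WordPress core code nor from the article: it runs an export and an erasure over constructed sample tables. Column names follow `wp_users` and `wp_comments` where I know them; the form-submission and order tables are invented stand-ins for what a form plugin and WooCommerce would hold, and the six-year retention window is an assumption, not a figure from the page.

```javascript
// Added example: DSAR export plus erasure over constructed sample tables.
function makeSampleDb() {
  return {
    users: [
      { ID: 7, user_login: 'jane', user_email: 'Jane@Example.com', display_name: 'Jane' },
    ],
    comments: [
      { comment_ID: 31, comment_author: 'Jane', comment_author_email: 'jane@example.com',
        comment_author_url: 'https://jane.example', comment_author_IP: '203.0.113.45',
        comment_content: 'Great post' },
      { comment_ID: 32, comment_author: 'Bob', comment_author_email: 'bob@example.com',
        comment_author_url: '', comment_author_IP: '198.51.100.9', comment_content: 'Thanks' },
    ],
    form_submissions: [ // invented schema for a contact-form plugin
      { id: 1, email: ' jane@example.com ', name: 'Jane', message: 'Quote please', submitted: '2025-11-03' },
    ],
    orders: [ // invented schema standing in for WooCommerce orders
      { order_id: 1001, billing_email: 'jane@example.com', total: 49.0, date: '2025-06-10' },
    ],
  };
}

// Plugins store the address exactly as typed, so match on a normalised form
// or the request misses records and the export is incomplete.
const norm = (e) => String(e || '').trim().toLowerCase();

// Everything held against one address, grouped by source, for the DSAR response.
function exportPersonalData(db, email) {
  const target = norm(email);
  return {
    users: db.users.filter((u) => norm(u.user_email) === target),
    comments: db.comments.filter((c) => norm(c.comment_author_email) === target),
    form_submissions: db.form_submissions.filter((s) => norm(s.email) === target),
    orders: db.orders.filter((o) => norm(o.billing_email) === target),
  };
}

// IPv4 only: zero the last octet. Anything else is blanked rather than guessed at.
function anonymiseIp(ip) {
  const parts = String(ip || '').split('.');
  if (parts.length === 4 && parts.every((p) => /^\d{1,3}$/.test(p))) {
    parts[3] = '0';
    return parts.join('.');
  }
  return '';
}

// Erasure: accounts and form submissions are deleted, comments are anonymised so
// threads stay readable, orders inside the retention window are kept for accounting.
// retentionYears and `now` are assumptions; check your own record-keeping obligations.
function erasePersonalData(db, email, { retentionYears = 6, now = new Date() } = {}) {
  const target = norm(email);
  const summary = { removed: 0, anonymised: 0, retained: 0 };

  let before = db.users.length;
  db.users = db.users.filter((u) => norm(u.user_email) !== target);
  summary.removed += before - db.users.length;

  before = db.form_submissions.length;
  db.form_submissions = db.form_submissions.filter((s) => norm(s.email) !== target);
  summary.removed += before - db.form_submissions.length;

  for (const c of db.comments) {
    if (norm(c.comment_author_email) !== target) continue;
    c.comment_author = 'Anonymous';
    c.comment_author_email = '';
    c.comment_author_url = '';
    c.comment_author_IP = anonymiseIp(c.comment_author_IP);
    summary.anonymised += 1;
  }

  const cutoff = new Date(now);
  cutoff.setFullYear(cutoff.getFullYear() - retentionYears);
  before = db.orders.length;
  db.orders = db.orders.filter((o) => norm(o.billing_email) !== target || new Date(o.date) >= cutoff);
  summary.removed += before - db.orders.length;
  summary.retained = db.orders.filter((o) => norm(o.billing_email) === target).length;
  return summary;
}
```

The summary object is what goes into your records: it tells the requester what was deleted, what was anonymised and what is being retained and on what basis. After erasure, a second export for the same address returns no comments, because the linking field (the email) is gone, which is the property to test when you verify your own erasure process.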


Privacy Policy Page Requirements

Your WordPress site needs a privacy policy that covers:

  • What personal data you collect (contact forms, analytics, comments, accounts)
  • Why you collect it and the legal basis for each type of processing
  • Who you share it with (plugins, integrations, hosting providers)
  • How long you retain it
  • Users' rights under GDPR (access, rectification, erasure, portability, objection)
  • How to make a complaint to the supervisory authority
  • Your contact details (or your Data Protection Officer's details if you have one)

WordPress has a built-in privacy policy generator (Settings > Privacy) that gives you a starting template. But it is a template — it does not know what plugins you use, what data they collect, or what your specific processing activities are.

An automatically generated privacy policy based on your actual site configuration is more accurate and defensible. Custodia generates privacy policies based on what it actually finds on your site, rather than what a template guesses.


WordPress GDPR Compliance Checklist

Use this checklist to audit your WordPress site:

Cookie consent:

  • Cookie consent plugin installed and configured to block cookies by default
  • Consent Mode v2 enabled if using Google Analytics
  • Cookie preference centre accessible from the footer
  • Cookie policy linked from the banner

Analytics:

  • Google Analytics does not fire before consent is given
  • GA4 configured with Consent Mode v2
  • Privacy policy mentions Google Analytics

Fonts and assets:

  • Google Fonts loaded locally, not from Google's CDN
  • No other third-party assets loading before consent (social share buttons, embedded maps, video players)

Contact forms:

  • Privacy notice linked from each form
  • Consent checkbox present (separate from terms of service)
  • Retention period defined and enforced for stored submissions
  • Third-party integrations (CRM, email) covered by DPAs

Hosting and infrastructure:

  • Hosting provider has a DPA
  • Server location confirmed (EU/UK or SCCs in place for international transfers)

Plugins and processors:

  • DPAs obtained from all plugins that process personal data
  • Records of processing activities maintained

Privacy policy:

  • Privacy policy accurately reflects your site's data processing
  • Linked from the footer on every page
  • Linked from contact forms and sign-up flows

Data subject rights:

  • Process defined for handling Subject Access Requests within one month
  • WordPress data export tool tested
  • Erasure process defined and tested

Breach response:

  • Breach assessment process defined
  • Breach register maintained
  • ICO/DPA notification process known

Getting Started

GDPR compliance for WordPress does not have to be overwhelming. Start with the highest-risk areas: cookie consent, Google Analytics, and your privacy policy. Then work through plugins systematically.

If you want to understand exactly what your WordPress site is collecting and sending to third parties, scan it free with Custodia. The scan takes 60 seconds and gives you a breakdown of trackers, cookies, and privacy risks — so you know exactly what needs fixing.


This article is for informational purposes and does not constitute legal advice. For complex compliance questions, consult a qualified privacy lawyer or data protection consultant.
