A privacy policy is not optional under GDPR – it is a legal requirement. Article 13 and Article 14 of the regulation specify exactly what information must be provided to users when their personal data is collected. Yet the majority of privacy policies found on WordPress websites are either dangerously incomplete, written in impenetrable legal jargon, or simply copied from a template without being adapted to the actual practices of the site.
This guide walks you through every section a GDPR-compliant privacy policy must contain, explains what each requirement means in plain terms, and shows you how to implement and maintain it on your WordPress site.
Why Your Privacy Policy Matters
Under GDPR, transparency is a fundamental principle (Article 5(1)(a)). Users have a right to know what data is being collected about them, why it is being collected, how long it will be kept, and who it is being shared with – before they provide that data, not buried in fine print afterwards. A privacy policy is the primary mechanism for fulfilling this transparency obligation.
Supervisory authorities regularly review privacy policies as part of investigations and can issue fines not just for data breaches, but for inadequate or misleading privacy notices. The cost of getting this right is a few hours of careful writing. The cost of getting it wrong can be significant.
What Your Privacy Policy Must Include
GDPR Articles 13 and 14 define what must be included in a privacy notice. Here is each requirement explained.
1. Identity and Contact Details of the Data Controller
Your privacy policy must clearly identify who is responsible for the data. This means providing the full legal name of your organisation (or your own name if you operate as an individual), your registered address, and at minimum an email address for privacy-related enquiries. If you have appointed a Data Protection Officer (DPO), their contact details must also be included.
2. What Personal Data You Collect and Why
List every category of personal data your WordPress site collects. For a typical WordPress site, this might include:
- Name and email address from contact forms or newsletter sign-ups
- Username, email, and password for registered accounts
- IP addresses and browser information collected automatically by WordPress and your hosting provider
- Purchase information if you run a WooCommerce store (billing address, order history, payment method type)
- Analytics data (pages visited, session duration, device type) if you use analytics tools
- Cookie identifiers placed by your site or third-party services
For each category, state the purpose of processing — why you collect this data and what you use it for.
3. Legal Basis for Processing
This is the section most often missing or vague in WordPress site privacy policies. GDPR Article 6 requires that every processing activity has a legal basis. You must state which basis applies to each type of processing:
- Consent (Article 6(1)(a)): Used for analytics, marketing emails, and non-essential cookies. Consent must be freely given and withdrawable.
- Contract (Article 6(1)(b)): Used for processing data necessary to fulfil an order or provide a service the user has requested (e.g., WooCommerce order processing).
- Legal obligation (Article 6(1)(c)): Used where you must retain data to comply with tax, accounting, or other legal requirements.
- Legitimate interests (Article 6(1)(f)): Can be used for some analytics and security logging, but must be carefully justified and balanced against users’ rights. Do not use this as a catch-all.
4. Data Retention Periods
GDPR’s storage limitation principle (Article 5(1)(e)) requires that personal data is not kept longer than necessary. Your privacy policy must state how long you retain each category of data, or — if a specific period cannot be named — the criteria used to determine the retention period. For example: “Contact form enquiries are retained for 24 months after the last communication” or “Order data is retained for 7 years to comply with tax obligations.”
5. Data Sharing and Third Parties
List every third party that receives personal data from your site, and explain why. For a typical WordPress site, this includes:
- Your hosting provider (receives all data stored on the server)
- Email marketing platforms such as Mailchimp or Brevo (receive names and email addresses)
- Payment processors such as Stripe or PayPal (receive billing information)
- Analytics providers such as Google Analytics or Matomo
- Content delivery networks and security services such as Cloudflare
If any of these third parties are located outside the European Economic Area, you must also explain the mechanism used to ensure an adequate level of data protection (e.g., Standard Contractual Clauses, adequacy decision for a specific country).
6. User Rights
Your privacy policy must inform users of their rights under GDPR and explain how to exercise them. These rights include:
- Right of access: Users can request a copy of all personal data you hold about them.
- Right to rectification: Users can ask you to correct inaccurate data.
- Right to erasure (“right to be forgotten”): Users can ask you to delete their data, subject to legal retention obligations.
- Right to restriction of processing: Users can ask you to pause processing of their data in certain circumstances.
- Right to data portability: Where processing is based on consent or contract and carried out by automated means, users can request their data in a machine-readable format.
- Right to object: Users can object to processing based on legitimate interests or for direct marketing purposes.
- Right to withdraw consent: Where processing is based on consent, users can withdraw it at any time without affecting the lawfulness of prior processing.
Include a specific email address or contact form where users can submit these requests. WordPress’s built-in privacy tools (under Tools → Privacy) can help you respond to data export and erasure requests.
7. Right to Lodge a Complaint
Users also have the right to lodge a complaint with a supervisory authority. Your privacy policy must mention this right and, ideally, link to or name the relevant authority in your country. In the EU, each member state has its own Data Protection Authority (DPA). In the UK, it is the Information Commissioner's Office (ICO).
How to Add and Maintain a Privacy Policy in WordPress
Using WordPress’s Built-In Privacy Page
WordPress includes a dedicated privacy page feature. Go to Settings → Privacy in your WordPress admin dashboard. You can either use the suggested privacy policy guide as a starting point or assign any existing page as your privacy policy page. Once designated, WordPress will automatically link to this page in the right places — including cookie consent prompts generated by the default theme.
Writing It in Plain Language
GDPR Article 12 requires that privacy information is provided in a “concise, transparent, intelligible and easily accessible form, using clear and plain language.” Avoid copying dense legal text. Write for the average user visiting your site, not for a lawyer. Use headings, short paragraphs, and simple sentences.
Keep It Up to Date
Your privacy policy is a living document. Every time you add a new plugin that collects data, integrate a new third-party service, or change how you use data, you must update your privacy policy. Note the date of the last update at the top of the page, and consider notifying existing users of significant changes via email.
Conclusion
Creating a GDPR-compliant privacy policy for your WordPress site is not as daunting as it might seem once you understand what is actually required. The key is accuracy: your policy must reflect what your site actually does with personal data. A generic template that does not match your real practices is arguably worse than no policy at all, because it actively misleads users. Take the time to audit your data flows, describe them accurately, state your legal bases clearly, and keep the document updated as your site evolves.